backport of commit f86f00e

.changelog/4244.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: Kubernetes v1.30 is now supported. Minimum tested version of Kubernetes is now v1.27.
+```

.github/workflows/security-scan.yml

@@ -46,7 +46,8 @@ jobs:
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           repository: hashicorp/security-scanner
-          token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }}
+          #TODO: replace w/ HASHIBOT_PRODSEC_GITHUB_TOKEN once provisioned
+          token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
           path: security-scanner
           ref: main
 
@@ -65,4 +66,4 @@ jobs:
       - name: Upload SARIF file
         uses: github/codeql-action/upload-sarif@c4fb451437765abf5018c6fbf22cce1a7da1e5cc # codeql-bundle-v2.17.1
         with:
-          sarif_file: results.sarif
+          sarif_file: results.sarif

.github/workflows/weekly-acceptance-1-5-x.yml → .github/workflows/weekly-acceptance-1-4-0-rc1.yml

@@ -1,7 +1,7 @@
 # Dispatch to the consul-k8s-workflows with a weekly cron
 #
 # A separate file is needed for each release because the cron schedules are different for each release.
-name: weekly-acceptance-1-5-x
+name: weekly-acceptance-1-4-0-rc1
 on:
   schedule:
     # * is a special character in YAML so you have to quote this string
@@ -10,7 +10,7 @@ on:
 
 # these should be the only settings that you will ever need to change
 env:
-  BRANCH: "release/1.5.x"
+  BRANCH: "release/1.4.0-rc1"
   CONTEXT: "weekly"
 
 jobs:

CHANGELOG.md

@@ -18,62 +18,6 @@ BUG FIXES:
 * endpoints-controller: graceful shutdown logic should not run on a new pod with the same name. Fixes a case where statefulset rollouts could get stuck in graceful shutdown when the new pods come up. [[GH-4059](https://github.com/hashicorp/consul-k8s/issues/4059)]
 * terminating-gateway: Fix generated acl policy for external services to include the namespace and partition block if they are enabled. [[GH-4153](https://github.com/hashicorp/consul-k8s/issues/4153)]
 
-## 1.4.4 (July 15, 2024)
-
-SECURITY:
-
-* Upgrade go version to 1.22.5 to address [CVE-2024-24791](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791) [[GH-4154](https://github.com/hashicorp/consul-k8s/issues/4154)]
-* Upgrade go-retryablehttp to v0.7.7 to address [GHSA-v6v8-xj6m-xwqh](https://github.com/advisories/GHSA-v6v8-xj6m-xwqh) [[GH-4169](https://github.com/hashicorp/consul-k8s/issues/4169)]
-
-IMPROVEMENTS:
-
-* upgrade go version to v1.22.4. [[GH-4085](https://github.com/hashicorp/consul-k8s/issues/4085)]
-* api-gateways: Change security settings to make root file system read only and to not allow privilage escalation. [[GH-3959](https://github.com/hashicorp/consul-k8s/issues/3959)]
-* cni: package `consul-cni` as .deb and .rpm files [[GH-4040](https://github.com/hashicorp/consul-k8s/issues/4040)]
-* control-plane: Remove anyuid Security Context Constraints (SCC) requirement in OpenShift. [[GH-4152](https://github.com/hashicorp/consul-k8s/issues/4152)]
-* partition-init: Role no longer includes unnecessary access to Secrets resource. [[GH-4053](https://github.com/hashicorp/consul-k8s/issues/4053)]
-
-BUG FIXES:
-
-* api-gateway: fix issue where API Gateway specific acl roles/policy were not being cleaned up on deletion of an api-gateway [[GH-4060](https://github.com/hashicorp/consul-k8s/issues/4060)]
-* cni: fix incorrect release version due to unstable submodule pinning [[GH-4091](https://github.com/hashicorp/consul-k8s/issues/4091)]
-* connect-inject: add NET_BIND_SERVICE capability when injecting consul-dataplane sidecar [[GH-4152](https://github.com/hashicorp/consul-k8s/issues/4152)]
-* endpoints-controller: graceful shutdown logic should not run on a new pod with the same name. Fixes a case where statefulset rollouts could get stuck in graceful shutdown when the new pods come up. [[GH-4059](https://github.com/hashicorp/consul-k8s/issues/4059)]
-
-## 1.3.7 (July 16, 2024)
-
-SECURITY:
-
-* Upgrade go version to 1.22.5 to address [CVE-2024-24791](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791) [[GH-4154](https://github.com/hashicorp/consul-k8s/issues/4154)]
-* Upgrade go-retryablehttp to v0.7.7 to address [GHSA-v6v8-xj6m-xwqh](https://github.com/advisories/GHSA-v6v8-xj6m-xwqh) [[GH-4169](https://github.com/hashicorp/consul-k8s/issues/4169)]
-
-IMPROVEMENTS:
-
-* upgrade go version to v1.22.4. [[GH-4085](https://github.com/hashicorp/consul-k8s/issues/4085)]
-* partition-init: Role no longer includes unnecessary access to Secrets resource. [[GH-4053](https://github.com/hashicorp/consul-k8s/issues/4053)]
-
-BUG FIXES:
-
-* api-gateway: fix issue where API Gateway specific acl roles/policy were not being cleaned up on deletion of an api-gateway [[GH-4060](https://github.com/hashicorp/consul-k8s/issues/4060)]
-* cni: fix incorrect release version due to unstable submodule pinning [[GH-4091](https://github.com/hashicorp/consul-k8s/issues/4091)]
-* endpoints-controller: graceful shutdown logic should not run on a new pod with the same name. Fixes a case where statefulset rollouts could get stuck in graceful shutdown when the new pods come up. [[GH-4059](https://github.com/hashicorp/consul-k8s/issues/4059)]
-
-## 1.1.14 (July 16, 2024)
-
-SECURITY:
-
-* Upgrade go version to 1.22.5 to address [CVE-2024-24791](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24791) [[GH-4154](https://github.com/hashicorp/consul-k8s/issues/4154)]
-* Upgrade go-retryablehttp to v0.7.7 to address [GHSA-v6v8-xj6m-xwqh](https://github.com/advisories/GHSA-v6v8-xj6m-xwqh) [[GH-4169](https://github.com/hashicorp/consul-k8s/issues/4169)]
-
-IMPROVEMENTS:
-
-* upgrade go version to v1.22.4. [[GH-4085](https://github.com/hashicorp/consul-k8s/issues/4085)]
-* partition-init: Role no longer includes unnecessary access to Secrets resource. [[GH-4053](https://github.com/hashicorp/consul-k8s/issues/4053)]
-
-BUG FIXES:
-
-* cni: fix incorrect release version due to unstable submodule pinning [[GH-4091](https://github.com/hashicorp/consul-k8s/issues/4091)]
-
 ## 1.5.0 (June 13, 2024)
 
 > NOTE: Consul K8s 1.5.x is compatible with Consul 1.19.x and Consul Dataplane 1.5.x. Refer to our [compatibility matrix](https://developer.hashicorp.com/consul/docs/k8s/compatibility) for more info.

CONTRIBUTING.md

@@ -961,23 +961,17 @@ The tests are organized like this :
 ```shell
 demo $ tree -L 1 -d acceptance/tests
 acceptance/tests
-├── api-gateway
 ├── basic
 ├── cli
-├── cloud
 ├── config-entries
 ├── connect
 ├── consul-dns
-├── datadog
 ├── example
 ├── fixtures
 ├── ingress-gateway
 ├── metrics
 ├── partitions
 ├── peering
-├── sameness
-├── segments
-├── server
 ├── snapshot-agent
 ├── sync
 ├── terminating-gateway
@@ -1015,9 +1009,7 @@ $ kind create cluster --name=dc1 && kind create cluster --name=dc2
   `-consul-k8s-image=<your-custom-image>` && `-consul-image=<your-custom-image>`
 * You can set custom helm flags by modifying the test file directly in the respective directory.
 
-Finally, you have two options on how you can run your test:
-1. Take the following steps, this will run the test through to completion but not teardown any resources created by the test so you can inspect the state of the cluster
-at that point. You will be responsible for cleaning up the resources or deleting the cluster entirely when you're done.
+Finally, run the test like shown above:
 ```shell
 $ cd acceptance/tests
 $ go test -run Vault_WANFederationViaGateways ./vault/... -p 1 -timeout 2h -failfast -use-kind -no-cleanup-on-failure -kubecontext=kind-dc1 -secondary-kubecontext=kind-dc2 -enable-multi-cluster -debug-directory=/tmp/debug
@@ -1026,36 +1018,6 @@ You can interact with the running kubernetes clusters now using `kubectl [COMMAN
 
 * `kind delete clusters --all` is helpful for cleanup!
 
-2. The other option is to use the helper method in the framework: `helpers.WaitForInput(t)` at the spot in your acceptance test where you would like to pause execution to inspect the cluster. This will pause the test execution until you execute a request to `localhost:38501` which tells the test to continue running, you can override the port value used by setting the `CONSUL_K8S_TEST_PAUSE_PORT` environment variable to a port of your choosing. When running the tests with the `-v` flag you will see a log output of the endpoint that the test is waiting on.
-
-First you'll want to add the helper method to your test file:
-
-```go
-import "github.com/hashicorp/consul-k8s/acceptance/framework/helpers"
-
-func TestSomeTest(t *testing.T) {
-  // stuff to setup
-
-  // test execution will pause here until the endpoint is hit
-  helpers.WaitForInput(t)
-
-  // rest of test
-}
-```
-
-Then run the tests (note the removal of the `-no-cleanup-on-failure` flag):
-```shell
-$ cd acceptance/tests
-$ go test -run Vault_WANFederationViaGateways ./vault/... -p 1 -timeout 2h -failfast -use-kind -kubecontext=kind-dc1 -secondary-kubecontext=kind-dc2 -enable-multi-cluster -debug-directory=/tmp/debug
-```
-
-You can interact with the running kubernetes clusters now using `kubectl [COMMAND] --context=<kind-dc1/kind-dc2>`
-
-When you're done interacting you can tell the test to continue by issuing a curl command to the endpoint (if you are using a non-default port for this test then replace the `38501` port value with the value you have set):
-```shell
-curl localhost:38501
-```
-
 ### Example Debugging session using the acceptance test framework to bootstrap and debug a Vault backed federated Consul installation:
 This test utilizes the `consul-k8s` acceptance test framework, with a custom consul-k8s branch which:
 * Modifies the acceptance test to use custom consul+consul-k8s images and sleeps at the end of the test to allow analysis.

Makefile

@@ -9,8 +9,6 @@ KUBECTL_VERSION= $(shell ./control-plane/build-support/scripts/read-yaml-config.
 
 GO_MODULES := $(shell find . -name go.mod -exec dirname {} \; | sort)
 
-GOTESTSUM_PATH?=$(shell command -v gotestsum)
-
 ##@ Helm Targets
 
 .PHONY: gen-helm-docs
@@ -99,32 +97,11 @@ control-plane-fips-dev-docker: ## Build consul-k8s-control-plane FIPS dev Docker
 
 .PHONY: control-plane-test
 control-plane-test: ## Run go test for the control plane.
-ifeq ("$(GOTESTSUM_PATH)","")
-	cd control-plane && go test ./...
-else
-	cd control-plane && \
-	gotestsum \
-		--format=short-verbose \
-		--debug \
-		--rerun-fails=3 \
-		--packages="./..."
-endif
-
+	cd control-plane; go test ./...
 
 .PHONY: control-plane-ent-test
 control-plane-ent-test: ## Run go test with Consul enterprise tests. The consul binary in your PATH must be Consul Enterprise.
-ifeq ("$(GOTESTSUM_PATH)","")
-	cd control-plane && go test ./... -tags=enterprise
-else
-	cd control-plane && \
-	gotestsum \
-		--format=short-verbose \
-		--debug \
-		--rerun-fails=3 \
-		--packages="./..." \
-		-- \
-		--tags enterprise
-endif
+	cd control-plane; go test ./... -tags=enterprise
 
 .PHONY: control-plane-cov
 control-plane-cov: ## Run go test with code coverage.
@@ -427,7 +404,7 @@ ifndef CONSUL_K8S_RELEASE_DATE
 	$(error CONSUL_K8S_RELEASE_DATE is required, use format <Month> <Day>, <Year> (ex. October 4, 2022))
 endif
 ifndef CONSUL_K8S_NEXT_RELEASE_VERSION
-	$(error CONSUL_K8S_NEXT_RELEASE_VERSION is required)
+	$(error CONSUL_K8S_RELEASE_VERSION is required)
 endif
 ifndef CONSUL_K8S_CONSUL_VERSION
 	$(error CONSUL_K8S_CONSUL_VERSION is required)

README.md

@@ -56,7 +56,7 @@ by contacting us at [[email protected]](mailto:[email protected]).
 
 The following pre-requisites must be met before installing Consul on Kubernetes. 
 
-  * **Kubernetes 1.26.x - 1.29.x** - This represents the earliest versions of Kubernetes tested.
+  * **Kubernetes 1.27.x - 1.30.x** - This represents the earliest versions of Kubernetes tested.
     It is possible that this chart works with earlier versions, but it is
     untested.
   * Helm install

acceptance/ci-inputs/kind-inputs.yaml

@@ -1,6 +1,6 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
-kindVersion: v0.22.0
-kindNodeImage: kindest/node:v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245
-kubectlVersion: v1.27.1
+kindVersion: v0.23.0
+kindNodeImage: kindest/node:v1.30.2@sha256:ecfe5841b9bee4fe9690f49c118c33629fa345e3350a0c67a5a34482a99d6bba
+kubectlVersion: v1.30.2

acceptance/framework/consul/helm_cluster.go

@@ -13,6 +13,8 @@ import (
 	"github.com/gruntwork-io/terratest/modules/helm"
 	terratestLogger "github.com/gruntwork-io/terratest/modules/logger"
 	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
 	corev1 "k8s.io/api/core/v1"
 	policyv1beta "k8s.io/api/policy/v1beta1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -26,6 +28,7 @@ import (
 
 	"github.com/hashicorp/consul-k8s/control-plane/api/v1alpha1"
 	"github.com/hashicorp/consul/api"
+	"github.com/hashicorp/consul/proto-public/pbresource"
 	"github.com/hashicorp/consul/sdk/testutil/retry"
 
 	"github.com/hashicorp/consul-k8s/acceptance/framework/config"
@@ -484,6 +487,26 @@ func (h *HelmCluster) CreatePortForwardTunnel(t *testing.T, remotePort int, rele
 	return portforward.CreateTunnelToResourcePort(t, serverPod, remotePort, h.helmOptions.KubectlOptions, h.logger)
 }
 
+// ResourceClient returns a resource service grpc client for the given helm release.
+func (h *HelmCluster) ResourceClient(t *testing.T, secure bool, release ...string) (client pbresource.ResourceServiceClient) {
+	if secure {
+		panic("TODO: add support for secure resource client")
+	}
+	releaseName := h.releaseName
+	if len(release) > 0 {
+		releaseName = release[0]
+	}
+
+	// TODO: get grpc port from somewhere
+	localTunnelAddr := h.CreatePortForwardTunnel(t, 8502, releaseName)
+
+	// Create a grpc connection to the server pod.
+	grpcConn, err := grpc.Dial(localTunnelAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	require.NoError(t, err)
+	resourceClient := pbresource.NewResourceServiceClient(grpcConn)
+	return resourceClient
+}
+
 func (h *HelmCluster) SetupConsulClient(t *testing.T, secure bool, release ...string) (client *api.Client, configAddress string) {
 	t.Helper()
 

acceptance/framework/helpers/helpers.go

@@ -6,9 +6,7 @@ package helpers
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
-	"net/http"
 	"os"
 	"os/exec"
 	"os/signal"
@@ -360,52 +358,3 @@ func createCmdArgs(options *k8s.KubectlOptions) []string {
 	}
 	return cmdArgs
 }
-
-const DEFAULT_PAUSE_PORT = "38501"
-
-// WaitForInput starts a http server on a random port (which is output in the logs) and waits until you
-// issue a request to that endpoint to continue the tests. This is useful for debugging tests that require
-// inspecting the current state of a running cluster and you don't need to use long sleeps.
-func WaitForInput(t *testing.T) {
-	t.Helper()
-
-	listenerPort := os.Getenv("CONSUL_K8S_TEST_PAUSE_PORT")
-
-	if listenerPort == "" {
-		listenerPort = DEFAULT_PAUSE_PORT
-	}
-
-	mux := http.NewServeMux()
-	srv := &http.Server{
-		Addr:    fmt.Sprintf(":%s", listenerPort),
-		Handler: mux,
-	}
-
-	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-		defer func() {
-			err := r.Body.Close()
-			if err != nil {
-				t.Logf("error closing request body: %v", err)
-			}
-		}()
-
-		w.WriteHeader(http.StatusOK)
-
-		_, err := w.Write([]byte("input received\n"))
-		if err != nil {
-			t.Logf("writing body: %v", err)
-		}
-
-		err = srv.Shutdown(context.Background())
-		if err != nil {
-			t.Logf("error closing listener: %v", err)
-		}
-
-		t.Log("input received, continuing test")
-	})
-
-	t.Logf("Waiting for input on http://localhost:%s", listenerPort)
-	if err := srv.ListenAndServe(); !errors.Is(err, http.ErrServerClosed) {
-		t.Fatal(err)
-	}
-}