Backport prepare release rc1

.changelog/4333.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set.
+```

.github/scripts/check_skip_ci.sh

@@ -28,7 +28,7 @@ skip_check_branch=${SKIP_CHECK_BRANCH:?SKIP_CHECK_BRANCH is required}
 files_to_check=$(git diff --name-only "$(git merge-base origin/$skip_check_branch HEAD~)"...HEAD)
 
 # Define the directories to check
-skipped_directories=("assets" ".changelog" "version")
+skipped_directories=("assets" ".changelog")
 
 files_to_skip=("LICENSE" ".copywrite.hcl" ".gitignore")
 

.github/workflows/pr.yml

@@ -40,6 +40,7 @@ jobs:
           - check-name: acceptance-cni
           - check-name: acceptance-tproxy
           - check-name: Unit test helm templates
+          - check-name: Unit test helm gen
           - check-name: Unit test enterprise control plane
           - check-name: Unit test control plane
           - check-name: Unit test cli

CHANGELOG.md

@@ -1,3 +1,23 @@
+## 1.6.0-rc1 (September 20, 2024)
+
+SECURITY:
+
+* Upgrade Go to use 1.22.7. This addresses CVE 
+[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-4313](https://github.com/hashicorp/consul-k8s/issues/4313)]
+
+IMPROVEMENTS:
+
+* dns-proxy: add the ability to deploy a DNS proxy within the kubernetes cluster that forwards DNS requests to the consul server and can be configured with an ACL token and make partition aware DNS requests. [[GH-4300](https://github.com/hashicorp/consul-k8s/issues/4300)]
+* sync-catalog: expose prometheus scrape metrics on sync-catalog pods [[GH-4212](https://github.com/hashicorp/consul-k8s/issues/4212)]
+* connect-inject: remove unnecessary resource permissions from connect-inject ClusterRole [[GH-4307](https://github.com/hashicorp/consul-k8s/issues/4307)]
+* helm: Exclude gke namespaces from being connect-injected when the connect-inject: default: true value is set. [[GH-4333](https://github.com/hashicorp/consul-k8s/issues/4333)]
+
+BUG FIXES:
+
+* control-plane: add missing `$HOST_IP` environment variable to consul-dataplane sidecar containers [[GH-4277](https://github.com/hashicorp/consul-k8s/issues/4277)]
+* helm: Fix ArgoCD hooks related annotations on server-acl-init Job, they must be added at Job definition and not template level. [[GH-3989](https://github.com/hashicorp/consul-k8s/issues/3989)]
+* sync-catalog: Enable the user to purge the registered services by passing parent node and necessary filters. [[GH-4255](https://github.com/hashicorp/consul-k8s/issues/4255)]
+
 ## 1.5.3 (August 30, 2024)
 
 SECURITY:

Makefile

@@ -32,7 +32,7 @@ generate-external-crds: ## Generate CRDs for externally defined CRDs and copy th
 
 .PHONY: bats-tests
 bats-tests: ## Run Helm chart bats tests.
-	 bats --jobs 4 charts/consul/test/unit
+	docker run -it -v $(CURDIR):/consul-k8s hashicorpdev/consul-helm-test:latest bats --jobs 4 /consul-k8s/charts/consul/test/unit -f "$(TEST_NAME)"
 
 ##@ Control Plane Targets
 

charts/consul/Chart.yaml

@@ -3,8 +3,8 @@
 
 apiVersion: v2
 name: consul
-version: 1.6.0-dev
-appVersion: 1.20-dev
+version: 1.6.0-rc1
+appVersion: 1.20.0-rc1
 kubeVersion: ">=1.22.0-0"
 description: Official HashiCorp Consul Chart
 home: https://www.consul.io
@@ -13,14 +13,14 @@ sources:
   - https://github.com/hashicorp/consul
   - https://github.com/hashicorp/consul-k8s
 annotations:
-  artifacthub.io/prerelease: true
+  artifacthub.io/prerelease: false
   artifacthub.io/images: |
     - name: consul
-      image: docker.mirror.hashicorp.services/hashicorppreview/consul:1.20-dev
+      image: hashicorp/consul:1.20.0-rc1
     - name: consul-k8s-control-plane
-      image: docker.mirror.hashicorp.services/hashicorppreview/consul-k8s-control-plane:1.6-dev
+      image: hashicorp/consul-k8s-control-plane:1.6.0-rc1
     - name: consul-dataplane
-      image: docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.6-dev
+      image: hashicorp/consul-dataplane:1.6.0-rc1
     - name: envoy
       image: envoyproxy/envoy:v1.25.11
   artifacthub.io/license: MPL-2.0

charts/consul/test/docker/Test.dockerfile

@@ -9,71 +9,71 @@
 # a script to configure kubectl, potentially install Helm, and run the tests
 # manually. This image only has the dependencies pre-installed.
 
-FROM cimg/go:1.19
+FROM cimg/go:1.23.1
 
 # change the user to root so we can install stuff
 USER root
 
-ENV BATS_VERSION "1.6.0"
-ENV TERRAFORM_VERSION "0.13.5"
+ENV BATS_VERSION "1.11.0"
+ENV TERRAFORM_VERSION "1.9.6"
 
 RUN apt-get update
 
 # base packages
 RUN apt-get install -y \
-    openssl \
-    python3 \
-    python3-pip \
-    jq
+  openssl \
+  python3 \
+  python3-pip \
+  jq
 
 # yq
 RUN pip3 install yq
 
 # gcloud
 RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] http://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list && \
-    curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key --keyring /usr/share/keyrings/cloud.google.gpg  add - && \
-    apt-get update -y && \
-    apt-get install google-cloud-sdk -y && \
-    apt-get install google-cloud-sdk-gke-gcloud-auth-plugin
+  curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key --keyring /usr/share/keyrings/cloud.google.gpg  add - && \
+  apt-get update -y && \
+  apt-get install google-cloud-sdk -y && \
+  apt-get install google-cloud-sdk-gke-gcloud-auth-plugin
 
 # terraform
 RUN curl -sSL https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip -o /tmp/tf.zip \
-    && unzip /tmp/tf.zip  \
-    && mv ./terraform /usr/local/bin/terraform
+  && unzip /tmp/tf.zip  \
+  && mv ./terraform /usr/local/bin/terraform
 
 # kubectl
 RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && \
-    chmod +x ./kubectl && \
-    mv ./kubectl /usr/local/bin/kubectl
+  chmod +x ./kubectl && \
+  mv ./kubectl /usr/local/bin/kubectl
 
 # helm
 RUN curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
 
 # bats
 RUN curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz \
-    && tar -zxf /tmp/bats.tgz -C /tmp \
-    && /bin/bash /tmp/bats-core-${BATS_VERSION}/install.sh /usr/local
+  && tar -zxf /tmp/bats.tgz -C /tmp \
+  && /bin/bash /tmp/bats-core-${BATS_VERSION}/install.sh /usr/local
 
 # Azure CLI
 RUN curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
 
 # OpenShift CLI
 # https://docs.microsoft.com/en-us/azure/openshift/tutorial-connect-cluster
 RUN curl -sSL https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/openshift-client-linux.tar.gz -o /tmp/oc.tar.gz \
-    && tar -zxvf /tmp/oc.tar.gz -C /tmp  \
-    && mv /tmp/oc /usr/local/bin/oc
+  && tar -zxvf /tmp/oc.tar.gz -C /tmp  \
+  && mv /tmp/oc /usr/local/bin/oc
 
 # AWS CLI
 RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
-    && unzip awscliv2.zip \
-    && ./aws/install --bin-dir /usr/local/bin \
-    && rm awscliv2.zip \
-    && rm -rf ./aws
+  && unzip awscliv2.zip \
+  && ./aws/install --bin-dir /usr/local/bin \
+  && rm awscliv2.zip \
+  && rm -rf ./aws
 
 # AWS IAM authenticator
 RUN curl -Lo aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.5.9/aws-iam-authenticator_0.5.9_linux_amd64 \
-    && chmod +x ./aws-iam-authenticator \
-    && mv ./aws-iam-authenticator /usr/local/bin/aws-iam-authenticator
+  && chmod +x ./aws-iam-authenticator \
+  && mv ./aws-iam-authenticator /usr/local/bin/aws-iam-authenticator
 
 # change the user back to what circleci/golang image has
 USER circleci

charts/consul/values.yaml

@@ -66,7 +66,7 @@ global:
   # image: "hashicorp/consul-enterprise:1.10.0-ent"
   # ```
   # @default: hashicorp/consul:<latest version>
-  image: docker.mirror.hashicorp.services/hashicorppreview/consul:1.20-dev
+  image: hashicorp/consul:1.20.0-rc1
 
   # Array of objects containing image pull secret names that will be applied to each service account.
   # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image.
@@ -86,7 +86,7 @@ global:
   # image that is used for functionality such as catalog sync.
   # This can be overridden per component.
   # @default: hashicorp/consul-k8s-control-plane:<latest version>
-  imageK8S: docker.mirror.hashicorp.services/hashicorppreview/consul-k8s-control-plane:1.6-dev
+  imageK8S: hashicorp/consul-k8s-control-plane:1.6.0-rc1
 
   # The image pull policy used globally for images controlled by Consul (consul, consul-dataplane, consul-k8s, consul-telemetry-collector).
   # One of "IfNotPresent", "Always", "Never", and "". Refer to https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
@@ -793,7 +793,7 @@ global:
   # The name (and tag) of the consul-dataplane Docker image used for the
   # connect-injected sidecar proxies and mesh, terminating, and ingress gateways.
   # @default: hashicorp/consul-dataplane:<latest supported version>
-  imageConsulDataplane: docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.6-dev
+  imageConsulDataplane: hashicorp/consul-dataplane:1.6.0-rc1
 
   # Configuration for running this Helm chart on the Red Hat OpenShift platform.
   # This Helm chart currently supports OpenShift v4.x+.
@@ -2771,6 +2771,7 @@ connectInject:
   # By default, we exclude kube-system since usually users won't
   # want those pods injected and local-path-storage and openebs so that
   # Kind (Kubernetes In Docker) and [OpenEBS](https://openebs.io/) respectively can provision Pods used to create PVCs.
+  # We also exclude gmp-system and gke-managed-cim namespaces that are used by GKE for managing the cluster.
   # Note that this exclusion is only supported in Kubernetes v1.21.1+.
   #
   # Example:
@@ -2785,7 +2786,7 @@ connectInject:
     matchExpressions:
       - key: "kubernetes.io/metadata.name"
         operator: "NotIn"
-        values: ["kube-system","local-path-storage","openebs"]
+        values: ["kube-system","local-path-storage","openebs","gmp-system","gke-managed-cim"]
 
   # List of k8s namespaces to allow Connect sidecar
   # injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`,