backport of commit 4b8bc71

.changelog/2962.txt

@@ -1,3 +1,3 @@
-```release-note:feature
+```releast-note:feature
 api-gateway: (Consul Enterprise) Add JWT authentication and authorization for API Gateway and HTTPRoutes.
 ```

.changelog/3418.txt

@@ -1,3 +1,3 @@
 ```release-note:security
-Upgrade OpenShift container images to use `ubi9-minimal:9.3` as the base image.
+Upgrade OpenShift container images to use `ubi-minimal:9.3` as the base image.
 ```

.changelog/3668.txt

@@ -1,3 +1,3 @@
 ```release-note:improvement
-control-plane: publish `consul-k8s-control-plane` and `consul-k8s-control-plane-fips` images to official HashiCorp AWS ECR. 
-```
+ control-plane: publish `consul-k8s-control-plane` and `consul-k8s-control-plane-fips` images to official HashiCorp AWS ECR. 
+ ```

.github/pull_request_template.md

@@ -1,13 +1,14 @@
-### Changes proposed in this PR ###  
+Changes proposed in this PR:
 -
 -
 
-### How I've tested this PR ###
+How I've tested this PR:
 
+How I expect reviewers to test this PR:
 
-### How I expect reviewers to test this PR ###
 
-
-### Checklist ###
+Checklist:
 - [ ] Tests added
 - [ ] [CHANGELOG entry added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry) 
+
+

.github/workflows/build.yml

@@ -106,7 +106,6 @@ jobs:
           - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "arm64", component: "control-plane/cni", pkg_name: "consul-cni", "bin_name": "consul-cni", gotags: "fips", env: "CGO_ENABLED=1 GOEXPERIMENT=boringcrypto CC=aarch64-linux-gnu-gcc", fips: "+fips1402", pkg_suffix: "-fips" }
           - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "windows", goarch: "amd64", component: "control-plane/cni", pkg_name: "consul-cni", "bin_name": "consul-cni.exe", gotags: "fips", env: "CGO_ENABLED=1 GOEXPERIMENT=cngcrypto", fips: "+fips1402" }
 
-
       fail-fast: true
 
     name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} ${{ matrix.component }} ${{ matrix.fips }} build
@@ -328,8 +327,8 @@ jobs:
           extra_build_args: |
             GOLANG_VERSION=${{ needs.get-go-version.outputs.go-version }}
 
-  build-docker-ubi:
-    name: Docker ${{ matrix.arch }} ${{ matrix.fips }} UBI builds
+  build-docker-ubi-redhat-registry:
+    name: Docker ${{ matrix.arch }} ${{ matrix.fips }} UBI build for RedHat Registry
     needs: [get-product-version, get-go-version, build]
     runs-on: ubuntu-latest
     strategy:
@@ -352,6 +351,78 @@ jobs:
         run: |
           cd "${ZIP_LOCATION}"
           unzip -j *.zip
+      - name: Copy LICENSE
+        run:
+         cp LICENSE ./control-plane
+      - name: Docker Build (Action)
+        if: ${{ !matrix.fips }}
+        uses: hashicorp/actions-docker-build@76d2fc91532d816ca2660d8f3139e432ac3700fd
+        with:
+          smoke_test: |
+            TEST_VERSION="$(docker run "${IMAGE_NAME}" consul-k8s-control-plane version  | awk '{print $2}')"
+            if [ "${TEST_VERSION}" != "v${version}" ]; then
+              echo "Test FAILED"
+              exit 1
+            fi
+            echo "Test PASSED"
+          version: ${{ env.version }}
+          target: ubi
+          arch: ${{ matrix.arch }}
+          pkg_name: consul-k8s-control-plane_${{ env.version }}
+          bin_name: consul-k8s-control-plane
+          workdir: control-plane
+          tags: |
+            public.ecr.aws/hashicorp/${{ env.repo }}-control-plane:${{ env.version }}-ubi
+          redhat_tag: quay.io/redhat-isv-containers/611ca2f89a9b407267837100:${{env.version}}-ubi
+          extra_build_args: |
+            GOLANG_VERSION=${{ needs.get-go-version.outputs.go-version }}
+
+      - name: Docker FIPS Build (Action)
+        if: ${{ matrix.fips }}
+        uses: hashicorp/actions-docker-build@76d2fc91532d816ca2660d8f3139e432ac3700fd
+        with:
+          smoke_test: |
+            TEST_VERSION="$(docker run "${IMAGE_NAME}" consul-k8s-control-plane version  | awk '{print $2}')"
+            if [ "${TEST_VERSION}" != "v${version}" ]; then
+              echo "Test FAILED"
+              exit 1
+            fi
+            echo "Test PASSED"
+          version: ${{ env.version }}
+          target: ubi-fips # duplicate target to distinguish FIPS builds in CRT machinery
+          arch: ${{ matrix.arch }}
+          pkg_name: consul-k8s-control-plane_${{ env.version }}
+          bin_name: consul-k8s-control-plane
+          workdir: control-plane
+          tags: |
+            public.ecr.aws/hashicorp/${{ env.repo }}-control-plane-fips:${{ env.version }}-ubi
+          redhat_tag: quay.io/redhat-isv-containers/6486b1beabfc4e51588c0416:${{env.version}}-ubi # this is different than the non-FIPS one
+          extra_build_args: |
+            GOLANG_VERSION=${{ needs.get-go-version.outputs.go-version }}
+
+  build-docker-ubi-dockerhub:
+    name: Docker ${{ matrix.arch }} ${{ matrix.fips }} UBI build for DockerHub
+    needs: [ get-product-version, get-go-version, build ]
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        arch: [ "amd64" ]
+        fips: [ "+fips1402", "" ]
+    env:
+      repo: ${{ github.event.repository.name }}
+      version: ${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: consul-cni_${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}_linux_${{ matrix.arch }}.zip
+          path: control-plane/dist/cni/linux/${{ matrix.arch }}
+      - name: extract consul-cni zip
+        env:
+          ZIP_LOCATION: control-plane/dist/cni/linux/${{ matrix.arch }}
+        run: |
+          cd ${ZIP_LOCATION}
+          unzip -j *.zip
       - name: Copy LICENSE
         run:
           cp LICENSE ./control-plane
@@ -365,8 +436,8 @@ jobs:
           echo "minor_dev_tag=$(echo ${{ env.version }}| sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')" >> $GITHUB_ENV
 
       - name: Docker Build (Action)
-        if: ${{ !matrix.fips }}
         uses: hashicorp/actions-docker-build@76d2fc91532d816ca2660d8f3139e432ac3700fd
+        if: ${{ !matrix.fips }}
         with:
           smoke_test: |
             TEST_VERSION="$(docker run "${IMAGE_NAME}" consul-k8s-control-plane version  | awk '{print $2}')"
@@ -383,19 +454,17 @@ jobs:
           workdir: control-plane
           tags: |
             docker.io/hashicorp/${{ env.repo }}-control-plane:${{ env.version }}-ubi
-            public.ecr.aws/hashicorp/${{ env.repo }}-control-plane:${{ env.version }}-ubi
           dev_tags: |
             docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.full_dev_tag }}-ubi
             docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.full_dev_tag }}-ubi-${{ github.sha }}
             docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.minor_dev_tag }}-ubi
             docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.minor_dev_tag }}-ubi-${{ github.sha }}
-          redhat_tag: quay.io/redhat-isv-containers/611ca2f89a9b407267837100:${{env.version}}-ubi
           extra_build_args: |
             GOLANG_VERSION=${{ needs.get-go-version.outputs.go-version }}
 
       - name: Docker FIPS Build (Action)
-        if: ${{ matrix.fips }}
         uses: hashicorp/actions-docker-build@76d2fc91532d816ca2660d8f3139e432ac3700fd
+        if: ${{ matrix.fips }}
         with:
           smoke_test: |
             TEST_VERSION="$(docker run "${IMAGE_NAME}" consul-k8s-control-plane version  | awk '{print $2}')"
@@ -411,7 +480,11 @@ jobs:
           bin_name: consul-k8s-control-plane
           workdir: control-plane
           tags: |
-            public.ecr.aws/hashicorp/${{ env.repo }}-control-plane-fips:${{ env.version }}-ubi
-          redhat_tag: quay.io/redhat-isv-containers/6486b1beabfc4e51588c0416:${{env.version}}-ubi # this is different than the non-FIPS one
+            docker.io/hashicorp/${{ env.repo }}-control-plane-fips:${{ env.version }}-ubi
+          dev_tags: |
+            docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.full_dev_tag }}-ubi
+            docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.full_dev_tag }}-ubi-${{ github.sha }}
+            docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.minor_dev_tag }}-ubi
+            docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.minor_dev_tag }}-ubi-${{ github.sha }}
           extra_build_args: |
             GOLANG_VERSION=${{ needs.get-go-version.outputs.go-version }}

.github/workflows/weekly-acceptance-1-4-0-rc1.yml → .github/workflows/nightly-acceptance-1-3-0-rc1.yml

@@ -1,17 +1,15 @@
-# Dispatch to the consul-k8s-workflows with a weekly cron
-#
-# A separate file is needed for each release because the cron schedules are different for each release.
-name: weekly-acceptance-1-4-0-rc1
+# Dispatch to the consul-k8s-workflows with a nightly cron
+name: nightly-acceptance
 on:
   schedule:
     # * is a special character in YAML so you have to quote this string
-    # Run weekly on Friday at 3AM UTC/11PM EST/8PM PST
-   - cron:  '0 3 * * 5'
+    # Run nightly at 12AM UTC/8PM EST/5PM PST
+    - cron:  '0 0 * * *'
 
 # these should be the only settings that you will ever need to change
 env:
-  BRANCH: "release/1.4.0-rc1"
-  CONTEXT: "weekly"
+  BRANCH: "release/1.3.0-rc1"
+  CONTEXT: "nightly"
 
 jobs:
   cloud:

.github/workflows/weekly-acceptance-1-4-x.yml → .github/workflows/weekly-acceptance-0-49-x.yml

@@ -1,16 +1,16 @@
 # Dispatch to the consul-k8s-workflows with a weekly cron
 #
 # A separate file is needed for each release because the cron schedules are different for each release.
-name: weekly-acceptance-1-4-x
+name: weekly-acceptance-0-49-x
 on:
   schedule:
     # * is a special character in YAML so you have to quote this string
-    # Run weekly on Thursday at 3AM UTC/11PM EST/8PM PST
-   - cron:  '0 3 * * 4'
+    # Run weekly on Monday at 3AM UTC/11PM EST/8PM PST
+    - cron:  '0 3 * * 1'
 
 # these should be the only settings that you will ever need to change
 env:
-  BRANCH: "release/1.4.x"
+  BRANCH: "release/0.49.x"
   CONTEXT: "weekly"
 
 jobs:

.github/workflows/weekly-acceptance-1-3-x.yml → .github/workflows/weekly-acceptance-1-0-x.yml

@@ -1,16 +1,17 @@
 # Dispatch to the consul-k8s-workflows with a weekly cron
 #
 # A separate file is needed for each release because the cron schedules are different for each release.
-name: weekly-acceptance-1-3-x
+name: weekly-acceptance-1-0-x
 on:
   schedule:
     # * is a special character in YAML so you have to quote this string
-    # Run weekly on Wednesday at 3AM UTC/11PM EST/8PM PST
-   - cron:  '0 3 * * 3'
+    # Run weekly on Tuesday at 3AM UTC/11PM EST/8PM PST
+    - cron:  '0 3 * * 2'
+
 
 # these should be the only settings that you will ever need to change
 env:
-  BRANCH: "release/1.3.x"
+  BRANCH: "release/1.0.x"
   CONTEXT: "weekly"
 
 jobs:

.github/workflows/weekly-acceptance-1-1-x.yml

@@ -5,8 +5,8 @@ name: weekly-acceptance-1-1-x
 on:
   schedule:
     # * is a special character in YAML so you have to quote this string
-    # Run weekly on Monday at 3AM UTC/11PM EST/8PM PST
-    - cron:  '0 3 * * 1'
+    # Run weekly on Wednesday at 3AM UTC/11PM EST/8PM PST
+    - cron:  '0 3 * * 3'
 
 
 # these should be the only settings that you will ever need to change

.github/workflows/weekly-acceptance-1-2-x.yml

@@ -5,8 +5,9 @@ name: weekly-acceptance-1-2-x
 on:
   schedule:
     # * is a special character in YAML so you have to quote this string
-    # Run weekly on Tuesday at 3AM UTC/11PM EST/8PM PST
-    - cron:  '0 3 * * 2'
+    # Run weekly on Wednesday at 3AM UTC/11PM EST/8PM PST
+   # - cron:  '0 3 * * 3'
+    - cron:  '0 0 * * *' # Temporarily nightly until 1.2.0 GA
 
 
 # these should be the only settings that you will ever need to change