backport of commit d482dd9

.changelog/1770.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+control-plane: server ACL Init always appends both, the secrets from the serviceAccount's secretRefs and the one created by the Helm chart, to support Openshift secret handling.
+```

.changelog/1934.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+control-plane: update alpine to 3.17 in the Docker image.
+```

.changelog/1953.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+control-plane: update alpine to 3.17 in the Docker image.
+```

.changelog/1976.txt

@@ -0,0 +1,3 @@
+```release-note:security
+upgrade to use Go 1.19.6. This resolves vulnerabilities CVE-2022-41724 in crypto/tls and CVE-2022-41723 in net/http.
+```

.circleci/config.yml

@@ -6,7 +6,7 @@ orbs:
 executors:
   go:
     docker:
-      - image: docker.mirror.hashicorp.services/cimg/go:1.20.1
+      - image: docker.mirror.hashicorp.services/cimg/go:1.19.6
     environment:
       TEST_RESULTS: /tmp/test-results # path to where test results are saved
 
@@ -23,7 +23,6 @@ aks-terraform-path: &aks-terraform-path charts/consul/test/terraform/aks
 openshift-terraform-path: &openshift-terraform-path charts/consul/test/terraform/openshift
 # This image is built from test/docker/Test.dockerfile
 consul-helm-test-image: &consul-helm-test-image docker.mirror.hashicorp.services/hashicorpdev/consul-helm-test:0.15.0
-consul-test-image: &consul-test-image hashicorppreview/consul-enterprise:1.15-dev
 
 ########################
 # COMMANDS
@@ -35,9 +34,9 @@ commands:
       - run:
           name: Install go, gotestsum, kind, kubectl, and helm
           command: |
-            wget https://golang.org/dl/go1.20.1.linux-amd64.tar.gz
-            sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.20.1.linux-amd64.tar.gz
-            rm go1.20.1.linux-amd64.tar.gz
+            wget https://golang.org/dl/go1.19.6.linux-amd64.tar.gz
+            sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.19.6.linux-amd64.tar.gz
+            rm go1.19.6.linux-amd64.tar.gz
             echo 'export PATH=$PATH:/usr/local/go/bin' >> $BASH_ENV
 
             wget https://github.com/gotestyourself/gotestsum/releases/download/v1.8.2/gotestsum_1.8.2_linux_amd64.tar.gz
@@ -169,7 +168,7 @@ commands:
                   echo $pkgs
                   for pkg in $pkgs
                   do
-                    if ! gotestsum --format=testname --no-summary=all --jsonfile=jsonfile-${pkg////-} -- $pkg -p 1 -timeout 2h -failfast \
+                    if ! gotestsum --no-summary=all --jsonfile=jsonfile-${pkg////-} -- $pkg -p 1 -timeout 2h -failfast \
                           << parameters.additional-flags >> \
                           -enable-multi-cluster \
                           ${ENABLE_ENTERPRISE:+-enable-enterprise} \
@@ -181,7 +180,7 @@ commands:
                       break
                     fi
                   done
-                  gotestsum --format=testname --raw-command --junitfile "$TEST_RESULTS/gotestsum-report.xml" -- cat jsonfile*
+                  gotestsum --raw-command --junitfile "$TEST_RESULTS/gotestsum-report.xml" -- cat jsonfile*
                   exit $exit_code
 
       - unless:
@@ -200,7 +199,7 @@ commands:
 
                   pkgs=$(go list ./... | circleci tests split --split-by=timings --timings-type=classname)
                   echo "Running $pkgs"
-                  gotestsum --format testname --junitfile "$TEST_RESULTS/gotestsum-report.xml" -- $pkgs -p 1 -timeout 2h -failfast \
+                  gotestsum --junitfile "$TEST_RESULTS/gotestsum-report.xml" -- $pkgs -p 1 -timeout 2h -failfast \
                       << parameters.additional-flags >> \
                       ${ENABLE_ENTERPRISE:+-enable-enterprise} \
                       -enable-multi-cluster \
@@ -281,7 +280,7 @@ jobs:
                  unzip consul_"${CONSUL_VERSION}"_linux_amd64.zip -d /home/circleci/bin &&
                  rm consul_"${CONSUL_VERSION}"_linux_amd64.zip
             PACKAGE_NAMES=$(go list ./...)
-            gotestsum --format testname --junitfile $TEST_RESULTS/gotestsum-report.xml -- -p 4 $PACKAGE_NAMES
+            gotestsum --junitfile $TEST_RESULTS/gotestsum-report.xml -- -p 4 $PACKAGE_NAMES
 
       - store_test_results:
           path: /tmp/test-results
@@ -312,7 +311,7 @@ jobs:
                  unzip consul_"${CONSUL_ENT_VERSION}"_linux_amd64.zip -d /home/circleci/bin &&
                  rm consul_"${CONSUL_ENT_VERSION}"_linux_amd64.zip
             PACKAGE_NAMES=$(go list ./...)
-            gotestsum --format testname --junitfile $TEST_RESULTS/gotestsum-report.xml -- -tags=enterprise -p 4 $PACKAGE_NAMES
+            gotestsum --junitfile $TEST_RESULTS/gotestsum-report.xml -- -tags=enterprise -p 4 $PACKAGE_NAMES
 
       - store_test_results:
           path: /tmp/test-results
@@ -401,7 +400,7 @@ jobs:
           name: Run tests
           working_directory: *cli-path
           command: |
-            gotestsum --format testname --junitfile $TEST_RESULTS/gotestsum-report.xml ./... -- -p 4
+            gotestsum --junitfile $TEST_RESULTS/gotestsum-report.xml ./... -- -p 4
 
       - store_test_results:
           path: /tmp/test-results
@@ -500,7 +499,7 @@ jobs:
           name: Run tests
           working_directory: *acceptance-framework-path
           command: |
-            gotestsum --format testname --junitfile $TEST_RESULTS/gotestsum-report.xml ./... -- -p 4
+            gotestsum --junitfile $TEST_RESULTS/gotestsum-report.xml ./... -- -p 4
 
       - store_test_results:
           path: /tmp/test-results
@@ -523,7 +522,7 @@ jobs:
           name: Run tests
           working_directory: *helm-gen-path
           command: |
-            gotestsum --format testname --junitfile $TEST_RESULTS/gotestsum-report.xml ./... -- -p 4
+            gotestsum --junitfile $TEST_RESULTS/gotestsum-report.xml ./... -- -p 4
 
       - store_test_results:
           path: /tmp/test-results
@@ -566,7 +565,6 @@ jobs:
   acceptance:
     environment:
       - TEST_RESULTS: /tmp/test-results
-      - CONSUL_TEST_IMAGE: *consul-test-image
     machine:
       image: ubuntu-2004:202010-01
     resource_class: xlarge
@@ -591,7 +589,7 @@ jobs:
       - run: mkdir -p $TEST_RESULTS
       - run-acceptance-tests:
           failfast: true
-          additional-flags: -use-kind -kubecontext="kind-dc1" -secondary-kubecontext="kind-dc2" -consul-image=$CONSUL_TEST_IMAGE
+          additional-flags: -use-kind -kubecontext="kind-dc1" -secondary-kubecontext="kind-dc2" -consul-image=docker.mirror.hashicorp.services/hashicorppreview/consul-enterprise:1.14-dev
       - store_test_results:
           path: /tmp/test-results
       - store_artifacts:
@@ -600,7 +598,6 @@ jobs:
   acceptance-tproxy:
     environment:
       - TEST_RESULTS: /tmp/test-results
-      - CONSUL_TEST_IMAGE: *consul-test-image
     machine:
       image: ubuntu-2004:202010-01
     resource_class: xlarge
@@ -625,7 +622,7 @@ jobs:
       - run: mkdir -p $TEST_RESULTS
       - run-acceptance-tests:
           failfast: true
-          additional-flags: -use-kind -kubecontext="kind-dc1" -secondary-kubecontext="kind-dc2" -enable-transparent-proxy -consul-image=$CONSUL_TEST_IMAGE
+          additional-flags: -use-kind -kubecontext="kind-dc1" -secondary-kubecontext="kind-dc2" -enable-transparent-proxy -consul-image=docker.mirror.hashicorp.services/hashicorppreview/consul-enterprise:1.14-dev
       - store_test_results:
           path: /tmp/test-results
       - store_artifacts:
@@ -634,7 +631,6 @@ jobs:
   acceptance-tproxy-cni:
     environment:
       - TEST_RESULTS: /tmp/test-results
-      - CONSUL_TEST_IMAGE: *consul-test-image
     machine:
       image: ubuntu-2004:202010-01
     resource_class: xlarge
@@ -659,7 +655,7 @@ jobs:
       - run: mkdir -p $TEST_RESULTS
       - run-acceptance-tests:
           failfast: true
-          additional-flags: -use-kind -kubecontext="kind-dc1" -secondary-kubecontext="kind-dc2" -enable-transparent-proxy -enable-cni -consul-image=$CONSUL_TEST_IMAGE
+          additional-flags: -use-kind -kubecontext="kind-dc1" -secondary-kubecontext="kind-dc2" -enable-transparent-proxy -enable-cni -consul-image=docker.mirror.hashicorp.services/hashicorppreview/consul-enterprise:1.14-dev
       - store_test_results:
           path: /tmp/test-results
       - store_artifacts:
@@ -732,7 +728,6 @@ jobs:
     environment:
       - TEST_RESULTS: /tmp/test-results
       - USE_GKE_GCLOUD_AUTH_PLUGIN: true
-      - CONSUL_TEST_IMAGE: *consul-test-image
     docker:
       - image: *consul-helm-test-image
 
@@ -778,7 +773,7 @@ jobs:
       - run: mkdir -p $TEST_RESULTS
 
       - run-acceptance-tests:
-          additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-transparent-proxy -consul-image=$CONSUL_TEST_IMAGE
+          additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-transparent-proxy -consul-image=hashicorppreview/consul-enterprise:1.14-dev
 
       - store_test_results:
           path: /tmp/test-results
@@ -802,7 +797,6 @@ jobs:
     environment:
       - TEST_RESULTS: /tmp/test-results
       - USE_GKE_GCLOUD_AUTH_PLUGIN: true
-      - CONSUL_TEST_IMAGE: *consul-test-image
     docker:
       - image: *consul-helm-test-image
 
@@ -848,7 +842,7 @@ jobs:
       - run: mkdir -p $TEST_RESULTS
 
       - run-acceptance-tests:
-          additional-flags: -use-gke -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-transparent-proxy -enable-cni -consul-image=$CONSUL_TEST_IMAGE
+          additional-flags: -use-gke -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-transparent-proxy -enable-cni -consul-image=hashicorppreview/consul-enterprise:1.14-dev
 
       - store_test_results:
           path: /tmp/test-results
@@ -871,7 +865,6 @@ jobs:
     parallelism: 3
     environment:
       - TEST_RESULTS: /tmp/test-results
-      - CONSUL_TEST_IMAGE: *consul-test-image
     docker:
       - image: *consul-helm-test-image
 
@@ -906,7 +899,7 @@ jobs:
       - run: mkdir -p $TEST_RESULTS
 
       - run-acceptance-tests:
-          additional-flags: -use-aks -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-transparent-proxy -consul-image=$CONSUL_TEST_IMAGE
+          additional-flags: -use-aks -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-transparent-proxy -consul-image=hashicorppreview/consul-enterprise:1.14-dev
 
       - store_test_results:
           path: /tmp/test-results
@@ -929,7 +922,6 @@ jobs:
     parallelism: 3
     environment:
       - TEST_RESULTS: /tmp/test-results
-      - CONSUL_TEST_IMAGE: *consul-test-image
     docker:
       - image: *consul-helm-test-image
 
@@ -964,7 +956,7 @@ jobs:
       - run: mkdir -p $TEST_RESULTS
 
       - run-acceptance-tests:
-          additional-flags: -use-aks -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-transparent-proxy -enable-cni -consul-image=$CONSUL_TEST_IMAGE
+          additional-flags: -use-aks -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-transparent-proxy -enable-cni -consul-image=hashicorppreview/consul-enterprise:1.14-dev
 
       - store_test_results:
           path: /tmp/test-results
@@ -986,7 +978,6 @@ jobs:
     parallelism: 3
     environment:
       - TEST_RESULTS: /tmp/test-results
-      - CONSUL_TEST_IMAGE: *consul-test-image
     docker:
       - image: *consul-helm-test-image
 
@@ -1027,7 +1018,7 @@ jobs:
       - run: mkdir -p $TEST_RESULTS
 
       - run-acceptance-tests:
-          additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-transparent-proxy -consul-image=$CONSUL_TEST_IMAGE
+          additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-transparent-proxy -consul-image=hashicorppreview/consul-enterprise:1.14-dev
 
       - store_test_results:
           path: /tmp/test-results
@@ -1050,7 +1041,6 @@ jobs:
     parallelism: 3
     environment:
       - TEST_RESULTS: /tmp/test-results
-      - CONSUL_TEST_IMAGE: *consul-test-image
     docker:
       - image: *consul-helm-test-image
 
@@ -1091,7 +1081,7 @@ jobs:
       - run: mkdir -p $TEST_RESULTS
 
       - run-acceptance-tests:
-          additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-transparent-proxy -enable-cni -consul-image=$CONSUL_TEST_IMAGE
+          additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-transparent-proxy -enable-cni -consul-image=hashicorppreview/consul-enterprise:1.14-dev
 
       - store_test_results:
           path: /tmp/test-results
@@ -1113,7 +1103,6 @@ jobs:
   acceptance-openshift:
     environment:
       TEST_RESULTS: /tmp/test-results
-      CONSUL_TEST_IMAGE: *consul-test-image
     parallelism: 1
     docker:
       - image: *consul-helm-test-image
@@ -1146,7 +1135,7 @@ jobs:
       - run: mkdir -p $TEST_RESULTS
 
       - run-acceptance-tests:
-          additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-openshift -enable-transparent-proxy -consul-image=$CONSUL_TEST_IMAGE
+          additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-openshift -enable-transparent-proxy -consul-image=hashicorppreview/consul-enterprise:1.14-dev
 
       - store_test_results:
           path: /tmp/test-results
@@ -1275,15 +1264,15 @@ workflows:
       - acceptance:
           context: consul-ci
           requires:
-            - dev-upload-docker
+          - dev-upload-docker
       - acceptance-tproxy-cni:
           context: consul-ci
           requires:
-            - dev-upload-docker
+          - dev-upload-docker
       - acceptance-tproxy:
           context: consul-ci
           requires:
-            - dev-upload-docker
+          - dev-upload-docker
 
 
   nightly-cleanup:
@@ -1312,7 +1301,6 @@ workflows:
               only:
                 - release/0.49.x
                 - release/1.0.x
-                - release/1.1.x
     jobs:
       - build-distro:
           OS: "linux"
@@ -1325,13 +1313,13 @@ workflows:
       # - acceptance-openshift
       - acceptance-gke-1-25:
           requires:
-            - dev-upload-docker
+          - dev-upload-docker
       - acceptance-gke-cni-1-25:
           requires:
-            - acceptance-gke-1-25
+          - acceptance-gke-1-25
       - acceptance-tproxy:
           requires:
-            - dev-upload-docker
+          - dev-upload-docker
 
   nightly-acceptance-tests-main:
     description: |
@@ -1376,3 +1364,19 @@ workflows:
       - acceptance-tproxy:
           requires:
             - dev-upload-docker
+
+  nightly-kind-acceptance-tests-consul-compatability:
+    description: |
+      Acceptance tests which run nightly to verify the compatibility between
+      a consul-k8s binary and it's consul version pair. Tests will be conducted
+      for up to n-2 previous Consul-k8s releases.
+    triggers:
+      - schedule:
+          cron: "0 0 * * *" # Run at 12 am UTC (5 pm PST)
+          filters:
+            branches:
+              only:
+                - main
+    jobs:
+      - acceptance-kind-1-23-consul-compat-nightly-1-12
+      - acceptance-kind-1-23-consul-compat-nightly-1-13

.github/workflows/backport.yml

@@ -2,7 +2,7 @@
 name: Backport Assistant Runner
 
 on:
-  pull_request_target:
+  pull_request:
     types:
       - closed
       - labeled