ci: update to Go 1.15.4 and alpine:3.12

[mikemorris]

Is there any substantial reason we can't/shouldn't bump to Go 1.15.x for the Consul 1.9 release series? Did I miss bumping the version in any files?

[mikemorris]

In the go-test-api TestAPI_ClientTLSOptions, several tests are failing with x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

[mikemorris]

It looks like maybe static validation of time is more strict in 1.15, not sure if this simply means two of these failing tests could be removed now...

TestSession_Apply_BadTTL
    session_endpoint_test.go:929: incorrect error message: Session TTL '10z' invalid: time: unknown unit "z" in duration "10z"

TestConfigUtil_Values
    config_test.go:85: (case 3) err: 1 error(s) decoding:
        
        * error decoding 'duration': time: invalid duration "nope"

[rboyer]

@mikemorris I fixed the two tests in question. The error messages are mostly the same, except that now the inputs are wrapped in double quotes now so our assertions were slightly incorrect.

[rboyer]

Now there's this fun one with multiple occurrences:

 CONT  TestSetupHTTPServer_HTTP2
    http_test.go:196: err: Get "https://127.0.0.1:38331/echo": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

[rboyer]

might be good to wait until 1.15.4 for golang/go#42138

[rboyer]

I also regenerated some of the TLS test data files so they don't anger the updated tls stack in Go.

[mikemorris]

Yeaaaa, x509: certificate relies on legacy Common Name field is my biggest concern with moving to 1.15, it feels like a change we might want to look into a little more closely, particularly implications on service mesh things...

[mikemorris]

might be good to wait until 1.15.4 for golang/go#42138

Sooo, clock skew is potentially not fun, and we just published a consul:1.8.5 Docker image bundling a binary with alpine:3.12, and the actual pipeline building the binary would've been using circleci/golang:1.14.9 which is FROM golang:1.14.9 and appears to use either alpine:3.11 or alpine 3.12

I'm slightly unclear on if the issue is only present when running a compiled binary on an affected version of alpine or if the issue is which version of alpine was used to compile the binary, but it looks like 1.8.5 could be affected...

/cc @alvin-huang

[rboyer]

Yeaaaa, x509: certificate relies on legacy Common Name field is my biggest concern with moving to 1.15, it feels like a change we might want to look into a little more closely, particularly implications on service mesh things...

Service mesh doesn't use the Common Name, preferring instead the newer SubjectAlternativeName (SAN) field. The former is singly valued and the latter is multi valued.

[rboyer]

This lets you easily display the common name and subject alternative name fields from the CLI:

$ openssl x509  -noout -in server.crt -subject -ext subjectAltName

[hashicorp-ci]

🍒 Starting backport cherry picking.

To cherry-pick post-merge, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/280920.

[hashicorp-ci]

🍒✅ Cherry pick of commit 7af643a onto release/1.9.x succeeded!