From 1ea96467f81ca9caa20fc5527d1172a61317366e Mon Sep 17 00:00:00 2001 From: "nitin.sachdev" Date: Fri, 18 Apr 2025 13:58:49 +0530 Subject: [PATCH 01/21] upgrading envoy to 1.33.2 and fixing CVEs GO-2025-3595 in golang.org/x/net@v0.37.0 --- Dockerfile | 4 ++-- go.mod | 4 ++-- go.sum | 4 ++-- integration-tests/go.mod | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index a90c67e6..21987259 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,7 +11,7 @@ # prebuilt binaries in any other form. # ARG GOLANG_VERSION -FROM envoyproxy/envoy-distroless:v1.33.0 as envoy-binary +FROM envoyproxy/envoy-distroless:v1.33.2 as envoy-binary # Modify the envoy binary to be able to bind to privileged ports (< 1024). FROM debian:bullseye-slim AS setcap-envoy-binary @@ -27,7 +27,7 @@ RUN apt-get update && apt install -y libcap2-bin RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/envoy RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/$BIN_NAME -FROM hashicorp/envoy-fips:1.33.0-fips1402 as envoy-fips-binary +FROM hashicorp/envoy-fips:1.33.2-fips1402 as envoy-fips-binary # Modify the envoy-fips binary to be able to bind to privileged ports (< 1024). FROM debian:bullseye-slim AS setcap-envoy-fips-binary diff --git a/go.mod b/go.mod index f462412d..f2a57e24 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/hashicorp/consul-dataplane -go 1.23.6 +go 1.23.8 require ( dario.cat/mergo v1.0.0 @@ -40,7 +40,7 @@ require ( github.com/prometheus/common v0.37.0 // indirect github.com/prometheus/procfs v0.8.0 // indirect github.com/stretchr/objx v0.5.2 // indirect - golang.org/x/net v0.37.0 // indirect + golang.org/x/net v0.38.0 // indirect golang.org/x/sys v0.31.0 // indirect golang.org/x/text v0.23.0 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20230526203410-71b5a4ffd15e // indirect diff --git a/go.sum b/go.sum index 5e69ba6a..50165fb5 100644 --- a/go.sum +++ b/go.sum 
@@ -353,8 +353,8 @@ golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c/go.mod h1:p54w0d4576C0XHj96b golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c= -golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= +golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8= +golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= diff --git a/integration-tests/go.mod b/integration-tests/go.mod index 4c9471ba..6b762801 100644 --- a/integration-tests/go.mod +++ b/integration-tests/go.mod @@ -52,7 +52,7 @@ require ( github.com/sirupsen/logrus v1.9.0 // indirect golang.org/x/crypto v0.22.0 // indirect golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 // indirect - golang.org/x/net v0.24.0 // indirect + golang.org/x/net v0.38.0 // indirect golang.org/x/sys v0.19.0 // indirect golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20230526203410-71b5a4ffd15e // indirect From 9a8eeb9a8070363f4066bc7dda4dea09e175670e Mon Sep 17 00:00:00 2001 From: "nitin.sachdev" Date: Fri, 18 Apr 2025 14:01:00 +0530 Subject: [PATCH 02/21] added changelog --- .changelog/719.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 .changelog/719.txt 
diff --git a/.changelog/719.txt b/.changelog/719.txt new file mode 100644 index 00000000..f6512429 --- /dev/null +++ b/.changelog/719.txt @@ -0,0 +1,4 @@ +```release-note:security +Upgraded `x/net` to 0.38.0. This resolves [GO-2025-3595](https://pkg.go.dev/vuln/GO-2025-3595) +Upgraded `envoy` to 1.33.2. +``` From 09c503f38e64255fe0fbb7c4bea234d4d2c148ee Mon Sep 17 00:00:00 2001 From: "nitin.sachdev" Date: Fri, 18 Apr 2025 15:27:30 +0530 Subject: [PATCH 03/21] executed go mod tidy --- integration-tests/go.mod | 6 +++--- integration-tests/go.sum | 34 ++++++++++++++++++++++++++-------- 2 files changed, 29 insertions(+), 11 deletions(-) diff --git a/integration-tests/go.mod b/integration-tests/go.mod index 6b762801..8608a181 100644 --- a/integration-tests/go.mod +++ b/integration-tests/go.mod @@ -1,6 +1,6 @@ module github.com/hashicorp/consul-dataplane/integration-tests -go 1.20 +go 1.23.8 require ( github.com/docker/docker v20.10.20+incompatible @@ -50,10 +50,10 @@ require ( github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/sirupsen/logrus v1.9.0 // indirect - golang.org/x/crypto v0.22.0 // indirect + golang.org/x/crypto v0.36.0 // indirect golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 // indirect golang.org/x/net v0.38.0 // indirect - golang.org/x/sys v0.19.0 // indirect + golang.org/x/sys v0.31.0 // indirect golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20230526203410-71b5a4ffd15e // indirect google.golang.org/grpc v1.56.3 // indirect diff --git a/integration-tests/go.sum b/integration-tests/go.sum index 9eba035a..f63fdcea 100644 --- a/integration-tests/go.sum +++ b/integration-tests/go.sum 
@@ -4,6 +4,7 @@ github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3 github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA= github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= github.com/Microsoft/hcsshim v0.9.6 h1:VwnDOgLeoi2du6dAznfmspNqTiwczvjv4K7NxuY9jsY= +github.com/Microsoft/hcsshim v0.9.6/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= @@ -26,7 +27,9 @@ github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp github.com/containerd/containerd v1.6.18 h1:qZbsLvmyu+Vlty0/Ex5xc0z2YtKpIsb5n45mAMI+2Ns= github.com/containerd/containerd v1.6.18/go.mod h1:1RdCUu95+gc2v9t3IL+zIlpClSmew7/0YS8O5eQZrOw= github.com/containerd/continuity v0.3.0 h1:nisirsYROK15TAMVukJOUyGJjz4BNQJBVsNvAXZJ/eg= +github.com/containerd/continuity v0.3.0/go.mod h1:wJEAIwKOm/pBZuBd0JmeTvnLquTB1Ag8espWhkykbPM= github.com/creack/pty v1.1.17 h1:QeVUsEDNrLBW4tMgZHvxy18sKtr6VI492kBhUfhDJNI= +github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= 
@@ -59,16 +62,20 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= +github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/hashicorp/consul/api v1.29.1 h1:UEwOjYJrd3lG1x5w7HxDRMGiAUPrb3f103EoeKuuEcc= github.com/hashicorp/consul/api v1.29.1/go.mod h1:lumfRkY/coLuqMICkI7Fh3ylMG31mQSRZyef2c5YvJI= github.com/hashicorp/consul/proto-public v0.6.1 h1:+uzH3olCrksXYWAYHKqK782CtK9scfqH+Unlw3UHhCg= +github.com/hashicorp/consul/proto-public v0.6.1/go.mod h1:cXXbOg74KBNGajC+o8RlA502Esf0R9prcoJgiOX/2Tg= github.com/hashicorp/consul/sdk v0.16.1 h1:V8TxTnImoPD5cj0U9Spl0TUxcytjcbbJeADFF07KdHg= +github.com/hashicorp/consul/sdk v0.16.1/go.mod h1:fSXvwxB2hmh1FMZCNl6PwX0Q/1wdWtHJcZ7Ea5tns0s= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -82,6 +89,7 @@ github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJ github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= github.com/hashicorp/go-msgpack v0.5.5 h1:i9R9JSrqIz0QVLz3sz+i3YJdT7TTSLcfLLzJi9aZTuI= +github.com/hashicorp/go-msgpack v0.5.5/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= 
@@ -91,11 +99,14 @@ github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5O github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc= +github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= +github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-version v1.2.1 h1:zEfKbn2+PDgroKdiOzqiE8rsmLqU2uwi5PB5pBJ3TkI= +github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= 
@@ -116,6 +127,7 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxv github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0= +github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= @@ -190,6 +202,7 @@ github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XFkP+Eg= +github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 h1:nn5Wsu0esKSJiIVhscUtVbo7ada43DJhG55ua/hjS5I= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= 
@@ -201,6 +214,7 @@ github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVs github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= @@ -219,8 +233,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= -golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= +golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34= +golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc= golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ= golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 
@@ -239,8 +253,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8= golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w= -golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8= +golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8= +golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -248,6 +262,7 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= +golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -276,16 +291,17 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= -golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik= +golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY= +golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44= +golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 
@@ -308,6 +324,7 @@ gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLks gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w= gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= @@ -318,3 +335,4 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= +gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= From d78d40d7391602fabc7ea1f6923fc39d2c43fec3 Mon Sep 17 00:00:00 2001 From: "nitin.sachdev" Date: Fri, 18 Apr 2025 15:38:44 +0530 Subject: [PATCH 04/21] fixed changelog --- .changelog/719.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.changelog/719.txt b/.changelog/719.txt index f6512429..06f90bea 100644 --- a/.changelog/719.txt +++ b/.changelog/719.txt @@ -1,4 +1,5 @@ ```release-note:security Upgraded `x/net` to 0.38.0. This resolves [GO-2025-3595](https://pkg.go.dev/vuln/GO-2025-3595) -Upgraded `envoy` to 1.33.2. +Upgraded `envoy` to 1.33.2 +Upgraded `Go` to 1.23.8 ``` From 2a9d4b540bcb658681b8fdc7b7d7b23ca63593cf Mon Sep 17 00:00:00 2001 
From: "nitin.sachdev" Date: Fri, 18 Apr 2025 16:03:49 +0530 Subject: [PATCH 05/21] upgraded go version --- .go-version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.go-version b/.go-version index fa994bd7..5a043202 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.23.6 \ No newline at end of file +1.23.8 \ No newline at end of file From 41377ec38fe64697b795da2032b1badacf63530e Mon Sep 17 00:00:00 2001 From: "nitin.sachdev" Date: Fri, 18 Apr 2025 16:27:08 +0530 Subject: [PATCH 06/21] upgraded ubuntu to latest --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e323c9c3..f7ee8506 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -71,7 +71,7 @@ jobs: needs: - get-go-version - get-product-version - runs-on: ubuntu-20.04 # the GLIBC is too high on 22.04 + runs-on: ubuntu-latest # the GLIBC is too high on 22.04 strategy: matrix: include: From 2ebbf7918072f6de2d3aa19a5bc2689c47d34548 Mon Sep 17 00:00:00 2001 From: "nitin.sachdev" Date: Fri, 18 Apr 2025 17:49:09 +0530 Subject: [PATCH 07/21] fixed build pipeline --- Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Dockerfile b/Dockerfile index 21987259..dca05e42 100644 --- a/Dockerfile +++ b/Dockerfile @@ -24,6 +24,7 @@ COPY --from=envoy-binary /usr/local/bin/envoy /usr/local/bin/ COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/ RUN apt-get update && apt install -y libcap2-bin +RUN apt-get update && apt-get install -y libc6 RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/envoy RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/$BIN_NAME 
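Review bot: The trailing comment `# the GLIBC is too high on 22.04` is kept while `runs-on` moves from `ubuntu-20.04` to `ubuntu-latest`, so it no longer explains the value next to it, and `ubuntu-latest` is a floating label whose glibc changes under you, which is exactly the property the comment warns about. The same stale comment survives the follow-up edits to `ubuntu-24.04` (patch 08, L14) and `ubuntu-22.04` (patch 09, L14), where it directly contradicts the runner it annotates. Either delete the comment or replace it with one sentence stating the actual constraint the runner must satisfy, so the next person does not "fix" it again. The enclosing job definition starts and ends outside the hunk.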
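Review bot: The added `RUN apt-get update && apt-get install -y libc6` creates a second package-install layer directly under the existing `RUN apt-get update && apt install -y libcap2-bin`, and the second hunk of this patch (L14) repeats the same line in the FIPS stage. Folding both into the existing line, `RUN apt-get update && apt-get install -y --no-install-recommends libcap2-bin libc6 && rm -rf /var/lib/apt/lists/*`, uses the scriptable `apt-get` consistently, avoids baking a stale apt index into the image, and keeps the layer small. On `debian:bullseye-slim` this only refreshes the distribution's own libc6, so if the build failure is a newer-GLIBC symbol requirement (as the glibc 2.34 step added later in this series suggests) this line probably does not address it; worth confirming against the actual error. The stage's `FROM` line is outside this hunk.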
@@ -40,6 +41,7 @@ COPY --from=envoy-fips-binary /usr/local/bin/envoy /usr/local/bin/ COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/ RUN apt-get update && apt install -y libcap2-bin +RUN apt-get update && apt-get install -y libc6 RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/envoy RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/$BIN_NAME From 169ef4d4071d62347624bb240cddbab8e8dcf5b8 Mon Sep 17 00:00:00 2001 From: "nitin.sachdev" Date: Fri, 18 Apr 2025 18:03:30 +0530 Subject: [PATCH 08/21] changed ubuntu version --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f7ee8506..57c0bf59 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -71,7 +71,7 @@ jobs: needs: - get-go-version - get-product-version - runs-on: ubuntu-latest # the GLIBC is too high on 22.04 + runs-on: ubuntu-24.04 # the GLIBC is too high on 22.04 strategy: matrix: include: From cc26736c9198b7d3618ecfeb3d307687120a9cb2 Mon Sep 17 00:00:00 2001 From: Mukul Anand Date: Fri, 18 Apr 2025 18:11:50 +0530 Subject: [PATCH 09/21] Update build.yml 24.04 failing due to glibc version not available. Falling back to 22.04 for testing --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 57c0bf59..5b9d8969 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -71,7 +71,7 @@ jobs: needs: - get-go-version - get-product-version - runs-on: ubuntu-24.04 # the GLIBC is too high on 22.04 + runs-on: ubuntu-22.04 # the GLIBC is too high on 22.04 strategy: matrix: include: From 4478dbb3ab38e0e8679480f1fdf03bcc227eae18 Mon Sep 17 00:00:00 2001 
From: Mukul Anand Date: Fri, 18 Apr 2025 18:33:11 +0530 Subject: [PATCH 10/21] Fixed glibc libraries not found with a step for installing them --- .github/workflows/build.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5b9d8969..025129cf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -179,6 +179,18 @@ jobs: echo "minor_dev_tag=$(echo ${{ env.version }}| sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')" echo "minor_dev_tag=$(echo ${{ env.version }}| sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')" >> $GITHUB_ENV + - name: Install Required glibc version + run: | + GLIBC_VERSION=2.34 + wget http://ftp.gnu.org/gnu/libc/glibc-$GLIBC_VERSION.tar.gz + tar -xvzf glibc-${GLIBC_VERSION}.tar.gz + cd glibc-${GLIBC_VERSION} + mkdir build + cd build + ../configure --prefix=/opt/glibc-${GLIBC_VERSION} + make -j$(nproc) + sudo make install + export LD_LIBRARY_PATH=/opt/glibc-${GLIBC_VERSION}/lib:${LD_LIBRARY_PATH} - name: Docker Build (Action) if: ${{ !matrix.fips }} uses: hashicorp/actions-docker-build@v2 From 2173bbe13b2de73e6b3709c917e2d7a385f1ee98 Mon Sep 17 00:00:00 2001 From: Mukul Anand Date: Wed, 23 Apr 2025 15:47:55 +0530 Subject: [PATCH 11/21] build test fix --- .github/containers/Dockerfile | 27 ++++++ .github/workflows/build.yml | 164 +++++++++++++++++++++++++++++++--- 2 files changed, 177 insertions(+), 14 deletions(-) create mode 100644 .github/containers/Dockerfile diff --git a/.github/containers/Dockerfile b/.github/containers/Dockerfile new file mode 100644 index 00000000..4acf2a42 --- /dev/null +++ b/.github/containers/Dockerfile 
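Review bot: The new `Install Required glibc version` step fetches `glibc-2.34.tar.gz` over plain `http://` from `ftp.gnu.org` with no checksum or signature check, then compiles it and runs `sudo make install` on the release build runner, so an unverified download is installed with root privileges into the job that produces the shipped binary. GNU publishes detached `.sig` files next to the tarballs; verifying with the GNU keyring before `tar` (or at minimum checking a pinned digest with `sha256sum -c`) closes that gap, and the URL should be `https://ftp.gnu.org/...` regardless. Separately, the closing `export LD_LIBRARY_PATH=...` only affects this step's shell; later steps such as the Docker build need `echo "LD_LIBRARY_PATH=/opt/glibc-${GLIBC_VERSION}/lib:${LD_LIBRARY_PATH}" >> "$GITHUB_ENV"` to see it. Patch 11 of this series removes the step again, so this applies only if it is reinstated. The enclosing job continues outside the hunk.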
@@ -0,0 +1,27 @@ +FROM ubuntu:focal + +ENV DEBIAN_FRONTEND=noninteractive + +ARG GO_VERSION + +RUN apt-get update && apt-get install -y --no-install-recommends \ + bash \ + build-essential \ + ca-certificates \ + crossbuild-essential-arm64 \ + curl \ + libc-bin \ + binutils \ + gcc-aarch64-linux-gnu \ + git \ + xz-utils \ + zip + +# Get Go and get Going ;) +RUN curl -L https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz | tar -C /opt -zxv + +ENV PATH="/root/go/bin:/opt/go/bin:$PATH" + +RUN git config --global --add safe.directory /build + +WORKDIR /build \ No newline at end of file diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 025129cf..93ce667b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -39,6 +39,7 @@ jobs: runs-on: ubuntu-latest outputs: product-version: ${{ steps.get-product-version.outputs.product-version }} + shared-ldflags: ${{ steps.shared-ldflags.outputs.shared-ldflags }} steps: - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - name: get product version @@ -46,7 +47,13 @@ jobs: run: | make version echo "product-version=$(make version)" >> $GITHUB_OUTPUT - + - name: Set shared -ldflags + id: shared-ldflags + run: | + T="github.com/hashicorp/consul-dataplane/pkg/version" + echo "shared-ldflags=-X ${T}.GitCommit=${GITHUB_SHA::8} \ + -X ${T}.GitDescribe=${{ steps.get-product-version.outputs.product-version }} \ + " >> "$GITHUB_OUTPUT" generate-metadata-file: needs: get-product-version runs-on: ubuntu-latest @@ -92,6 +99,8 @@ jobs: - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - uses: hashicorp/actions-go-build@v1 + name: Build non-FIPS + if : ${{ matrix.fips != '+fips1402' }} with: product_name: ${{ env.PKG_NAME }} product_version: ${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }} 
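Review bot: `RUN curl -L https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz | tar -C /opt -zxv` installs the toolchain that builds the FIPS release binary without any integrity check, and because the pipeline's exit status is `tar`'s rather than `curl`'s, a failed or truncated download can leave a partial `/opt/go` and still succeed. Download to a file, verify it against the `.sha256` that go.dev publishes beside each archive (a digest pinned in the repo is stronger still, since it does not trust the download origin), and only then extract. The apt layer should end with `&& rm -rf /var/lib/apt/lists/*` so the package index is not baked into the image. The `git config --global --add safe.directory /build` lands in root's `~/.gitconfig`, but build.yml in this same patch runs the container as `--user "$(id -u):$(id -g)"` with `HOME=/tmp`, so that setting is probably not read at build time; confirm.
```dockerfile
# … unchanged: FROM, ENV, ARG GO_VERSION, apt-get layer …
# Get Go and get Going ;) — verify the archive before extracting it
RUN curl -fsSL -o /tmp/go.tgz "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" \
 && curl -fsSL -o /tmp/go.tgz.sha256 "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz.sha256" \
 && echo "$(cat /tmp/go.tgz.sha256)  /tmp/go.tgz" | sha256sum -c - \
 && tar -C /opt -xzf /tmp/go.tgz \
 && rm -f /tmp/go.tgz /tmp/go.tgz.sha256
# … unchanged: ENV PATH, git safe.directory, WORKDIR …
```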
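Review bot: `if : ${{ matrix.fips != '+fips1402' }}` has a space before the colon; YAML accepts it, but it is inconsistent with every other key in the file and will be flagged by linters, so write `if: ${{ matrix.fips != '+fips1402' }}`. This step is now the non-FIPS path only, and its `go build` (visible as context at the top of the next hunk) keeps the old `-ldflags="-X github.com/hashicorp/consul-dataplane/pkg/version.GitCommit=${GITHUB_SHA::8}"` while the new FIPS path uses `shared-ldflags`, which also sets `GitDescribe`; pointing both at `${{ needs.get-product-version.outputs.shared-ldflags }}` keeps the version metadata of the two binaries consistent. The step list this belongs to continues outside the hunk.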
@@ -107,6 +116,146 @@ jobs: fi ${{ matrix.env }} go build -tags=${{ matrix.gotags }} -trimpath -buildvcs=false -ldflags="-X github.com/hashicorp/consul-dataplane/pkg/version.GitCommit=${GITHUB_SHA::8}" -o $BIN_PATH ./cmd/$BIN_NAME + - name: Build ubuntu-focal-builder image + if: ${{ matrix.goos != 'windows' && matrix.fips == '+fips1402' }} + uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 + with: + platforms: linux/amd64 # we only ever build amd64 images because we always run on amd64 runners and cross-compile inside the container if needed + context: .github/containers/ubuntu/ + build-args: | + GO_VERSION=${{ needs.get-go-version.outputs.go-version }} + push: true + tags: localhost:5000/ubuntu-focal-builder:${{ github.sha }} + + - uses: hashicorp/actions-go-build@v1 + name: Build FIPS non-windows + if: ${{ matrix.goos != 'windows' && matrix.fips == '+fips1402' }} + env: + PRODUCT_VERSION: ${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }} + GO_ENV: "${{ matrix.env }}" + GO_VERSION: ${{ needs.get-go-version.outputs.go-version }} + GOLDFLAGS: "${{needs.get-product-version.outputs.shared-ldflags}}" + BINARY_PATH: "dist/${{ env.PKG_NAME }}" + GOOS: ${{ matrix.goos }} + GOARCH: ${{ matrix.goarch }} + GOTAGS: ${{ matrix.gotags }} + with: + product_name: ${{ env.PKG_NAME }} + product_version: ${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }} + go_version: ${{ needs.get-go-version.outputs.go-version }} + os: ${{ matrix.goos }} + arch: ${{ matrix.goarch }} + reproducible: assert + instructions: |- + mkdir -p /build/dist + mkdir -p .release/linux/package/usr/share/doc/$PKG_NAME + cp LICENSE $TARGET_DIR/LICENSE.txt + + #### Create a script file to run inside Docker with detailed logging #### + + cat > container_build_script.sh << 'EOF' + #!/bin/bash + set -x # Print each command before execution + + echo "====== Environment inside container ======" + env | sort + git config --global 
url."https://${GITHUB_TOKEN}:@github.com/".insteadOf "https://github.com/" + + if [ -n "$ELEVATED_GITHUB_TOKEN" ]; then + echo "Configuring Git with elevated GitHub token for authentication..." + git config --global url."https://${ELEVATED_GITHUB_TOKEN}:x-oauth-basic@github.com/".insteadOf "https://github.com/" + git config --global url."https://${ELEVATED_GITHUB_TOKEN}:x-oauth-basic@github.com/".insteadOf "git@github.com:" + else + echo "WARNING: ELEVATED_GITHUB_TOKEN not provided. Private repository access may fail." + exit 1 + fi + echo "Configuring Git for private repositories..." + + # Use .netrc for Git authentication - more reliable than url rewriting + cat > /tmp/.netrc << EON + machine github.com + login oauth2 + password $ELEVATED_GITHUB_TOKEN + EON + + # Set permissions and tell Git where to find it + chmod 600 /tmp/.netrc + export HOME=/tmp + + # Verify Git can access a private repository + echo "Testing Git authentication..." + git ls-remote https://github.com/hashicorp/consul-dataplane.git HEAD || { + echo "Failed to authenticate with GitHub. Check token permissions." + exit 1 + } + + # Ensure GOPRIVATE is set in the container + export GOPRIVATE=${GOPRIVATE:-github.com/hashicorp} + + # Show Go environment (excluding sensitive info) + go env | grep -v -E '(TOKEN|PASSWORD|SECRET|KEY)' + echo "========================================" + + echo "====== Starting build process ======" + echo "Go Environment: $GO_ENV" + echo "Go Tags: $GOTAGS" + echo "Gold Flags: $GOLDFLAGS" + echo "Binary will be output to: /build/$BINARY_PATH" + ls -la /build + ls -la /build/dist + # Executing the build command with detailed output + BUILD_CMD="$GO_ENV go build -tags=$GOTAGS -ldflags \"$GOLDFLAGS\" -o \"/build/$BINARY_PATH\" -trimpath -buildvcs=false ./cmd/$BIN_NAME" + echo "Build command: $BUILD_CMD" + + # Use eval to properly execute the command + eval "$BUILD_CMD" + BUILD_STATUS=$? 
+ echo "======Binary exists - Checking package DL dependencies======" + readelf -sW /build/dist/consul-dataplane | grep GLIBC_ || echo "No GLIBC symbols found." + echo "Go build exit status: $BUILD_STATUS" + + if [ $BUILD_STATUS -ne 0 ]; then + echo "ERROR: Go build failed with status $BUILD_STATUS" + # Display more diagnostic information + echo "Go version:" + go version + echo "Go environment:" + go env + exit $BUILD_STATUS + fi + + echo "====== Listing build output ======" + ls -la /build/ + ls -la /build/dist/ + echo "====== Build process completed successfully ======" + EOF + ###### end of script file ##### + + + # Make the script executable + chmod +x container_build_script.sh + + ESCAPED_GOLDFLAGS=$(echo "${{env.GOLDFLAGS}}" | sed 's/"/\\"/g') + echo "Running Docker container..." + docker run --rm \ + --user "$(id -u):$(id -g)" \ + --env HOME=/tmp \ + --env PRODUCT_VERSION=${{env.PRODUCT_VERSION}} \ + --env GOLDFLAGS="$ESCAPED_GOLDFLAGS" \ + --env BINARY_PATH=${{env.BINARY_PATH}} \ + --env GOOS=${{env.GOOS}} \ + --env GOARCH=${{env.GOARCH}} \ + --env GOTAGS=${{env.GOTAGS}} \ + --env GO_ENV="${{env.GO_ENV}}" \ + --env PKG_NAME=${{env.PKG_NAME}} \ + --env GOPRIVATE="github.com/hashicorp" \ + --env ELEVATED_GITHUB_TOKEN=${{ secrets.ELEVATED_GITHUB_TOKEN }} \ + -v "$(pwd)":/build \ + -w /build \ + localhost:5000/ubuntu-focal-builder:${{ github.sha }} \ + /build/container_build_script.sh + ls -la ./dist + - name: Copy license file if: ${{ matrix.goos == 'linux' }} env: 
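Review bot: The container script runs under `set -x` and then executes `git config --global url."https://${ELEVATED_GITHUB_TOKEN}:x-oauth-basic@github.com/".insteadOf ...`, having already dumped the whole environment with `env | sort`, so the elevated token is written to the job log in clear text twice; GitHub's masking is best-effort and only matches the exact registered value, which is not something an org-wide token should depend on. Wrap the credential lines in `set +x` … `set -x` and filter the dump the way the `go env` line already does: `env | sort | grep -v -E '(TOKEN|PASSWORD|SECRET|KEY)'`. The first rewrite, `git config --global url."https://${GITHUB_TOKEN}:@github.com/".insteadOf "https://github.com/"`, runs with `GITHUB_TOKEN` unset inside the container (it is not in the `docker run --env` list), so it installs a rewrite with an empty credential that the `.netrc` then has to override. The token is also interpolated straight into the step's shell as `${{ secrets.ELEVATED_GITHUB_TOKEN }}`; putting it in the step's `env:` block and referencing `"$ELEVATED_GITHUB_TOKEN"` keeps it out of the rendered script, and the hard-coded `readelf -sW /build/dist/consul-dataplane` should use `/build/$BINARY_PATH` like the build command does. The hunk ends inside the following `Copy license file` step, which continues outside it.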
@@ -178,19 +327,6 @@ jobs: echo "full_dev_tag=${{ env.version }}" >> $GITHUB_ENV echo "minor_dev_tag=$(echo ${{ env.version }}| sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')" echo "minor_dev_tag=$(echo ${{ env.version }}| sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')" >> $GITHUB_ENV - - - name: Install Required glibc version - run: | - GLIBC_VERSION=2.34 - wget http://ftp.gnu.org/gnu/libc/glibc-$GLIBC_VERSION.tar.gz - tar -xvzf glibc-${GLIBC_VERSION}.tar.gz - cd glibc-${GLIBC_VERSION} - mkdir build - cd build - ../configure --prefix=/opt/glibc-${GLIBC_VERSION} - make -j$(nproc) - sudo make install - export LD_LIBRARY_PATH=/opt/glibc-${GLIBC_VERSION}/lib:${LD_LIBRARY_PATH} - name: Docker Build (Action) if: ${{ !matrix.fips }} uses: hashicorp/actions-docker-build@v2 From 86dceb685b6da67606abbf3160bb022ae5bd62be Mon Sep 17 00:00:00 2001 From: Mukul Anand Date: Wed, 23 Apr 2025 16:13:44 +0530 Subject: [PATCH 12/21] Trigger Build From 26ecc82837af7f7a31a78c1c9c7f2e4b7020c0bf Mon Sep 17 00:00:00 2001 From: Mukul Anand Date: Wed, 23 Apr 2025 16:16:09 +0530 Subject: [PATCH 13/21] clubbed container --- .github/containers/{ => ubuntu}/Dockerfile | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/containers/{ => ubuntu}/Dockerfile (100%) diff --git a/.github/containers/Dockerfile b/.github/containers/ubuntu/Dockerfile similarity index 100% rename from .github/containers/Dockerfile rename to .github/containers/ubuntu/Dockerfile From ab3d31df66584c043bfef24bbc0f666e7c7b57b0 Mon Sep 17 00:00:00 2001 From: Mukul Anand Date: Wed, 23 Apr 2025 16:19:54 +0530 Subject: [PATCH 14/21] added local docker repository service --- .github/workflows/build.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 93ce667b..6a8edba2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -79,6 +79,11 @@ jobs: - get-go-version - get-product-version runs-on: ubuntu-22.04 # the GLIBC is too high on 22.04 + services: + registry: + image: registry:2 + ports: + - 5000:5000 strategy: matrix: include: From ab78cdfeca84ea1146c31e58f1f894cc200f16a5 Mon Sep 17 00:00:00 2001 From: Mukul Anand Date: Wed, 23 Apr 2025 16:31:20 +0530 Subject: [PATCH 15/21] directory failure fix --- .github/workflows/build.yml | 153 ++++++++++++++++++------------------ 1 file changed, 76 insertions(+), 77 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6a8edba2..1c80238d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
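Review bot: `image: registry:2` pins the throwaway registry service to a mutable tag, so the image that later receives the pushed `ubuntu-focal-builder` layers and serves them back to `docker run` is whatever `registry:2` resolves to on the day of the build. The series already pins third-party code by commit SHA elsewhere (`actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4`), so the convention is in place; pin the service by digest as well, `image: registry:2@sha256:<digest>` (placeholder for the verified digest). The `5000:5000` mapping is only reachable on the ephemeral runner, which is acceptable, but nothing on the pull path authenticates the registry, so the digest pin is the only integrity check on that hop.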
@@ -152,88 +152,87 @@ jobs: arch: ${{ matrix.goarch }} reproducible: assert instructions: |- - mkdir -p /build/dist mkdir -p .release/linux/package/usr/share/doc/$PKG_NAME cp LICENSE $TARGET_DIR/LICENSE.txt #### Create a script file to run inside Docker with detailed logging #### - cat > container_build_script.sh << 'EOF' - #!/bin/bash - set -x # Print each command before execution - - echo "====== Environment inside container ======" - env | sort - git config --global url."https://${GITHUB_TOKEN}:@github.com/".insteadOf "https://github.com/" - - if [ -n "$ELEVATED_GITHUB_TOKEN" ]; then - echo "Configuring Git with elevated GitHub token for authentication..." - git config --global url."https://${ELEVATED_GITHUB_TOKEN}:x-oauth-basic@github.com/".insteadOf "https://github.com/" - git config --global url."https://${ELEVATED_GITHUB_TOKEN}:x-oauth-basic@github.com/".insteadOf "git@github.com:" - else - echo "WARNING: ELEVATED_GITHUB_TOKEN not provided. Private repository access may fail." - exit 1 - fi - echo "Configuring Git for private repositories..." - - # Use .netrc for Git authentication - more reliable than url rewriting - cat > /tmp/.netrc << EON - machine github.com - login oauth2 - password $ELEVATED_GITHUB_TOKEN - EON - - # Set permissions and tell Git where to find it - chmod 600 /tmp/.netrc - export HOME=/tmp - - # Verify Git can access a private repository - echo "Testing Git authentication..." - git ls-remote https://github.com/hashicorp/consul-dataplane.git HEAD || { - echo "Failed to authenticate with GitHub. Check token permissions." 
- exit 1 - } - - # Ensure GOPRIVATE is set in the container - export GOPRIVATE=${GOPRIVATE:-github.com/hashicorp} - - # Show Go environment (excluding sensitive info) - go env | grep -v -E '(TOKEN|PASSWORD|SECRET|KEY)' - echo "========================================" - - echo "====== Starting build process ======" - echo "Go Environment: $GO_ENV" - echo "Go Tags: $GOTAGS" - echo "Gold Flags: $GOLDFLAGS" - echo "Binary will be output to: /build/$BINARY_PATH" - ls -la /build - ls -la /build/dist - # Executing the build command with detailed output - BUILD_CMD="$GO_ENV go build -tags=$GOTAGS -ldflags \"$GOLDFLAGS\" -o \"/build/$BINARY_PATH\" -trimpath -buildvcs=false ./cmd/$BIN_NAME" - echo "Build command: $BUILD_CMD" - - # Use eval to properly execute the command - eval "$BUILD_CMD" - BUILD_STATUS=$? - echo "======Binary exists - Checking package DL dependencies======" - readelf -sW /build/dist/consul-dataplane | grep GLIBC_ || echo "No GLIBC symbols found." - echo "Go build exit status: $BUILD_STATUS" - - if [ $BUILD_STATUS -ne 0 ]; then - echo "ERROR: Go build failed with status $BUILD_STATUS" - # Display more diagnostic information - echo "Go version:" - go version - echo "Go environment:" - go env - exit $BUILD_STATUS - fi - - echo "====== Listing build output ======" - ls -la /build/ - ls -la /build/dist/ - echo "====== Build process completed successfully ======" - EOF + cat > container_build_script.sh << 'EOF' + #!/bin/bash + set -x # Print each command before execution + mkdir -p /build/dist + echo "====== Environment inside container ======" + env | sort + git config --global url."https://${GITHUB_TOKEN}:@github.com/".insteadOf "https://github.com/" + + if [ -n "$ELEVATED_GITHUB_TOKEN" ]; then + echo "Configuring Git with elevated GitHub token for authentication..." 
+ git config --global url."https://${ELEVATED_GITHUB_TOKEN}:x-oauth-basic@github.com/".insteadOf "https://github.com/" + git config --global url."https://${ELEVATED_GITHUB_TOKEN}:x-oauth-basic@github.com/".insteadOf "git@github.com:" + else + echo "WARNING: ELEVATED_GITHUB_TOKEN not provided. Private repository access may fail." + exit 1 + fi + echo "Configuring Git for private repositories..." + + # Use .netrc for Git authentication - more reliable than url rewriting + cat > /tmp/.netrc << EON + machine github.com + login oauth2 + password $ELEVATED_GITHUB_TOKEN + EON + + # Set permissions and tell Git where to find it + chmod 600 /tmp/.netrc + export HOME=/tmp + + # Verify Git can access a private repository + echo "Testing Git authentication..." + git ls-remote https://github.com/hashicorp/consul-dataplane.git HEAD || { + echo "Failed to authenticate with GitHub. Check token permissions." + exit 1 + } + + # Ensure GOPRIVATE is set in the container + export GOPRIVATE=${GOPRIVATE:-github.com/hashicorp} + + # Show Go environment (excluding sensitive info) + go env | grep -v -E '(TOKEN|PASSWORD|SECRET|KEY)' + echo "========================================" + + echo "====== Starting build process ======" + echo "Go Environment: $GO_ENV" + echo "Go Tags: $GOTAGS" + echo "Gold Flags: $GOLDFLAGS" + echo "Binary will be output to: /build/$BINARY_PATH" + ls -la /build + ls -la /build/dist + # Executing the build command with detailed output + BUILD_CMD="$GO_ENV go build -v -tags=$GOTAGS -ldflags \"$GOLDFLAGS\" -o \"/build/$BINARY_PATH\" -trimpath -buildvcs=false ./cmd/$BIN_NAME" + echo "Build command: $BUILD_CMD" + + # Use eval to properly execute the command + eval "$BUILD_CMD" + BUILD_STATUS=$? + echo "======Binary exists - Checking package DL dependencies======" + readelf -sW /build/dist/consul-dataplane | grep GLIBC_ || echo "No GLIBC symbols found." 
+ echo "Go build exit status: $BUILD_STATUS" + + if [ $BUILD_STATUS -ne 0 ]; then + echo "ERROR: Go build failed with status $BUILD_STATUS" + # Display more diagnostic information + echo "Go version:" + go version + echo "Go environment:" + go env + exit $BUILD_STATUS + fi + + echo "====== Listing build output ======" + ls -la /build/ + ls -la /build/dist/ + echo "====== Build process completed successfully ======" + EOF ###### end of script file ##### From 2ff780699c2323bbc053fa86ec69035ecffab454 Mon Sep 17 00:00:00 2001 From: Mukul Anand Date: Wed, 23 Apr 2025 16:59:35 +0530 Subject: [PATCH 16/21] bin_name passing to docker fix --- .github/workflows/build.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1c80238d..8c205ff8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -115,10 +115,6 @@ jobs: reproducible: assert instructions: | cp LICENSE $TARGET_DIR/LICENSE.txt - if [[ "${{ matrix.fips }}" == "+fips1402" ]] - then - sudo apt-get update --allow-releaseinfo-change-suite --allow-releaseinfo-change-version && sudo apt-get install -y build-essential gcc-aarch64-linux-gnu - fi ${{ matrix.env }} go build -tags=${{ matrix.gotags }} -trimpath -buildvcs=false -ldflags="-X github.com/hashicorp/consul-dataplane/pkg/version.GitCommit=${GITHUB_SHA::8}" -o $BIN_PATH ./cmd/$BIN_NAME - name: Build ubuntu-focal-builder image @@ -154,7 +150,6 @@ jobs: instructions: |- mkdir -p .release/linux/package/usr/share/doc/$PKG_NAME cp LICENSE $TARGET_DIR/LICENSE.txt - #### Create a script file to run inside Docker with detailed logging #### cat > container_build_script.sh << 'EOF' 
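Review bot: The re-indented script still writes `ELEVATED_GITHUB_TOKEN` into the job log: `set -x` echoes each command after expansion, so both `git config --global url."https://${ELEVATED_GITHUB_TOKEN}:x-oauth-basic@github.com/".insteadOf …` lines print the token, and `env | sort` dumps it once more before the `go env | grep -v -E '(TOKEN|PASSWORD|SECRET|KEY)'` filter is ever applied. GitHub's log masking only catches the exact secret string and is a best-effort backstop, not something the script should rely on. Wrap the credential setup (the `git config` lines and the `.netrc` heredoc) in `set +x` … `set -x`, and filter the environment dump the same way as the Go one: `env | sort | grep -v -E '(TOKEN|PASSWORD|SECRET|KEY)'`. The first rewrite, `git config --global url."https://${GITHUB_TOKEN}:@github.com/".insteadOf "https://github.com/"`, also looks redundant: `GITHUB_TOKEN` is not among the `--env` values the `docker run` passes in, so it presumably expands to an empty `https://:@github.com/` rule that competes with the elevated-token rule for the same prefix.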
@@ -208,7 +203,7 @@ jobs: ls -la /build ls -la /build/dist # Executing the build command with detailed output - BUILD_CMD="$GO_ENV go build -v -tags=$GOTAGS -ldflags \"$GOLDFLAGS\" -o \"/build/$BINARY_PATH\" -trimpath -buildvcs=false ./cmd/$BIN_NAME" + BUILD_CMD="$GO_ENV go build -v -tags=$GOTAGS -ldflags \"$GOLDFLAGS\" -o \"/build/$BINARY_PATH\" -trimpath -buildvcs=false ./cmd/$BINARY_NAME" echo "Build command: $BUILD_CMD" # Use eval to properly execute the command @@ -254,6 +249,7 @@ jobs: --env PKG_NAME=${{env.PKG_NAME}} \ --env GOPRIVATE="github.com/hashicorp" \ --env ELEVATED_GITHUB_TOKEN=${{ secrets.ELEVATED_GITHUB_TOKEN }} \ + --env BINARY_NAME=$BIN_NAME \ -v "$(pwd)":/build \ -w /build \ localhost:5000/ubuntu-focal-builder:${{ github.sha }} \ From c636831015eceb8b4fa52ceeef2c6b9b7258fa9d Mon Sep 17 00:00:00 2001 From: Mukul Anand Date: Wed, 23 Apr 2025 17:06:09 +0530 Subject: [PATCH 17/21] make clean optional --- .github/workflows/build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8c205ff8..ea82f0ff 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -128,7 +128,7 @@ jobs: push: true tags: localhost:5000/ubuntu-focal-builder:${{ github.sha }} - - uses: hashicorp/actions-go-build@v1 + - uses: hashicorp/actions-go-build@make-clean-flag-optional name: Build FIPS non-windows if: ${{ matrix.goos != 'windows' && matrix.fips == '+fips1402' }} env: @@ -147,6 +147,7 @@ jobs: os: ${{ matrix.goos }} arch: ${{ matrix.goarch }} reproducible: assert + clean: false instructions: |- mkdir -p .release/linux/package/usr/share/doc/$PKG_NAME cp LICENSE $TARGET_DIR/LICENSE.txt From e44bb505ce4153a163bdeb30dde00ceabff937a7 Mon Sep 17 00:00:00 2001 From: Mukul Anand Date: Wed, 23 Apr 2025 17:49:13 +0530 Subject: [PATCH 18/21] reproducible nope setting test --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
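Review bot: The build line now compiles `./cmd/$BINARY_NAME`, but the `readelf -sW /build/dist/consul-dataplane | grep GLIBC_` check a few lines below it (outside this hunk) still hardcodes the binary name, so for any other `BINARY_NAME` the GLIBC symbol check would run against a missing file and print "No GLIBC symbols found." as if nothing were wrong. Use the path the build already writes to, `readelf -sW "/build/$BINARY_PATH" | grep GLIBC_ || echo "No GLIBC symbols found."`. In the second hunk, `--env BINARY_NAME=$BIN_NAME \` is an unquoted shell expansion; `--env BINARY_NAME="$BIN_NAME" \` keeps it from word-splitting, and it is worth confirming that `BIN_NAME` is actually exported into the `instructions` environment by the action rather than only defined for the step that follows.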
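Review bot: `uses: hashicorp/actions-go-build@make-clean-flag-optional` pins the release build action to a branch name, which is mutable: anyone who can push to that branch changes what runs in this job, and the workflow file alone no longer determines the build. The same series pins `actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4` to a full commit SHA, so pin this one the same way, `uses: hashicorp/actions-go-build@<commit-sha> # make-clean-flag-optional` (placeholder for the reviewed commit), or wait for a tagged release that includes the new `clean` input. The `Build non-FIPS` step in the following patch (`@@ -103,7 +103,7 @@`) makes the same branch-ref change and has the same issue.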
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ea82f0ff..e41cd43f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -103,7 +103,7 @@ jobs: steps: - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - - uses: hashicorp/actions-go-build@v1 + - uses: hashicorp/actions-go-build@make-clean-flag-optional name: Build non-FIPS if : ${{ matrix.fips != '+fips1402' }} with: @@ -146,7 +146,7 @@ jobs: go_version: ${{ needs.get-go-version.outputs.go-version }} os: ${{ matrix.goos }} arch: ${{ matrix.goarch }} - reproducible: assert + reproducible: nope clean: false instructions: |- mkdir -p .release/linux/package/usr/share/doc/$PKG_NAME From a6a8d764c30f9c1644e3e5b00be6cbdbdf70d852 Mon Sep 17 00:00:00 2001 From: Mukul Anand Date: Wed, 23 Apr 2025 20:18:12 +0530 Subject: [PATCH 19/21] fixing ubuntu-runner for docker build step --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e41cd43f..0f896cf1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -105,7 +105,7 @@ jobs: - uses: hashicorp/actions-go-build@make-clean-flag-optional name: Build non-FIPS - if : ${{ matrix.fips != '+fips1402' }} + if : ${{ !matrix.fips }} with: product_name: ${{ env.PKG_NAME }} product_version: ${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }} @@ -305,7 +305,7 @@ jobs: - get-go-version - get-product-version - build-linux - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 strategy: matrix: # This is the subset of architectures we build binaries for officially From fde86f1e0c5b0e7d06f13472a912f989ffea03d2 Mon Sep 17 00:00:00 2001 From: Mukul Anand Date: Wed, 23 Apr 2025 20:31:38 +0530 Subject: [PATCH 20/21] fix : CGO_ENABLED=0 for non-fips as env not set for actions-go-build --- .github/workflows/build.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
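Review bot: `reproducible: nope` switches off reproducibility verification for the FIPS build entirely, and the commit subject calls it a test, so it reads like a debugging change that should not land in the release workflow. If the rebuild comparison is currently failing, `reproducible: report` keeps the check running and its result visible in the log without failing the job, which preserves the evidence while the cause is investigated; otherwise restore `reproducible: assert` before merging. If a non-reproducible FIPS artifact is the intended outcome for now, a comment above the key stating why and which issue tracks it would stop the next reader from treating it as an accident.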
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0f896cf1..154c9211 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -105,7 +105,11 @@ jobs: - uses: hashicorp/actions-go-build@make-clean-flag-optional name: Build non-FIPS - if : ${{ !matrix.fips }} + if : ${{!matrix.fips }} + env: + PRODUCT_VERSION: ${{ needs.get-product-version.outputs.product-version }} + CGO_ENABLED: "0" + GOLDFLAGS: "${{needs.get-product-version.outputs.shared-ldflags}}" with: product_name: ${{ env.PKG_NAME }} product_version: ${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }} From 0b8d96624e983ad6d66f43a8b6ad1d5d70d22341 Mon Sep 17 00:00:00 2001 From: "nitin.sachdev" Date: Thu, 24 Apr 2025 12:36:16 +0530 Subject: [PATCH 21/21] chore: update CODEOWNERS to include consul-selfmanage-maintainers for release configuration --- .github/CODEOWNERS | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 306bb7c8..ed637010 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,5 +1,5 @@ * @hashicorp/consul-selfmanage-maintainers # release configuration -/.release/ @hashicorp/team-selfmanaged-releng -/.github/workflows/build.yml @hashicorp/team-selfmanaged-releng +/.release/ @hashicorp/team-selfmanaged-releng @hashicorp/consul-selfmanage-maintainers +/.github/workflows/build.yml @hashicorp/team-selfmanaged-releng @hashicorp/consul-selfmanage-maintainers
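Review bot: The new step-level `env:` sets `CGO_ENABLED: "0"` for the non-FIPS build, but the instructions for this step (visible in an earlier patch of the series) still prefix the compile with `${{ matrix.env }} go build …`; if `matrix.env` also carries a `CGO_ENABLED=` assignment, that inline value wins for the `go build` command and the step env only affects the action's own invocations, so it is worth confirming which setting is meant to be authoritative. A one-line comment above the key would also help, along the lines of `# non-FIPS builds are pure Go: keep cgo off so no C cross toolchain is needed` — the reason is inferred from the cross-toolchain install removed earlier in the series, so please confirm it before wording it as fact. `if : ${{!matrix.fips }}` additionally drops the space after `${{` that every other expression in the file keeps, a gratuitous diff that is easy to revert.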