Commit graph

7 commits

Author SHA1 Message Date
Michael Zalimeni 57265a06f0
Backport of [NET-6138] security: Bump google.golang.org/grpc to 1.56.3 (CVE-2023-44487) to release/1.16.x (#19420)
Bump google.golang.org/grpc to 1.56.3

This resolves [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487).

Co-authored-by: Chris Thain <chris.m.thain@gmail.com>
2023-10-30 08:58:11 -04:00
hc-github-team-consul-core adefe8d16a
Backport of [NET-5944] security: Update Go version to 1.20.10 and x/net to 0.17.0 into release/1.16.x (#19234)
* backport of commit d7d9de95642a625307fecc8cff29bda1c22fa983

* backport of commit 0794b1ce74d37623d50f5e52cb289a48e8558d18

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
2023-10-17 00:12:24 +00:00
hc-github-team-consul-core d1a52f31a2
Backport of [NET-5146] security: Update Go version to 1.20.7 and x/net to 0.13.0 into release/1.16.x (#18363)
backport of commit 905e371607112dc00c55cae53c907b989a651f61

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
2023-08-02 18:36:08 +00:00
hc-github-team-consul-core 7aef7ebc42
Backport of [NET-4865] Bump golang.org/x/net to 0.12.0 into release/1.16.x (#18189)
Bump golang.org/x/net to 0.12.0

While not necessary to directly address CVE-2023-29406 (which should be
handled by using a patched version of Go when building), an
accompanying change to HTTP/2 error handling does impact agent code.

See https://go-review.googlesource.com/c/net/+/506995 for the HTTP/2
change.

Bump this dependency across our submodules as well for the sake of
potential indirect consumers of `x/net/http`.

Manual backport of 84cbf09185ebfc59f9fcf486d1c4983ef129bf95.
2023-07-19 12:22:18 -04:00
Matt Keeler e909289454
Various bits of cleanup detected when using Go Workspaces (#17462)
TLDR with many modules the versions included in each diverged quite a bit. Attempting to use Go Workspaces produces a bunch of errors.

This commit:

1. Fixes envoy-library-references.sh to work again
2. Ensures we are pulling in go-control-plane@v0.11.0 everywhere (previously it was at that version in some modules and others were much older)
3. Remove one usage of golang/protobuf that caused us to have a direct dependency on it.
4. Remove deprecated usage of the Endpoint field in the grpc resolver.Target struct. The current version of grpc (v1.55.0) has removed that field and recommended replacement with URL.Opaque and calls to the Endpoint() func when needing to consume the previous field.
4. `go work init <all the paths to go.mod files>` && `go work sync`. This syncrhonized versions of dependencies from the main workspace/root module to all submodules
5. Updated .gitignore to ignore the go.work and go.work.sum files. This seems to be standard practice at the moment.
6. Update doc comments in protoc-gen-consul-rate-limit to be go fmt compatible
7. Upgraded makefile infra to perform linting, testing and go mod tidy on all modules in a flexible manner.
8. Updated linter rules to prevent usage of golang/protobuf
9. Updated a leader peering test to account for an extra colon in a grpc error message.
2023-06-05 16:08:39 -04:00
Matt Keeler 554f1e6fee
Protobuf Modernization (#15949)
* Protobuf Modernization

Remove direct usage of golang/protobuf in favor of google.golang.org/protobuf

Marshallers (protobuf and json) needed some changes to account for different APIs.

Moved to using the google.golang.org/protobuf/types/known/* for the well known types including replacing some custom Struct manipulation with whats available in the structpb well known type package.

This also updates our devtools script to install protoc-gen-go from the right location so that files it generates conform to the correct interfaces.

* Fix go-mod-tidy make target to work on all modules
2023-01-11 09:39:10 -05:00
Daniel Upton 3664ac54a5 Make proto-public a Go module
Our original intention was for projects to consume and generate their
own Go code for these protobuf packages using Buf. While this is still
the best route for many projects, it causes some headaches when using
a library (e.g. consul-server-connection-manager) that pulls in the
same protobuf package as your project, as Go's protobuf implementation
only allows for a package/namespace to be registered once.

In such cases, projects can depend on this Go module instead, as a
single place where these protobuf packages are registered.
2022-09-06 19:30:17 +01:00