upgrading envoy to 1.33.2 and fixing CVEs

.changelog/719.txt

@@ -0,0 +1,5 @@
+```release-note:security
+Upgraded `x/net` to 0.38.0. This resolves [GO-2025-3595](https://pkg.go.dev/vuln/GO-2025-3595)
+Upgraded `envoy` to 1.33.2
+Upgraded `Go` to 1.23.8
+```

.github/CODEOWNERS

@@ -1,5 +1,5 @@
 * @hashicorp/consul-selfmanage-maintainers
 
 # release configuration
-/.release/                              @hashicorp/team-selfmanaged-releng
-/.github/workflows/build.yml            @hashicorp/team-selfmanaged-releng
+/.release/                              @hashicorp/team-selfmanaged-releng @hashicorp/consul-selfmanage-maintainers
+/.github/workflows/build.yml            @hashicorp/team-selfmanaged-releng @hashicorp/consul-selfmanage-maintainers

.github/containers/ubuntu/Dockerfile

@@ -0,0 +1,27 @@
+FROM ubuntu:focal
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+ARG GO_VERSION
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ bash \
+ build-essential \
+ ca-certificates \
+ crossbuild-essential-arm64 \
+ curl \
+ libc-bin \
+ binutils \
+ gcc-aarch64-linux-gnu \
+ git \
+ xz-utils \
+ zip
+
+# Get Go and get Going ;)
+RUN curl -L https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz | tar -C /opt -zxv
+
+ENV PATH="/root/go/bin:/opt/go/bin:$PATH"
+
+RUN git config --global --add safe.directory /build
+
+WORKDIR /build

.github/workflows/build.yml

@@ -39,14 +39,21 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       product-version: ${{ steps.get-product-version.outputs.product-version }}
+      shared-ldflags: ${{ steps.shared-ldflags.outputs.shared-ldflags }}
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: get product version
         id: get-product-version
         run: |
           make version
           echo "product-version=$(make version)" >> $GITHUB_OUTPUT
-
+      - name: Set shared -ldflags
+        id: shared-ldflags
+        run: |
+          T="github.com/hashicorp/consul-dataplane/pkg/version"
+          echo "shared-ldflags=-X ${T}.GitCommit=${GITHUB_SHA::8} \
+          -X ${T}.GitDescribe=${{ steps.get-product-version.outputs.product-version }} \
+          " >> "$GITHUB_OUTPUT"
   generate-metadata-file:
     needs: get-product-version
     runs-on: ubuntu-latest
@@ -71,7 +78,12 @@ jobs:
     needs:
       - get-go-version
       - get-product-version
-    runs-on: ubuntu-20.04 # the GLIBC is too high on 22.04
+    runs-on: ubuntu-22.04 # the GLIBC is too high on 22.04
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
     strategy:
       matrix:
         include:
@@ -91,7 +103,13 @@ jobs:
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 
-      - uses: hashicorp/actions-go-build@v1
+      - uses: hashicorp/actions-go-build@make-clean-flag-optional
+        name: Build non-FIPS
+        if : ${{!matrix.fips }}
+        env:
+          PRODUCT_VERSION: ${{ needs.get-product-version.outputs.product-version }}
+          CGO_ENABLED: "0"
+          GOLDFLAGS: "${{needs.get-product-version.outputs.shared-ldflags}}"
         with:
           product_name: ${{ env.PKG_NAME }}
           product_version: ${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}
@@ -101,12 +119,148 @@ jobs:
           reproducible: assert
           instructions: |
             cp LICENSE $TARGET_DIR/LICENSE.txt
-            if [[ "${{ matrix.fips }}" == "+fips1402" ]]
-            then
-              sudo apt-get update --allow-releaseinfo-change-suite --allow-releaseinfo-change-version && sudo apt-get install -y build-essential gcc-aarch64-linux-gnu
-            fi
             ${{ matrix.env }} go build -tags=${{ matrix.gotags }} -trimpath -buildvcs=false -ldflags="-X github.com/hashicorp/consul-dataplane/pkg/version.GitCommit=${GITHUB_SHA::8}" -o $BIN_PATH ./cmd/$BIN_NAME
 
+      - name: Build ubuntu-focal-builder image
+        if: ${{ matrix.goos != 'windows' && matrix.fips == '+fips1402' }}
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
+        with:
+          platforms: linux/amd64 # we only ever build amd64 images because we always run on amd64 runners and cross-compile inside the container if needed
+          context: .github/containers/ubuntu/
+          build-args: |
+            GO_VERSION=${{ needs.get-go-version.outputs.go-version }}
+          push: true
+          tags: localhost:5000/ubuntu-focal-builder:${{ github.sha }}
+
+      - uses: hashicorp/actions-go-build@make-clean-flag-optional
+        name: Build FIPS non-windows
+        if: ${{ matrix.goos != 'windows' && matrix.fips == '+fips1402' }}
+        env:
+          PRODUCT_VERSION: ${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}
+          GO_ENV: "${{ matrix.env }}"
+          GO_VERSION: ${{ needs.get-go-version.outputs.go-version }}
+          GOLDFLAGS: "${{needs.get-product-version.outputs.shared-ldflags}}"
+          BINARY_PATH: "dist/${{ env.PKG_NAME }}"
+          GOOS: ${{ matrix.goos }}
+          GOARCH: ${{ matrix.goarch }}
+          GOTAGS: ${{ matrix.gotags }}
+        with:
+          product_name: ${{ env.PKG_NAME }}
+          product_version: ${{ needs.get-product-version.outputs.product-version }}${{ matrix.fips }}
+          go_version: ${{ needs.get-go-version.outputs.go-version }}
+          os: ${{ matrix.goos }}
+          arch: ${{ matrix.goarch }}
+          reproducible: nope
+          clean: false
+          instructions: |-
+            mkdir -p .release/linux/package/usr/share/doc/$PKG_NAME
+            cp LICENSE $TARGET_DIR/LICENSE.txt
+            #### Create a script file to run inside Docker with detailed logging ####
+
+            cat > container_build_script.sh << 'EOF'
+            #!/bin/bash
+            set -x  # Print each command before execution
+            mkdir -p /build/dist
+            echo "====== Environment inside container ======"
+            env | sort
+            git config --global url."https://${GITHUB_TOKEN}:@github.com/".insteadOf "https://github.com/"
+
+            if [ -n "$ELEVATED_GITHUB_TOKEN" ]; then
+              echo "Configuring Git with elevated GitHub token for authentication..."
+              git config --global url."https://${ELEVATED_GITHUB_TOKEN}:[email protected]/".insteadOf "https://github.com/"
+              git config --global url."https://${ELEVATED_GITHUB_TOKEN}:[email protected]/".insteadOf "[email protected]:"
+            else
+              echo "WARNING: ELEVATED_GITHUB_TOKEN not provided. Private repository access may fail."
+              exit 1
+            fi
+             echo "Configuring Git for private repositories..."
+
+            # Use .netrc for Git authentication - more reliable than url rewriting
+            cat > /tmp/.netrc << EON
+              machine github.com
+              login oauth2
+              password $ELEVATED_GITHUB_TOKEN
+            EON
+
+            # Set permissions and tell Git where to find it
+            chmod 600 /tmp/.netrc
+            export HOME=/tmp
+
+            # Verify Git can access a private repository
+            echo "Testing Git authentication..."
+            git ls-remote https://github.com/hashicorp/consul-dataplane.git HEAD || {
+              echo "Failed to authenticate with GitHub. Check token permissions."
+              exit 1
+            }
+
+            # Ensure GOPRIVATE is set in the container
+            export GOPRIVATE=${GOPRIVATE:-github.com/hashicorp}
+
+            # Show Go environment (excluding sensitive info)
+            go env | grep -v -E '(TOKEN|PASSWORD|SECRET|KEY)'
+            echo "========================================"
+
+            echo "====== Starting build process ======"
+            echo "Go Environment: $GO_ENV"
+            echo "Go Tags: $GOTAGS"
+            echo "Gold Flags: $GOLDFLAGS"
+            echo "Binary will be output to: /build/$BINARY_PATH"
+            ls -la /build
+            ls -la /build/dist
+            # Executing the build command with detailed output
+            BUILD_CMD="$GO_ENV go build -v -tags=$GOTAGS -ldflags \"$GOLDFLAGS\"  -o \"/build/$BINARY_PATH\" -trimpath -buildvcs=false ./cmd/$BINARY_NAME"
+            echo "Build command: $BUILD_CMD"
+
+            # Use eval to properly execute the command
+            eval "$BUILD_CMD"
+            BUILD_STATUS=$?
+            echo "======Binary exists - Checking package DL dependencies======"
+            readelf -sW /build/dist/consul-dataplane | grep GLIBC_ || echo "No GLIBC symbols found."
+            echo "Go build exit status: $BUILD_STATUS"
+
+            if [ $BUILD_STATUS -ne 0 ]; then
+            echo "ERROR: Go build failed with status $BUILD_STATUS"
+            # Display more diagnostic information
+            echo "Go version:"
+            go version
+            echo "Go environment:"
+            go env
+            exit $BUILD_STATUS
+            fi
+
+            echo "====== Listing build output ======"
+            ls -la /build/
+            ls -la /build/dist/
+            echo "====== Build process completed successfully ======"
+            EOF
+            ###### end of script file #####
+
+
+            # Make the script executable
+            chmod +x container_build_script.sh
+
+            ESCAPED_GOLDFLAGS=$(echo "${{env.GOLDFLAGS}}" | sed 's/"/\\"/g')
+            echo "Running Docker container..."
+            docker run --rm \
+            --user "$(id -u):$(id -g)" \
+            --env HOME=/tmp \
+            --env PRODUCT_VERSION=${{env.PRODUCT_VERSION}} \
+            --env GOLDFLAGS="$ESCAPED_GOLDFLAGS" \
+            --env BINARY_PATH=${{env.BINARY_PATH}} \
+            --env GOOS=${{env.GOOS}} \
+            --env GOARCH=${{env.GOARCH}} \
+            --env GOTAGS=${{env.GOTAGS}} \
+            --env GO_ENV="${{env.GO_ENV}}" \
+            --env PKG_NAME=${{env.PKG_NAME}} \
+            --env GOPRIVATE="github.com/hashicorp" \
+            --env ELEVATED_GITHUB_TOKEN=${{ secrets.ELEVATED_GITHUB_TOKEN }} \
+            --env BINARY_NAME=$BIN_NAME \
+            -v "$(pwd)":/build \
+            -w /build \
+            localhost:5000/ubuntu-focal-builder:${{ github.sha }} \
+            /build/container_build_script.sh
+            ls -la ./dist
+
       - name: Copy license file
         if: ${{ matrix.goos == 'linux' }}
         env:
@@ -155,7 +309,7 @@ jobs:
       - get-go-version
       - get-product-version
       - build-linux
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     strategy:
       matrix:
         # This is the subset of architectures we build binaries for officially
@@ -178,7 +332,6 @@ jobs:
           echo "full_dev_tag=${{ env.version }}" >> $GITHUB_ENV
           echo "minor_dev_tag=$(echo ${{ env.version }}| sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')" 
           echo "minor_dev_tag=$(echo ${{ env.version }}| sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')" >> $GITHUB_ENV
-
       - name: Docker Build (Action)
         if: ${{ !matrix.fips }}
         uses: hashicorp/actions-docker-build@v2

.go-version

@@ -1 +1 @@
-1.23.6
+1.23.8

Dockerfile

@@ -11,7 +11,7 @@
 # prebuilt binaries in any other form.
 #
 ARG GOLANG_VERSION
-FROM envoyproxy/envoy-distroless:v1.33.0 as envoy-binary
+FROM envoyproxy/envoy-distroless:v1.33.2 as envoy-binary
 
 # Modify the envoy binary to be able to bind to privileged ports (< 1024).
 FROM debian:bullseye-slim AS setcap-envoy-binary
@@ -24,10 +24,11 @@ COPY --from=envoy-binary /usr/local/bin/envoy /usr/local/bin/
 COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/
 
 RUN apt-get update && apt install -y libcap2-bin
+RUN apt-get update && apt-get install -y libc6
 RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/envoy
 RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/$BIN_NAME
 
-FROM hashicorp/envoy-fips:1.33.0-fips1402 as envoy-fips-binary
+FROM hashicorp/envoy-fips:1.33.2-fips1402 as envoy-fips-binary
 
 # Modify the envoy-fips binary to be able to bind to privileged ports (< 1024).
 FROM debian:bullseye-slim AS setcap-envoy-fips-binary
@@ -40,6 +41,7 @@ COPY --from=envoy-fips-binary /usr/local/bin/envoy /usr/local/bin/
 COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /usr/local/bin/
 
 RUN apt-get update && apt install -y libcap2-bin
+RUN apt-get update && apt-get install -y libc6
 RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/envoy
 RUN setcap CAP_NET_BIND_SERVICE=+ep /usr/local/bin/$BIN_NAME
 

go.mod

@@ -1,6 +1,6 @@
 module github.com/hashicorp/consul-dataplane
 
-go 1.23.6
+go 1.23.8
 
 require (
 	dario.cat/mergo v1.0.0
@@ -40,7 +40,7 @@ require (
 	github.com/prometheus/common v0.37.0 // indirect
 	github.com/prometheus/procfs v0.8.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
-	golang.org/x/net v0.37.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230526203410-71b5a4ffd15e // indirect

go.sum

@@ -353,8 +353,8 @@ golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
-golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=

integration-tests/go.mod

@@ -1,6 +1,6 @@
 module github.com/hashicorp/consul-dataplane/integration-tests
 
-go 1.20
+go 1.23.8
 
 require (
 	github.com/docker/docker v20.10.20+incompatible
@@ -50,10 +50,10 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
-	golang.org/x/crypto v0.22.0 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
 	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 // indirect
-	golang.org/x/net v0.24.0 // indirect
-	golang.org/x/sys v0.19.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
 	golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230526203410-71b5a4ffd15e // indirect
 	google.golang.org/grpc v1.56.3 // indirect