build(deps): bump github.com/hashicorp/consul-template from 0.25.2 to 0.28.0

[dependabot]

Bumps github.com/hashicorp/consul-template from 0.25.2 to 0.28.0.

Changelog

Sourced from github.com/hashicorp/consul-template's changelog.

v0.28.0 (Mar 04, 2022)

BUG FIXES:

• Fix issue returning typed nil pointers in template functions [GH-1535, GH-1418]
• Support secret write queries w/ an empty write [GH-1532, GH-1453]

IMPROVEMENTS:

• Add sprig library [GH-1312]
• Add option to make template errors non-fatal [GH-1420, GH-1419, GH-1289]
• Support for accepting a custom logger for a child process [GH-1515]
• Add support for providing Consul ACL Token via a file [GH-1516, GH-1429]
• Allow setting user/group ownership of template output [GH-1531, GH-1497, GH-639]
• Logging to file [GH-1534, GH-1416]]
• Support command/exec lists [GH-1543, GH-1518]

v0.27.2 (Nov 05, 2021)

BUG FIXES:

• Syslog doesn't work after upgrade to 0.27 [GH-1523, GH-1529]

v0.27.1 (Sep 22, 2021)

IMPROVEMENTS:

• Updated command execution on *nix systems to call the command directly, without the sh -c wrapping shell command, only in cases where the command is a single word (no spaces). This allows docker to run in environments (like a minimal docker image) where there is no shell (sh). Multi-word commands will continue to use the wrapping shell call. [GH-1509, GH-1508]

SECURITY:

• Updated golang.or/x/crypto dependency for CVE-2020-29652. [GH-1507]

v0.27.0 (Aug 16, 2021)

BREAKING CHANGES:

• All command execution calls are now made (on *nix systems) using a shell command call ('/bin/sh -c ...') with process group set to ensure all signals are propagated to the called commands. This was done to eliminate the need for parsing the shell command as it was a continual source of bugs. Windows systems currently only support single command calls because of no (known) 'sh -c' equivalent on Windows. [GH-1496, GH-1494]

IMPROVEMENTS:

• New Docker Image. Similar to old Alpine image but modernized and simplified [GH-1481, GH-1484]
• New, more obvious, log level environment variable [GH-1383]
• New 'writeToFile' template function [GH-1495, GH-1077]
• New mergeMap and mergeMapWithOverride template functions [GH-1500, GH-1499].

BUG FIXES:

• Ignore SIGURG signals by default [GH-1486, GH-1487]

... (truncated)

Commits

• ae2bbca Release v0.28.0
• 1dd876f changelog and version updates for 0.28.0
• be5fcd8 support command lists
• 14a926e Allow the child to be provided a custom logger.
• 2bf43d8 made timing based tests a bit more lenient
• f9dd3bb Merge branch 'phemmer-template-error-fatal'
• 1f3d98f Merge branch 'template-error-fatal' of github.com:phemmer/consul-template int...
• 3ea7d99 bumping consul/vault version for CI
• d874405 Merge pull request #1531 from deblasis/template_output_pragmatic_chown
• fc22b48 Merge pull request #1516 from lawliet89/http-token-file
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[schmichael]

We need to ensure that the new writeToFile function honors the sandbox_path before merging this.

[angrycub]

Unassigned myself. Not sure why dependabot threw me under that bus.

[schmichael]

consul-template 0.28.0 does not appear to honor SandboxPath, so we can't merge it as-is.

Even more worrying is that the function chowns and chmods which seems ripe for a setuid-style attack. Luckily it appears the mode is masked which prevents that.

My inclination is to disable writeToFile by default via our client.template.function_denylist configuration parameter until a user comes forward with a compelling use case. Using multiple template stanzas seems like a more idiomatic approach to this functionality in Nomad and doesn't create any new security issues.

[ip-sf]

until a user comes forward with a compelling use case.

I could perhaps offer one:

When trying to deploy a MongoDB Cluster via Nomad, the replica key that mongodb uses (PSK Symmetrical) has to have a UID/GID that is accessible by the Mongo user AND be set to perms: X00. Because of how all the internals work, the created template file is not accessible by mongo with default UID/GID and file RWX permissions.

Being able to simply add UID/GID would overcome this blocker:

template { 
  destination   = "local/mongo_replica.key"
  perms         = "600"
  uid           = 999
  gid           = 999
  change_mode   = "signal"
  change_signal = "SIGHUP"
  data          = <<-EOF
    ---
    - "SomeDummyKey"
  EOF
}

When setting perms: 640, the following error prevents mongod from starting
{"t":{"$date":"2022-03-28T19:42:03.879+00:00"},"s":"I", "c":"ACCESS", "id":20254, "ctx":"thread1","msg":"Read security file failed","attr":{"error":{"code":30,"codeName":"InvalidPath","errmsg":"permissions on /etc/mongo_replica.key are too open"}}}

setting to perms: 600:
{"t":{"$date":"2022-03-28T19:37:26.129+00:00"},"s":"I", "c":"ACCESS", "id":20254, "ctx":"main","msg":"Read security file failed","attr":{"error":{"code":30,"codeName":"InvalidPath","errmsg":"error opening file: /etc/mongo_replica.key: bad file"}}}

Which is counter-intuitive on the surface. Mongod is telling us that 'I can't read the file' because it's using the user mongod, but the file created is owned by root.

[schmichael]

@ip-sf Thanks for sharing your use case! Setting the owner and permissions of rendered templates is covered by #5020. writeToFile would be another way to accomplish this, but we will not be enabling it for Nomad 1.3. See #12095 (comment) for details on writeToFile if you're curious.

We do peek at reaction emoji, so please vote on whatever issues are a priority for you.

[schmichael]

Closing in favor of #12312 which disables writeToFile by default. See #12095 for details.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

[ip-sf]

@schmichael Thank you for the quick response and info!

I understand the reasoning for the actions being taken.

A question: If I am understanding this comment correctly:

See #12095 (comment) for details on writeToFile if you're curious.

I assume this is saying: We (royal) will disable this by default for , but if someone was so inclined they could set their own denylist and override the default, effectively re-enabling it and accepting any potential security implications?

If my understanding is correct, then thank you and that should serve as an appropriate workaround for my use case.

In any event, thank you personally for all you have done for the community!

[3nprob]

@ip-sf Sounds about right. It can be overridden here: https://www.nomadproject.io/docs/configuration/client#function_denylist=

[schmichael]

We (royal) will disable this

Ha, yes, I suppose I can just say I 😅

if someone was so inclined they could set their own denylist and override the default, effectively re-enabling it and accepting any potential security implications

Yes, @3nprob is right. I want to make Nomad secure-by-default but configurable.

[github-actions]

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.