build(deps): bump github.com/hashicorp/nomad from 1.8.0 to 1.8.3

[dependabot]

Bumps github.com/hashicorp/nomad from 1.8.0 to 1.8.3.

Release notes

Sourced from github.com/hashicorp/nomad's releases.

v1.8.3

1.8.3 (August 13, 2024)

SECURITY:

• security: Fix symlink escape during unarchiving by removing existing paths within the same allocdir. Compromising the Nomad client agent at the source allocation first is a prerequisite for leveraging this issue. [GH-23738]

IMPROVEMENTS:

• acl: Submitting a policy with a leading / in a variable path will now return an error to prevent improperly working policies. [GH-23757]
• cli: Added option to return original HCL in job inspect command [GH-23699]
• cli: Added support for updating the roles for an ACL token [GH-18532]
• cli: acl token create will now emit a warning if the token has a policy that does not yet exist [GH-16437]
• keyring: Added support for encrypting the keyring via Vault transit or external KMS [GH-23580]
• keyring: Added support for prepublishing keys [GH-23577]
• metrics: Added client.tasks metrics to track task states [GH-23773]
• resources: Added resources.secrets field to configure size of secrets directory on Linux [GH-23696]
• tls: Allow setting the tls_min_version field to "tls13" [GH-23713]
• ui: added a Pack badge to the jobs index page for jobs run via Nomad Pack [GH-23404]

BUG FIXES:

• api: Fixed a bug where an api.Config targeting a unix domain socket could not be reused between clients [GH-23785]
• cni: .conf and .json config files are now parsed properly [GH-23629]
• cni: network.cni jobspec updates now replace allocs to apply the new network config [GH-23764]
• docker: Fixed a bug where plugin SELinux labels would conflict with read-only volume options [GH-23750]
• identity: Fixed a bug where a missing default task identity could panic the leader [GH-23763]
• keyring: Fixed a bug where keys could be garbage collected before workload identities expire [GH-23577]
• keyring: Fixed a bug where keys would never exit the "rekeying" state after a rotation with the -full flag [GH-23577]
• keyring: Fixed a bug where periodic key rotation would not occur [GH-23577]
• networking: The same static port can now be used more than once on host networks with multiple IPs [GH-23693]
• scaling: Fixed a bug where state store corruption could occur when writing scaling events [GH-23673]
• template: Fixed a bug where change_mode = "script" would not execute after a client restart [GH-23663]
• ui: Fixed storage/plugin 404s by unescaping a slash character in the request URL [GH-23625]
• windows: Fix bug with containers capabilities on Docker CE [GH-23599]

v1.8.2

1.8.2 (July 16, 2024)

BREAKING CHANGES:

• docker: default to hyper-v isolation mode on Windows [GH-23452]

SECURITY:

• build: Updated Go to 1.22.5 to address CVE-2024-24791 [GH-23498]
• migration: Added a check for relative paths escaping the allocation directory when unpacking archive during migration, to harden clients against compromised peer clients sending malicious archives [GH-23319]
• security: Removed insecure TLS cipher suites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA25 and TLS_RSA_WITH_AES_128_CBC_SHA256. [GH-23551]

IMPROVEMENTS:

... (truncated)

Changelog

Sourced from github.com/hashicorp/nomad's changelog.

1.8.3 (August 13, 2024)

SECURITY:

• security: Fix symlink escape during unarchiving by removing existing paths within the same allocdir. Compromising the Nomad client agent at the source allocation first is a prerequisite for leveraging this issue. [GH-23738]

IMPROVEMENTS:

• acl: Submitting a policy with a leading / in a variable path will now return an error to prevent improperly working policies. [GH-23757]
• cli: Added option to return original HCL in job inspect command [GH-23699]
• cli: Added support for updating the roles for an ACL token [GH-18532]
• cli: acl token create will now emit a warning if the token has a policy that does not yet exist [GH-16437]
• keyring: Added support for encrypting the keyring via Vault transit or external KMS [GH-23580]
• keyring: Added support for prepublishing keys [GH-23577]
• metrics: Added client.tasks metrics to track task states [GH-23773]
• resources: Added resources.secrets field to configure size of secrets directory on Linux [GH-23696]
• tls: Allow setting the tls_min_version field to "tls13" [GH-23713]
• ui: added a Pack badge to the jobs index page for jobs run via Nomad Pack [GH-23404]

BUG FIXES:

• api: Fixed a bug where an api.Config targeting a unix domain socket could not be reused between clients [GH-23785]
• cni: .conf and .json config files are now parsed properly [GH-23629]
• cni: network.cni jobspec updates now replace allocs to apply the new network config [GH-23764]
• docker: Fixed a bug where plugin SELinux labels would conflict with read-only volume options [GH-23750]
• identity: Fixed a bug where a missing default task identity could panic the leader [GH-23763]
• keyring: Fixed a bug where keys could be garbage collected before workload identities expire [GH-23577]
• keyring: Fixed a bug where keys would never exit the "rekeying" state after a rotation with the -full flag [GH-23577]
• keyring: Fixed a bug where periodic key rotation would not occur [GH-23577]
• networking: The same static port can now be used more than once on host networks with multiple IPs [GH-23693]
• scaling: Fixed a bug where state store corruption could occur when writing scaling events [GH-23673]
• template: Fixed a bug where change_mode = "script" would not execute after a client restart [GH-23663]
• ui: Fixed storage/plugin 404s by unescaping a slash character in the request URL [GH-23625]
• windows: Fix bug with containers capabilities on Docker CE [GH-23599]

1.8.2 (July 16, 2024)

BREAKING CHANGES:

• docker: default to hyper-v isolation mode on Windows [GH-23452]

SECURITY:

• build: Updated Go to 1.22.5 to address CVE-2024-24791 [GH-23498]
• migration: Added a check for relative paths escaping the allocation directory when unpacking archive during migration, to harden clients against compromised peer clients sending malicious archives [GH-23319]
• security: Removed insecure TLS cipher suites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA25 and TLS_RSA_WITH_AES_128_CBC_SHA256. [GH-23551]

IMPROVEMENTS:

• client: add a preferred_address_family config to prefer ipv4 or ipv6 when deducing IP from network interface [GH-23389]

... (truncated)

Commits

• 63b636e Generate files for 1.8.3 release
• 09b2447 Backport of api: only set url field in config if previously unset into releas...
• 9b67836 Backport of metrics: add client.tasks state metrics into release/1.8.x (#23781)
• cb748f9 Backport of testing: fix skip comment on RequireWindows helper into release/1...
• 8c9134f Backport of login.mdx: Illustrate how to use the obtained token into release/...
• 2d4d0fd Backport of Add role update functionality to acl token update into release/1....
• e58650e Backport of feat: show warning if policy doesn't exist into release/1.8.x (#2...
• 103b624 Backport of docker: fix delimiter for selinux label for read-only volumes int...
• f5d0a06 Backport of identity: prevent missing task identity from panicking server int...
• 2ad57d9 backport of commit d131c41943cd8d2560ad044ad75981d2a0501457 (#23765)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.