Upgrade Node.js to 24 and update dependencies (#604)

* chore: upgrade Node.js to 24 and update dependencies

- Upgrade Node.js from 20 to 24.15.0 across all CI jobs and workflows
- Run npm audit fix to resolve CVEs in dependencies
- Generate TLS certs dynamically via scripts/gen-tls-certs.sh instead of using static certs
- Add Makefile targets for running each integration test suite locally

* add GOPATH/bin to PATH before running gen-tls-certs.sh

* Add changelog entry

* refactor makefile

* Refine e2e-enterprise pipeline and scripts

scripts/.functions

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2019, 2025
+# SPDX-License-Identifier: MIT
+
+# Adapted from: https://github.com/hashicorp/vault-secrets-operator/blob/main/hack/.functions
+
+# getGH downloads files from GitHub with optional authentication
+# Usage: getGH <url> [dest_file] [num_retries]
+function getGH() {
+  local url="$1"
+  local dest="$2"
+  local num_retries="${3:-${GH_GET_RETRIES}}"
+
+  headers=(
+      '--header' "Accept: application/vnd.github+json"
+      '--header' "X-GitHub-Api-Version: 2022-11-28"
+  )
+  if [ -n "${GITHUB_TOKEN}" ]; then
+      headers+=(
+          '--header' "Authorization: Bearer ${GITHUB_TOKEN}"
+      )
+  fi
+  cmd=curl
+  opts=('-sfSL')
+  echo "Fetching ${url}"
+  if [ -z "${dest}" ]; then
+    opts+=('-O')
+  else
+    opts+=('-o' "${dest}")
+  fi
+  if [ -n "${num_retries}" ]; then
+    opts+=('--retry' "${num_retries}")
+  fi
+  ${cmd} "${opts[@]}" "${headers[@]}" "${url}"
+}

scripts/gen-tls-certs.sh

@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+# Copyright IBM Corp. 2019, 2025
+# SPDX-License-Identifier: MIT
+#
+# Generates a PKI chain (CA, server cert, client cert) using cfssl.
+# Outputs certs to .build/certs/ and writes .build/e2e-tls.env for local
+# act usage (act --env-file .build/e2e-tls.env).
+#
+# Usage: ./scripts/gen-tls-certs.sh
+# Requires: cfssl, cfssljson  (brew install cfssl)
+
+set -euo pipefail
+
+pushd "$(git rev-parse --show-toplevel || echo .)" > /dev/null
+
+OUTDIR=".build/certs"
+ENVFILE=".build/e2e-tls.env"
+
+if ! command -v cfssl &>/dev/null || ! command -v cfssljson &>/dev/null; then
+    echo "error: cfssl and cfssljson are required." >&2
+    popd > /dev/null
+    exit 1
+fi
+
+mkdir -p "$OUTDIR"
+pushd "$OUTDIR" > /dev/null
+
+# ── cfssl signing config ──────────────────────────────────────────────────────
+cat > cfssl-config.json <<'EOF'
+{
+  "signing": {
+    "default": { "expiry": "8760h" },
+    "profiles": {
+      "server": {
+        "usages": ["signing", "key encipherment", "server auth"],
+        "expiry": "8760h"
+      },
+      "client": {
+        "usages": ["signing", "key encipherment", "client auth"],
+        "expiry": "8760h"
+      }
+    }
+  }
+}
+EOF
+
+# ── CA ────────────────────────────────────────────────────────────────────────
+echo "Generating CA..."
+cfssl gencert -initca - <<'EOF' | cfssljson -bare ca
+{
+  "CN": "Vault Test CA",
+  "key": { "algo": "rsa", "size": 2048 },
+  "ca": { "expiry": "87600h" }
+}
+EOF
+
+# ── Server cert ───────────────────────────────────────────────────────────────
+echo "Generating server certificate..."
+cfssl gencert \
+    -ca=ca.pem \
+    -ca-key=ca-key.pem \
+    -config=cfssl-config.json \
+    -profile=server - <<'EOF' | cfssljson -bare server
+{
+  "CN": "vault-tls",
+  "hosts": ["localhost", "127.0.0.1", "vault-tls"],
+  "key": { "algo": "rsa", "size": 2048 }
+}
+EOF
+
+# ── Client cert ───────────────────────────────────────────────────────────────
+echo "Generating client certificate..."
+cfssl gencert \
+    -ca=ca.pem \
+    -ca-key=ca-key.pem \
+    -config=cfssl-config.json \
+    -profile=client - <<'EOF' | cfssljson -bare client
+{
+  "CN": "vault-client",
+  "key": { "algo": "rsa", "size": 2048 }
+}
+EOF
+
+# ── Rename to names expected by vault config ──────────────────────────────────
+mv ca.pem ca.crt
+mv server.pem server.crt
+mv server-key.pem server.key
+mv client.pem client.crt
+mv client-key.pem client.key
+
+# ── Remove intermediates not needed at runtime ────────────────────────────────
+rm -f ca.csr server.csr client.csr ca-key.pem cfssl-config.json
+
+# Ensure files are readable by the vault container user
+chmod 644 ./*.crt ./*.key
+
+popd > /dev/null
+
+# ── Copy vault server config ──────────────────────────────────────────────────
+cp "integrationTests/e2e-tls/configs/config.hcl" "$OUTDIR/config.hcl"
+
+# ── Write env file for local act usage ───────────────────────────────────────
+{
+    printf 'VAULTCA=%s\n'          "$(base64 < "$OUTDIR/ca.crt"     | tr -d '\n')"
+    printf 'VAULT_CLIENT_CERT=%s\n' "$(base64 < "$OUTDIR/client.crt" | tr -d '\n')"
+    printf 'VAULT_CLIENT_KEY=%s\n'  "$(base64 < "$OUTDIR/client.key" | tr -d '\n')"
+} > "$ENVFILE"
+
+echo "Certs generated in $OUTDIR"
+echo "Env file written to $ENVFILE"
+
+popd > /dev/null