Backport of correct prometheus port and scheme annotations if tls is enabled into release/1.0.x #2855

* fix grammar in changelog checker * add backport checker

Support automatic ACL bootstrapping with the Vault secrets backend With the Vault secrets backend, server-acl-init now: * Runs the Vault agent as a sidecar * Bootstraps ACLs if the Vault bootstrap token is empty or not found, and writes the bootstrap token back to Vault via the Vault agent The Kubernetes backend will write the bootstrap token to the user-provided secret if that secret is empty. The Vault behavior is the same. The Vault backend writes to a default secret name if the secretName and secretKey are not set in the helm chart values. server-acl-init reads the secret directly from k8s or Vault. * Remove -bootstrap-token-file flag from server-acl-init and remove the * Remove the volume/mount for bootstrap token --------- Co-authored-by: Chris Thain <32781396+cthain@users.noreply.github.com>

* update charts to point to 1.15.1 * updated consul libraries to the latest

…roller Add SNI skip for client node configuration

…`null` to increase service registration times (#2008) * Update values.yaml

Clients are not required for ingress/terminating gateways.

Website has linting that errors when links have the developer.hashicorp.com prefix.

…shicorp/consul-k8s into bug/gateway-controller-incomplete-acl

…ed the bug

[COMPLIANCE] add copyright headers to files

…lete-acl Update ACLs, add namespace.write permission

…xy-default add failover policy to service resolver and proxy default

This reverts commit 2fb7944.

* Terraform: increase node sizes * update GKE to use already created subnets * Dispatch: dispatch to consul-k8s-workflows

* Update status on PRs * Split pr and push into 2 different files so that context can be passed through

* Add a cleanup cron job

* draft of adding sameness group CRD * move sameness group tests to ent test file * update tests * fix lint issues * generate yaml and update helm charts * update field descriptions and validation and its test * remove unwanted files, add license comments back * rename samenessgroups to samenessgroup * fix resource names * update failing unit test

* Fix Sync Catalog ACL Token Environment Var Name * Update ACL variable name in tests

* add sameness group to exported services * update CRDs * update deep copy * re add license line * check if sameness group is wildcard * remove experimental tag on peering fields * update error message case * update error message case in webhook test

…figured as secrets backend (#2083) * Adjust mount based on whether Vault is enabled as secrets backend * Add changelog entry * Improve wording of changelog entry * Use Vault serverca for CONSUL_CACERT when secrets backend enabled * Add comment to Helm template explaining logic * Add unit test for CONSUL_CACERT with Vault secret path * Add unit tests for removing mounts when Vault is secrets backend

Co-authored-by: hashicorp-tsccr[bot] <hashicorp-tsccr[bot]@users.noreply.github.com>

* add sameness group to service resolver, update manifests * get the latest api and update acceptance tests * get the latest api in acceptanc tests * update validation code, remove dynamic validations, update tests * check nil pointer * go get latest api * revert acceptance changes

* add sameness group to source intention * add more test coverage * add comment on metaValueMaxLength variable * fix comment lint issue

* Add MaxEjectionPercent and BaseEjectionTime to servicedefaults * test with sister branch in consul repo * missed one * fix tag names * fix json tags and duration type * update test * generate yaml files and fix imports --------- Co-authored-by: Semir Patel <semir.patel@hashicorp.com>

* Customizing Vault Version for WanFed Test * Modified * Changed according to the review comments * Removed the commented line * Vault server version type changed to String * changed back to VaultServerVersion type * Changing "VaultServerVersion" to type "String"

* add config read command * add tests * lint * update docs * add changelog * fix linting errors * PR feedback

* Add mutualTLSMode to service-defaults and proxy-defaults * Add allowEnablingPermisiveMutualTLS to mesh config entry

* add HOST_IP to mesh-gateway

* Add support for syncing Ingress hostname to the Consul Catalog * fix changelog-checker syntax error

* Create values.yaml section for telemetry-collector * Initial telemetry-collector validation and bats test * Add nodeSelector * Add connect-init initContainer * Add consul-dataplane container * Conditionally add ca-cert volume * Include vault annotations * Prune tests to pertinent test cases * Move consul server env vars * Check ca mount for dataplane container * Check correct env var * Set default resources * Set initContainer and tolerations * Support priorityClassName * Support setting initContainer resources * Fix replicas unit test * Turn off tproxy and remove unneeded security context * Set -tls-disabled if global.tls.enabled=false * Set -ca-certs correct if tls is enabled * Set external server args * Set partition flag tests * Label bats tests, remove duplicate flags * Bats tests for service, add metricsserver port * Support annotations and imagePullSecret on serviceAccount * Create configmap for custom configuration * Add configmap to deployment * Fix test names * Remove unneeded cloud validation. fixup comment * Comment values.yaml changes * Switch from sidecar auth method to component auth method * changelog * Add PodSecurityPolicy for consul-telemetry-collector * Rename init container + add comment * Remove logLevel bats tests as it is unsupported right now * Remove auth-method special cases * Replace LOGIN_DATACENTER login with LOGIN_NAMESPACE * Remove unneeded LOGIN_DATACENTER test

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>

* update go-discove so we're not pulling in a version of tencent cloud that no longer exists * Update go discover to latest

…2170) * add helm chart values to configure global server side rate limiting * add changelog. * update server checksum for configmap * fix the other 2 checksums

* Disable DNS redirection when tproxy is disabled DNS redirection and the various settings that make that possible (like the dataplane binding to a port for DNS) is only useful if tproxy is enabled. Most of the code checked if tproxy was enabled but there was one location where we didn't check. This resulted in a bug with our multiport support where even though tproxy is disabled, we tried to setup the dataplane to proxy DNS. This meant each dataplane tried to bind to 8600 but because there are >1 dataplanes with multiport, there was a port conflict. This PR fixes the location where we didn't check if tproxy was enabled and as a result fixes the multiport issue.

@jm96441n

* Add API Gateway subcommand to Control Plane. Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Add GatewayClassConfig CRD (#2036) * Update dependencies so that CRDs can be added * Generate CRD for GatewayClassConfig * Return empty logger instead of nil due to dependency update * Update sidecar webhook to use ProbeHandler instead of Handler * Update controller sub resources to use sub resource update options * Re-add copyright header that got removed on generation * Use NewTestLogger and ProbeHandler in tests * Add api_gateway_types_test * Remove boilerplate from ctrl-generate as it is no longer required * Add app-copyright-header to Makefile * Clarify GatewayClassConfig description * Remove unneeded fields from GatewayClassConfig * Fix lint issues * Fix TestLogger in enterprise tests * Add Changelog * Fix TestLogger in enterprise test in one more place * Remove the helpers * Remove unused consts * Adds API Gateway Class Config controller * Add Hack for Generating CRDs from external sources (#2060) * Add generate-external-crds to Makefile * Add contributing docs * Add comment about Helm ignoring kustomization.yaml * Update Makefile Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com> * Update CONTRIBUTING.md Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> --------- Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com> Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Remove the api-gateway subcommand we decided not to use (#2062) * APIGW Resource Translation (#2070) * WIP: api-gateway resource conversion * convert meta for apigw from k8s * Added tests and updated config entry translation for APIGW * Fix linting issue, move translation code to correct location * Updates from PR comments * Update config entry translation to use k8s type NamedNamespace, updated tests * switch to standard import rename for consul api * Add GatewayClass Controller (#2055) * Add permissions to connect-inject clusterrole * Add gateway api crd deps * Stub out the gatewayclass controller * Add finalizer functions * Use finalizer functions * Add tests for GatewayClass Controller * Change the controller name * Only register gwv1beta1 * Run tests in parallel * Remove RBAC comments * Remove perms from resources not yet implemented * shouldUpdate -> expectedDidUpdate * Don't requeue if in use * Address PR feedback * Apply suggestions from code review Co-authored-by: Andrew Stucki <andrew.stucki@hashicorp.com> * Make gatewayClassFinalizer private * Separate out indexers * Move validation of parametersRef to a helper func * Add reason to ensureStatus * Rename GatewayClassReconciler -> GatewayClassController * Add perms to list gateways * Clean up status conditions * Clean up indexes * Set conditions properly and test them * Test incorrect parametersRef * Fix comments on indexer funcs * Fix lint issues * Set conditions without unnecessary updates * Set ObservedGeneration from parent object * Fix infinite loop issue with invalid config * Fix update issue * Return error if the GatewayClass cannot be reached --------- Co-authored-by: Andrew Stucki <andrew.stucki@hashicorp.com> * Updates GatewayClassConfig Controller to use common finalizer methods * APIGW4CONK8S: HTTP Route/TCPRoute/Secrets Translation (#2088) * Add http route translation * Added copywrite headers * Add namespace translation for service * handle potential nil pointer on section name, check if parent ref if an api gateway, fix comment from PR Review * Added TCPRoute Translation * Fix potential nil pointer deref in tcp service namespace, update tcproute tests * Add inline certs translation, clean up some potential nil pointer derefs * Clean up comments * Linting * Switch out env var usage for field on translator * rename api-gateway/consul package to api-gateway/translation * Adds stub for Gateway Controller * Use the non-deprecated logr test (#2125) * APIGW4CONK8s: Add Consul Cache (#2118) * Added basic cache functionality with most tests, todo: add get method for cache and expand tests * Updated tests for Cache.Run function, removed tests of unexported methods called by Run function * Moved translation function def to translation package, added translate apigw config entry * Add translation for consul config entries to k8s namespaced name meta * Added Get method to cache * Add watch for contoller and setup in inject command * Updated comments, renamed TranslateConsulInlineSecret method to TranslateConsulInlineCertificate * Updates from PR review * Parallelize tests * Bump consul api version * Set api timeout for cache calls * Revert "Bump consul api version" This reverts commit c074b0f. * Linting fun * Add Gatekeeper for managing gateway deployment resources (#2117) * Stub out the gatewayclass controller * Change the controller name * Only register gwv1beta1 * Address PR feedback * Adds stub of Gateway Controller * cannot understand why the indexes are not working * some updates, want to do cleanup * rebase and cleanup * Start adding deployer * Flesh out tests * Refactor into a "gatekeeper" * Integrate the gatekeeper into the gateway controller * Simplify the api * Remove the creation of helm config until later * Remove use and rename package to gatekeeper * Add labels to apigateway * Manage ServiceAccount * Manage Deployment * Add more to deployment * Update Helm Values * WIP fleshing out the gateway deployment upsert behavior * Update role and service * Fix merge conflicts * Round out tests * Add test for respecting replicas * Change the Gatekeeper New API and add comments for Upsert and Delete * implement joinResources * accept suggestions from @jm96441n * Use pointer receivers * Separate out mutator * Update deployment correctly * Update Role and ServiceAccount * Fix that silly linting error * Comments on HelmConfig * Add Image to deployment * Merge api-gateway into branch --------- Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com> * Net 3490/reference grants (#2122) * Adds reference grant validation * Adds all necessary methods and tests * lint * some cleanup, fix copypasta test errors * lint * more linting * PR updates, fix capitalization * Add a bunch of TODOs for teamwork * Split out cleanup func and clear up todos * APIGW4CONK8S: Serialize the GatewayClassConfig onto the Gateway for easier retrieval (#2126) * Add serialization of gateway class config * Parallelize tests * Remove prints, fix cache tests * Add outer managed check to ensure we don't fetch config if we don't need to * Stub out where the openshift role info will go (#2145) * APIGW4CONK8S: Function to get all refs for a gateway (#2139) * Added function to get all refs for a gateway * Use k8s objects for references rather than consul objects * Fix comment * [API Gateway] API Gateway Binding Logic (#2142) * initial commit * Add additional TODO * Add some basic lifecycle unit tests * split up implementation * Add more tests and fix some bugs * remove one parallel call in a loop * Fix binding * Add resolvedRefs statuses for routes * Fix issue with empty parent ref that k8s doesn't like * Fix up updates/status ordering * Add basic gateway status setting * Finish up first pass on gateway statuses * Re-organize and begin adding comments * More comments * More comments * More comments * More comments * More comments * Add file that wasn't saved * Add utils unit tests * Add more tests * Final tests * Fix tests * Fix up gateway annotation with binding logic * Update doc comments for linter * Add forgotten file * Fix block in tests due to buffered channel size and better handle context cancelation * Add basic acceptance tests for route binding behavior (#2161) * Configure Gateway Controller with Helm values (#2158) * Stub out the gatewayclass controller * Change the controller name * Only register gwv1beta1 * Address PR feedback * Adds stub of Gateway Controller * cannot understand why the indexes are not working * some updates, want to do cleanup * rebase and cleanup * Start adding deployer * Flesh out tests * Refactor into a "gatekeeper" * Integrate the gatekeeper into the gateway controller * Simplify the api * Remove the creation of helm config until later * Remove use and rename package to gatekeeper * Add labels to apigateway * Manage ServiceAccount * Manage Deployment * Add more to deployment * Update Helm Values * WIP fleshing out the gateway deployment upsert behavior * Update role and service * Fix merge conflicts * Round out tests * Add test for respecting replicas * Change the Gatekeeper New API and add comments for Upsert and Delete * implement joinResources * accept suggestions from @jm96441n * Use pointer receivers * Separate out mutator * Update deployment correctly * Update Role and ServiceAccount * Fix that silly linting error * Comments on HelmConfig * Add Image to deployment * Add Gateway flags to inject-connect * Pass through env vars * Add environment variables to the deployment template * Add conditional injection of environment variables * Add env vars back in * Fix up issues from merge * Test default env vars * Test all of the env vars * Fix up more issues from merge * Pass in values to HelmConfig then to Controller * Just pass config in as a struct * Add gateway-gatewayclass * Add gateway-gatewayclassconfig * Add DeploymentSpec to GatewayClassConfig * Remove deployment configuration settings from HelmConfig * Remove BATs on deployment configuration * Expand gatewayclassconfig * Set deployment replicas in test * Place GatewayClassConfig in the crds/ dir * Update control-plane/api-gateway/gatekeeper/gatekeeper_test.go Co-authored-by: Andrew Stucki <andrew.stucki@hashicorp.com> --------- Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com> Co-authored-by: Andrew Stucki <andrew.stucki@hashicorp.com> * Net 4124/handle syncing consul lifecycle events (#2173) * with type switch * latest changes * remove debugging panic * Updated error in test * Fix bug with capacity v length in the cache list and type that is being subscribed to * Fix linting issues/naming from PR review * Added tests for delete function * Plumbing for gatekeeper with snapshot * [API Gateway] Hooking up API Gateways End-to-End (#2175) * updated gatekeeper, added update call, still needs work * still has some print statements, seeing issues with updates * some linting * run ctrl-manifests and generate * get the whole gamut finally working in a minimum configuration * Fix up tests * Add some tests * Move cache package * Fix up tests after other fixes * Fix up test lifecycle * Fix up linter issues * Remove unnecessary test that panics * Add MeshService CRD * fix bats tests * bats bats bats * baaaatttss * Fix up acceptance test cleanup by introducing uninstall hook to cleanup managed GatewayClass and GatewayClassConfig resources * Add test for deletion failures due to finalizers * reorder commands --------- Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com> * Fix crd loading (#2179) * Fix CRD loading for CLI * Adds crds directory to install with consul-k8s cli * fix tests * testing * fix bats tests --------- Co-authored-by: Thomas Eckert <teckert@hashicorp.com> Co-authored-by: Andrew Stucki <andrew.stucki@hashicorp.com> * Add Changelog * Fix up issues after merge back * Fix wildcard usage on enterprise * Don't subscribe to peerings when not enabled * Remove additional changelog entries since we're only going to use 1 --------- Co-authored-by: Melisa Griffin <missylbytes@users.noreply.github.com> Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com> Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> Co-authored-by: John Maguire <john.maguire@hashicorp.com> Co-authored-by: Andrew Stucki <andrew.stucki@hashicorp.com> Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com>

Update consul image on prepare-dev and prepare-release

* Bump version of controller runtime * Use SubResourceUpdateOption * Fix test loggr * Fix ProbeHandler * Set runtime to 0.14.6 * Add Changelog * Fix up a few more breaking change issues

* Adding support for idleTimeout in Service Router spec

* add changelog

…llector is enabled (#2143) * inject envoy_telemetry_bind_socket_dir proxy config when telemetry collector is enabled * use metrics.enableTelemetryCollector value to gate controller logic * add changelog entry and unit test

…paces not to be compared. (#2194) This bug means that swapping partitions and namespaces on sources wouldn't get reflected in Consul.

* Add CRD for jwt-provider config entry * Pin consul/api to versions containing the jwt-provider config entry * Update Makefile to use v0.10.0 of sigs.k8s.io/controller-tools/cmd/controller-gen

* Initial scaffolding * Fix up some infinite reconciliation issues and initial other bugs * overhaul * get basic e2e working again * Add resource ref validation * Fix up namespace/reference grants * fix binding * clean up logging * cleanup * Get some binder unit tests working again * log guard * Fix unit test * Fix up more binder tests * get more binder tests working * finish binder tests * fix setter test * light touches and un-bak passing tests * Remove controller test as the wiring of deployments is predominantly tests via acceptance tests * Update reference grant tests * fix linter issues * fix acceptance test linters * Fix validation tests * Fix up consul cache tests * fixing up a few more tests * Finish up translation test work * Fix last bit of tests

* Fix setting args for the telemetry-collector Either the docker container or the execution method for the telemetry-collector is making the args not get included on the process. Switch to putting it directly in the command so we can ensure this works as expected * Fix bats test

…2210)

…2245)

* initial test * More lifecycle work * functional lifecycle tests

To reduce the likelihood of flakes.

* Create RoleBinding attaching Role to ServiceAccount * Update ClusterRole for controller to allow management of RoleBindings * Separate logic for RoleBinding management from logic for Role * Use pointer receiver for all functions on Gatekeeper struct * Use more descriptive name for NamespacedName arg on delete * Clean up missed code in cherrypick * Remove out-of-scope TODO * Make Upsert docstring more robust, explaining dependency ordering * Add RoleBindings to unit tests for Gatekeeper

* Add missing JWT provider resource to kustomization.yaml - Add missing assertions for JWT provider too. * Add OSS tests for exported-services

* Fix Gateway trigger for when secret is modified * Add some simple unit tests * up some testing timeouts for acceptance tests

…#2227)

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>

* Add additional helm hook for resource management * Move GatewayClassConfig CRD to templates * Add CRDs to templates * Add value to values.yaml * Remove GatewayClass and GatewayClassConfig bats * Fix CRD ExportedServices * Change -release to -release-name on gateway-resources subcommand * switch to pointer to avoid lock copy for linter * Move forcible test cleanup to before helm delete since it will now drop CRDs * adjust cleanup logic since it looks like the testing framework sometimes uninstalls the helm chart early * Fix cli unit test and drop CRD reading data since it's no longer embedded in the CLI * Add BATs for Gateway CRDs * Add BATs for Gateway Resources * Update Contributing --------- Co-authored-by: Thomas Eckert <teckert@hashicorp.com>

* [API Gateway] Add external consul servers test * Fix up releaseName usage on CLI-based tests to mirror helm-based tests

* Update alpine to 3.18

* Remove check for reference grant for route to gateway * Fix tenancy tests * Final cleaning up of acceptance test

* Add partition test * drop superfluous sprintf * fix linter issue on acceptance test * Add predicated watch for pods

* Update memory defaults for connect inject controllers * Add changelog entry * Bump up Consul server statefulset memory defaults too

* update eks and aks to use latest kubernetes version * updated the terraform provider as some fields were deprecated

* Add FIPS builds for linux amd64 * add version check * fix CI labels and add local dev commands * fix ci version tagging * switch to ubuntu 20.04 * add CLI version tag * add gcompat for alpine glibc cgo compatibility * remove FIPS version check from connect-init * address comments

- making this trigger nightly until after 1.2.0 GA - leaving 0.49.x active until after 1.2.0 GA

* first run through, needs help * still need to make secure pass * left something uncommented * it works and also cleanup * fix acceptance tests

* [API Gateway] Add acceptance test for cluster peering * Fix linter * Fix random unrelated linter errors to get CI to run: revert later? * one more linter fix to later probably revert * more linter fixes * Revert "more linter fixes" This reverts commit 6210dff. * Revert "one more linter fix to later probably revert" This reverts commit 030c563. * Revert "Fix random unrelated linter errors to get CI to run: revert later?" This reverts commit fdeccab.

…ersion of kind and k8s 1.27 (#2304) * update cloud tests to use 1.24, 1.25 and 1.26 version of kubernetes for more coverage * updated readme for supported kubernetes versions * added changelog

* [API Gateway] WAN Federation test and fixes * Fix unit tests

* Fix when gateways are deleted before we get services populated into cache * a bit of cleanup

…assConfig are obeyed (#2272) * Add unit tests verifying that scaling parameters on GatewayClassConfig are obeyed * Add test case for scaling w/ no min or max configured

* Rename GatewayClassController to prevent name collision * Use gateway instead of gatewayclass in name * Use the constant in ownership checks * Change GatewayClass name to "consul" * Change GatewayClass name in cases * Change ApiGatewayClass back

* Fix SupportedKinds array to be what Conformance test expects * Fix cert validation status condition for listeners * Add programmed condition for listeners * Fix unit test --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* first pass at halting: got httproute and api-gateway done * clean up test * Handle all set for infinite reconcile check * Add table tests for minimal setup * Added some odd field names to test normalization is handled correctly * Use funky casing http routes

This reverts commit 7f6e1cb.

* Added helm inputs for managing audit logs * Remove unwanted changes from values

* fix: use correct flag when translating namespaces * Use non-normalized namespace when deregistering services * Guard against namespace queries when namespaces not enabled in cache

* added imagePullPolicy for images in values.yaml * fix: renamed pullPolicy key according to image * fixed dafault always in tmpl * changed structure of image in yaml * revert changes * added global imagePullPolicy * fixed typo * added changelog file

This brings consul-k8s in line with consul. Most importantly, the backport assistant was updated to automatically assign created PRs to the author of the PR that is being backported.

* update changelog based on changes made to 1.2.x * fixed test cases - enterprise cases were in the OSS test cases

* trigger conformance tests nightly, squash * remove extra line * Update nightly-api-gateway-conformance.yml

making scripts more robust and removing changing helm chart

* Fix cache and service deletion issue * Add comments * add in acceptance test * Fix indentation * Fix unit test for deleting gateway w/ consul services * Remove redundant service deregistration code * Exit loop early once registration is found for service * Fix import blocking * Set status on pods added to test * Apply suggestions from code review * Reduce count of test gateways to 10 from 100 --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com>

* Adding support for weighted k8s service * Adding changelog * if per-app weight is 0 then pull the weight to 1 * Addressing review comments * Addressing review comments * Addressing review comments * Comment update * Comment update * Parameterized table test * Parameterized table test * fixing linting issue * fixing linting issue --------- Co-authored-by: srahul3 <rahulsharma@hashicorp.com>

* Bumping go-discover to the lastest version

* pinned kind configuration for CI tests - created a yaml file with the desired pinned versions - created a script to read the yaml - added a make target which can be used in CI to get the desired kind inputs/config --------- Co-authored-by: Curt Bushko <cbushko@gmail.com>

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>

This reverts commit 2850962.

- allow configuration of acceptance testing matrices

…its (#2416) * feat(helm): add configurable server-acl-init and cleanup resource limits * Apply suggestions from code review Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com> * bugfix yaml path * fix bats test --------- Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>

* Add retryCheckWithWait func * Fix retry timing on GatewayClassConfig test * remove redundant scale, make scale up number max + 1 * NET-4627, fix acceptance tests flake --------- Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com>

* always update acl policy if it exists * added changelog * added unit test * fix typo * added some additional assertions to test * refactored create_or_update unit test

Proxy Lifecycle helm, connect-inject and acceptance tests (#2233) Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* Add breaking change to release notes

Co-authored-by: John Maguire <john.maguire@hashicorp.com>

* fix nil pointer exception * add unit test * added changelog * delete changelog

* Use correct length for certificate RSA key * api-gateway: Fix nil pointer exception panic (#2487) * fix nil pointer exception * add unit test * added changelog * delete changelog * Remove skip for fixed test --------- Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com>

* Validate length of RSA key for inline certs * Bring key length check functions over from consul * move validation of key length from certificate parsing into validation of cert * Update to use sentinel errors * Add changelog * Addressing PR comments: fixing text in changelog, fixing import blocks, slight refactor of cert validation for readability * Ensure cert is removed from consul if an invalid one is presented * Fix linting issues, added tests for validating keys

* add changelog for Consul 1.16.0 * add changelog for dataplane 1.2.0

cleans up oidc providers older than 8 hours.

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>

…2516) * fix connect/service mesh * Update values.yaml

…anup jobs (#2525) * feat: adding security context and annotations to tls and acl init/cleanup jobs * changelog --------- Co-authored-by: Chinikins <Chinikins@gmail.com>

…2520) Fix issue where virtual IP saving had insufficient ACLs.

* Lowercase datacenter name from HCP bootstrap response * Add test cases to cloud bootstrap

…K8s Service once (#2413) * Modify unit tests to include multiple listeners w/ same port Running the tests on this commit will demonstrate the bug * When multiple listeners have the same port, only add to K8s Service once * Add changelog entry

…non-existent section (#2420) * Set route accepted condition appropriately when no listener with section name matching parent * Adjust error message for bind errors that aren't specific to one listener * Include section name in message for NoMatchingParent when available * Add unit test coverage for conditions derived from binding results * Add changelog entry

* update environment variables with CONSUL_K8s prefix - This will let us check that we have all the environment variables set more easily with `printenv | grep "CONSUL_K8S"` * update imageConsulDataplane without quotes - this makes it consistent with the other images - allows scripting to work similarly to other images * updated utils script - handle replace case where consul-enterprise is in the values.yaml file and charts.yaml file - handle adding pre-release tag in changelog - handle updating consul-dataplane

* added missing changelogs * Update CHANGELOG.md for 0.49.8 --------- Co-authored-by: Curt Bushko <cbushko@gmail.com>

* updated contributing example with new configuration lists add new make target "kind" to makefile * This lets us setup our standard kind environment for testing refactor framework to take config list flags * removed primary/secondary kube flags as this limited us to only two clusters * added flags for kube configs, contexts and namespaces. This way we can support n clusters where n is the length of the longest list. The flags are then combined into a list of objects for use in testing added tests for new helper methods refactored tests * now TestMain for multicluster check that the test arguments contain the expected number of clusters * use helper method `env.GetSecondaryContextKey(t)` which grabs the second context in the list instead of using the defunct environment.SecondaryContextName refactored flag test to use new config lists refactored cli cluster to use get primary helper added multicluster check for vault acceptance * vault tests are multi-cluster but we weren't performing the necessary checks

Add copyright and license headers

Changes proposed in this PR: - Consume the same version of gateway-api for acceptance testing that we're consuming in the control plane: https://github.com/hashicorp/consul-k8s/blob/29b6ed36923498afc8f377455d4275653960230f/control-plane/go.mod#L42 How I've tested this PR: - 👀 - 🤖 tests pass How I expect reviewers to test this PR: - See above Checklist: - [ ] Tests added - [ ] [CHANGELOG entry added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry)

Changes proposed in this PR: - add in new validation call in endpoint How I've tested this PR: Ran it locally and tested the changes How I expect reviewers to test this PR: Read the code and run the command themselves to verify: ``` ./consul-k8s/acceptance/tests/cloud && go test -run TestBasicCloud -v -p 1 -timeout 20m \ -use-kind \ -kubecontext="kind-dc1" \ -consul-image hashicorppreview/consul-enterprise:1.17-dev -consul-k8s-image hashicorppreview/consul-k8s-control-plane:1.3.0-dev -consul-collector-image hashicorp/consul-telemetry-collector:0.0.1 \ -enable-enterprise ``` Checklist: - [X] Tests added - [n/a] [CHANGELOG entry added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry)

Changes proposed in this PR: - Replacing the deprecated [`resolve_conflicts`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon#resolve_conflicts) with the new attributes. I don't know if we really need this setting since it is optional and the addon has no user-defined config, but I'm keeping this to keep the behavior consistent. How I've tested this PR: I did not. How I expect reviewers to test this PR: 👀 Checklist: - [ ] ~Tests added~ - [ ] ~[CHANGELOG entry added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry)~

Changes proposed in this PR: - Removed unused workflow inputs.

Changes proposed in this PR: - Update actions that are out of date How I've tested this PR: 👀 How I expect reviewers to test this PR: 👀 Checklist: - [ ] Tests added - [ ] [CHANGELOG entry added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry)

Add guidance for proper configuration when joining to a secondary cluster using WAN fed with external servers also enabled. Also clarify federation requirements and fix formatting for an unrelated value. Changes proposed in this PR: - Update base content for generating Helm chart docs to clarify the use case encountered in #2138 - Minor additional fixes - _Follow-up: propagate generated doc changes to `consul` and additionally update https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/servers-outside-kubernetes there_ How I've tested this PR: N/A (docs only) How I expect reviewers to test this PR: 👀 Checklist: - [ ] Tests added - [ ] [CHANGELOG entry added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry)

…og (#2571) - In the past, kubernetes nodes were used as the source of truth to determine the list of services that should exist in Consul. - In most cases this was ok but becomes a problem when nodes are quickly deleted from kubernetes such as the case when using spot instances. - Instead, use consul synthetic-nodes to get the list of services and deregister the services that do not have endpoint addresses. --------- Co-authored-by: mr-miles <miles.waller@gmail.com>

…g Vault Version for WanFed Test (#2481) * Adding support for Enterprise and other improvement on the Customizing Vault Version for WanFed Test This is the extension of the PR - #2043 In this PR, the followings were addressed - 1. Now the vault enterprise version can be provided in the cli command. The previous PR only addressed Vault OSS. 2. Two flags “-no-cleanup-wan-fed” and “test-duration” were introduced to not to cleanup the test environment after successful setup to give it time to do manual testing for features/to reproduce customer issues. Default is 1 hour. 3. This was tested in Kind environment and it works fine. The following was taken out to use the “use-kind” option for WanFed test. //if cfg.UseKind { // t.Skipf("Skipping this test because it's currently flaky on kind") //} * Fix indentation * Fix unit test for deleting gateway w/ consul services * Remove redundant service deregistration code * Exit loop early once registration is found for service * Fix import blocking * Set status on pods added to test * Apply suggestions from code review * Reduce count of test gateways to 10 from 100 --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> Changes proposed in this PR: - - How I've tested this PR: How I expect reviewers to test this PR: Checklist: - [ ] Tests added - [ ] CHANGELOG entry added > HashiCorp engineers only, community PRs should not add a changelog entry. > Entries should use present tense (e.g. Add support for...) * Removing the changes in vault_namespaces_test.go * Introducing new flag no-cleanup * Removed "go 1.20" from go.work file * cfg.USEKind check is added back * Removed previousy added "Test Duration" flag * Some changes * Some changes

* added make target for checking for hashicorppreview * added check to prepare-release make target

This is meant to solve for recurrent timeouts in several steps, particularly `golangci-lint-control-plane` and `golang-ci-lint-cli`. An accompanying change in `consul-k8s-workflows` should disable caching until the (unclear) root of the issue can be resolved, or we can disable or clear cache in a more targeted way that solves for these cases.

* Fix TestAPIGateway_GatewayClassConfig * Remove stray files from bad merge

Support restricted PSA enforcement in a basic setup. This is enough to get a basic setup with ACLs and TLS working and an acceptance test passing (but does not update every component). On OpenShift, we have the option to set the security context or not. If the security context is unset, then it is set automatically by OpenShift SCCs. However, we prefer to set the security context to avoid useless warnings on OpenShift and to reduce the config difference between OpenShift and plain Kube. By default, OpenShift namespaces have the audit and warn PSA labels set to restricted, so we receive pod security warnings when deploying Consul to OpenShift even though the pods will be able to run. Helm chart changes: * Add a helper to the helm chart to define a "restricted" container security context (when pod security policies are not enabled) * Update the following container securityContexts to use the "restricted" settings (not exhaustive) - gateway-cleanup-job.yaml - gateway-resources-job.yaml - gossip-encryption-autogenerate-job.yaml - server-acl-init-cleanup-job.yaml - only if `.Values.server.containerSecurityContext.server.acl-init` is unset - server-acl-init-job.yaml - only if `.Values.server.containerSecurityContext.server.acl-init` is unset - server-statefulset.yaml: - the locality-init container receives the restricted context - the consul container receives the restricted context only if `.Values.server.containerSecurityContext.server` is unset - tls-init-cleanup-job.yaml - only if `.Values.server.containerSecurityContext.server.tls-init` is unset - tls-init-job.yaml - only if `.Values.server.containerSecurityContext.server.tls-init` is unset - webhook-cert-manager-deployment.yaml Acceptance test changes: * When `-enable-openshift` and `-enable-cni` are set, configure the CNI settings correctly for OpenShift. * Add the `-enable-restricted-psa-enforcement` test flag. When this is set, the tests assume the Consul namespace has restricted PSA enforcement enabled. The tests will deploy the CNI (if enabled) into the `kube-system` namespace. Compatible test cases will deploy applications outside of the Consul namespace. * Update the ConnectHelper to configure the NetworkAttachmentDefinition required to be compatible with the CNI on OpenShift. * Add fixtures for static-client and static-server for OpenShift. This is necessary because the deployment configs must reference the network attachment definition when using the CNI on OpenShift. * Update tests in the `acceptance/tests/connect` directory to either run or skip based on -enable-cni and -enable-openshift

security: Upgrade Go and net/http Upgrade to Go 1.20.6 and `net/http` 1.12.0 to resolve CVE-2023-29406.

The consul client always logs into the local datacenter

* Add support for requestTimeout in Service Resolver spec * preserve serviceresolvers.yaml Preserving yaml from main, only adding requesttimeout property. * update generated.deepcopy.go * Use latest controller-gen to generate CRDs --------- Co-authored-by: Ashwin Venkatesh <ashwin.what@gmail.com>

… ms (#2656) increase timeout for acl replication to 60 seconds and poll every 500 ms

…or for apiGateway (#2597) * Support multiline nodeSelector arg * Support multiline service annotations arg * Update test assertions * Add changelog entry

* add kustomize files - These reflect the different test cases - sameness.yaml defines the ordered list of failovers - static-server responds with a unique name so we can track failover order - static-client includes both DNS and CURL in the image used so we can exec in for testing * add sameness tests - We do a bunch of infra setup for peering and partitions, but after the initial setup only partitions are tested - We test service failover, dns failover and PQ failover scenarios * add 4 kind clusters to make target - The sameness tests require 4 kind clusters, so the make target will now spin up 4 kind clusters - not all tests need 4 kind clusters, but the entire suite of tests can be run with 4 * increase kubectl timeout to 90s - add variable for configuring timeout - timeout was triggering locally on intel mac machine, so this timeout should cover our devs lowest performing machines * add sameness test to test packages * Fix comments on partition connect test

* Added logLevel field for components * Add changelog * Fix tests * Rename 2298.txt to 2302.txt * Address comments * Fix tests * Fix helm tests * Address comments * Add client and server loglevels * Fix bats * Update changelog * Fix bats tests

- Add missing license headers.

* Bump golang.org/x/net to 0.12.0 in cni This was missed in 5b57e63 as part of a general upgrade of that dependency. * Bump server-connection-manager to v0.1.3 Tidying up following CVE dependency bumps, leading to a new release of this library.

* Fix default Ent image tag in acceptance tests Rather than hard-coding the Docker repository and parsing the non-Ent image tag for a version, simply replace the image name and retain other coordinates. This is consistent with our tagging scheme introduced in hashicorp/consul#13541 and will allow for using `hashicorppreview` images seamlessly regardless of whether OSS or Ent is being tested. * Add make target for loading images in kind Complement other multi-cluster make targets by supporting image loading across kind clusters.

security: Upgrade Go and x/net Upgrade to Go 1.20.7 and `x/net` 1.13.0 to resolve [CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) and [CVE-2023-3978](https://nvd.nist.gov/vuln/detail/CVE-2023-3978).

increase timeout while waiting for server to be ready and fix require.Equal check

* Increase the retries and add config entry retries

…ing on OpenShift (#2184) Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com>

* Adds port mapping to Gateway Class Config to avoid running container on privileged ports Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* Implement validation of TLS options * Use constants for annotation keys * Add changelog entry * Implement TLS options translation * Update changelog entry * Add unit test coverage for TLS option validation * Code review feedback

* JWT auth basic acceptance test * Update to run only in enterprise mode, update comment to be correct * Remove usage of `testing.t` in retry block * Fixed last `t` in retry block in tests * Update acceptance/tests/api-gateway/api_gateway_test.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Update acceptance/tests/api-gateway/api_gateway_test.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Updating filenames for gw jwt cases and adding message about why this test is skipped --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

Apply K8s node locality to services and sidecars Locality-aware routing is based on proxy locality rather than the proxied service. Ensure we propagate locality to both when registering services.

* Set privileged to false unless on OpenShift without CNI

* added fixtures * removed fixtures - intentions only gets added now if acls are enabled - payment-service-resolver is only for locality aware which isn't in scope for this PR * updated sameness tests to include peering - refactored with some helper functions for members (now TestClusters) - made names more uniform, tend more towards the cluster-01-a/cluster-02-a/etc. nomenclature * added 4 clusters to cni make target * disable proxy lifecycle

…repeatedly-composed-whale

Commits on Mar 2, 2023

disable go mod scanning (#1974 )

wilkermichael authored Mar 2, 2023

Configuration menu

View commit details

Copy full SHA for 1ea918e

Browse repository at this point

Copy the full SHA

1ea918e View commit details

Browse the repository at this point in the history

Commits on Mar 13, 2023

added more retries for tests (#2006 )

wilkermichael authored Mar 13, 2023

Configuration menu

View commit details

Copy full SHA for 6fbb20f

Browse repository at this point

Copy the full SHA

6fbb20f View commit details

Browse the repository at this point in the history

Commits on Apr 20, 2023

Supply chain updates (#2072 )

curtbushko authored Apr 20, 2023

Configuration menu

View commit details

Copy full SHA for 7145b02

Browse repository at this point

Copy the full SHA

7145b02 View commit details

Browse the repository at this point in the history

Backport of correct prometheus port and scheme annotations if tls is enabled into release/1.0.x #2855

Backport of correct prometheus port and scheme annotations if tls is enabled into release/1.0.x #2855

Commits on Mar 2, 2023

Commits on Mar 3, 2023

Commits on Mar 6, 2023

Commits on Mar 8, 2023

Commits on Mar 9, 2023

Commits on Mar 13, 2023

Commits on Mar 14, 2023

Commits on Mar 15, 2023

Commits on Mar 20, 2023

Commits on Mar 21, 2023

Commits on Mar 24, 2023

Commits on Mar 25, 2023

Commits on Mar 27, 2023

Commits on Mar 28, 2023

Commits on Apr 3, 2023

Commits on Apr 4, 2023

Commits on Apr 5, 2023

Commits on Apr 10, 2023

Commits on Apr 13, 2023

Commits on Apr 14, 2023

Commits on Apr 17, 2023

Commits on Apr 18, 2023

Commits on Apr 20, 2023

Commits on Apr 21, 2023

Commits on Apr 24, 2023

Commits on Apr 27, 2023

Commits on Apr 28, 2023

Commits on May 4, 2023

Commits on May 8, 2023

Commits on May 10, 2023

Commits on May 11, 2023

Commits on May 12, 2023

Commits on May 15, 2023

Commits on May 16, 2023

Commits on May 17, 2023

Commits on May 18, 2023

Commits on May 23, 2023

Commits on May 25, 2023

Commits on May 26, 2023

Commits on May 29, 2023

Commits on May 30, 2023

Commits on May 31, 2023

Commits on Jun 1, 2023

Commits on Jun 2, 2023

Commits on Jun 3, 2023

Commits on Jun 5, 2023

Commits on Jun 6, 2023

Commits on Jun 7, 2023

Commits on Jun 8, 2023

Commits on Jun 9, 2023

Commits on Jun 10, 2023

Commits on Jun 11, 2023

Commits on Jun 12, 2023

Commits on Jun 13, 2023

Commits on Jun 14, 2023

Commits on Jun 15, 2023

Commits on Jun 19, 2023

Commits on Jun 20, 2023

Commits on Jun 21, 2023

Commits on Jun 22, 2023

Commits on Jun 23, 2023

Commits on Jun 26, 2023

Commits on Jun 27, 2023

Commits on Jun 28, 2023

Commits on Jun 29, 2023

Commits on Jun 30, 2023

Commits on Jul 3, 2023

Commits on Jul 6, 2023

Commits on Jul 7, 2023

Commits on Jul 10, 2023

Commits on Jul 11, 2023

Commits on Jul 12, 2023

Commits on Jul 14, 2023

Commits on Jul 17, 2023

Commits on Jul 18, 2023

Commits on Jul 19, 2023

Commits on Jul 20, 2023

Commits on Jul 21, 2023