backport of commit 13aae0e

.changelog/21984.txt

@@ -1,3 +1,3 @@
 ```release-note:bug
 api-gateway: Fixed TLS configuration to properly enforce listener TLS versions and cipher suites
-```
+```

.github/CODEOWNERS

@@ -1,18 +1,10 @@
 * @hashicorp/consul-selfmanage-maintainers
 
+# Techical Writer Review
 
-# engineering and web presence get notified of, and can approve changes to web tooling, but not content.
-
-/website/           @hashicorp/web-presence @hashicorp/consul-selfmanage-maintainers
-/website/data/
-/website/public/
-/website/content/
-
-# education and engineering get notified of, and can approve changes to web content.
-
-/website/data/          @hashicorp/consul-docs @hashicorp/consul-selfmanage-maintainers
-/website/public/        @hashicorp/consul-docs @hashicorp/consul-selfmanage-maintainers
-/website/content/       @hashicorp/consul-docs @hashicorp/consul-selfmanage-maintainers
+/website/content/docs/ @hashicorp/consul-docs
+/website/content/commands/ @hashicorp/consul-docs
+/website/content/api-docs/ @hashicorp/consul-docs
 
 
 # release configuration

.github/workflows/nightly-test-integrations.yml

@@ -217,7 +217,7 @@ jobs:
       # matrix.consul-version (i.e. whenever the highest common Envoy version across active
       # Consul versions changes). The minor Envoy version does not necessarily need to be
       # kept current for the purpose of these tests, but the major (1.N) version should be.
-      ENVOY_VERSION: 1.28.7
+      ENVOY_VERSION: 1.27.6
     steps:
       - name: Checkout code
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

.github/workflows/test-integrations.yml

@@ -83,7 +83,7 @@ jobs:
       contents: read
     strategy:
       matrix:
-        nomad-version: ['v1.8.3', 'v1.7.7', 'v1.6.10']
+        nomad-version: ['v1.7.7', 'v1.6.10', 'v1.5.17']
     steps:
       - name: Checkout Nomad
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
@@ -166,7 +166,7 @@ jobs:
       contents: read
     strategy:
       matrix:
-        vault-version: ["1.17.5", "1.16.3", "1.15.6"]
+        vault-version: ["1.16.2", "1.15.6", "1.14.10"]
     env:
       VAULT_BINARY_VERSION: ${{ matrix.vault-version }}
     steps:

.gitignore

@@ -71,6 +71,3 @@ terraform.rc
 /go.work
 /go.work.sum
 .docker
-
-# Avoid accidental commits of consul-k8s submodule used by some dev environments
-consul-k8s/

agent/agent.go

@@ -1434,9 +1434,6 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co
 	cfg.GRPCTLSPort = runtimeCfg.GRPCTLSPort
 
 	cfg.Segment = runtimeCfg.SegmentName
-
-	cfg.RaftConfig.PreVoteDisabled = runtimeCfg.RaftPreVoteDisabled
-
 	if len(runtimeCfg.Segments) > 0 {
 		segments, err := segmentConfig(runtimeCfg)
 		if err != nil {

agent/config/builder.go

@@ -1073,7 +1073,6 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 		RaftSnapshotThreshold:             intVal(c.RaftSnapshotThreshold),
 		RaftSnapshotInterval:              b.durationVal("raft_snapshot_interval", c.RaftSnapshotInterval),
 		RaftTrailingLogs:                  intVal(c.RaftTrailingLogs),
-		RaftPreVoteDisabled:               boolVal(c.RaftPreVoteDisabled),
 		RaftLogStoreConfig:                b.raftLogStoreConfigVal(&c.RaftLogStore),
 		ReconnectTimeoutLAN:               b.durationVal("reconnect_timeout", c.ReconnectTimeoutLAN),
 		ReconnectTimeoutWAN:               b.durationVal("reconnect_timeout_wan", c.ReconnectTimeoutWAN),

agent/config/config.go

@@ -8,9 +8,8 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/mitchellh/mapstructure"
-
 	"github.com/hashicorp/hcl"
+	"github.com/mitchellh/mapstructure"
 
 	"github.com/hashicorp/consul/lib/decode"
 )
@@ -215,7 +214,6 @@ type Config struct {
 	RaftSnapshotThreshold            *int                `mapstructure:"raft_snapshot_threshold" json:"raft_snapshot_threshold,omitempty"`
 	RaftSnapshotInterval             *string             `mapstructure:"raft_snapshot_interval" json:"raft_snapshot_interval,omitempty"`
 	RaftTrailingLogs                 *int                `mapstructure:"raft_trailing_logs" json:"raft_trailing_logs,omitempty"`
-	RaftPreVoteDisabled              *bool               `mapstructure:"raft_prevote_disabled" json:"raft_prevote_disabled,omitempty"`
 	ReconnectTimeoutLAN              *string             `mapstructure:"reconnect_timeout" json:"reconnect_timeout,omitempty"`
 	ReconnectTimeoutWAN              *string             `mapstructure:"reconnect_timeout_wan" json:"reconnect_timeout_wan,omitempty"`
 	RejoinAfterLeave                 *bool               `mapstructure:"rejoin_after_leave" json:"rejoin_after_leave,omitempty"`

agent/config/default.go

@@ -146,7 +146,6 @@ func DefaultSource() Source {
 		raft_snapshot_threshold = ` + strconv.Itoa(int(cfg.RaftConfig.SnapshotThreshold)) + `
 		raft_snapshot_interval =  "` + cfg.RaftConfig.SnapshotInterval.String() + `"
 		raft_trailing_logs = ` + strconv.Itoa(int(cfg.RaftConfig.TrailingLogs)) + `
-		raft_prevote_disabled =  false
 		raft_logstore {
 			wal {
 				segment_size_mb = 64

agent/config/runtime.go

@@ -10,9 +10,8 @@ import (
 	"strings"
 	"time"
 
-	"golang.org/x/time/rate"
-
 	"github.com/hashicorp/go-uuid"
+	"golang.org/x/time/rate"
 
 	"github.com/hashicorp/consul/agent/cache"
 	"github.com/hashicorp/consul/agent/consul"
@@ -1005,9 +1004,6 @@ type RuntimeConfig struct {
 	// hcl: raft_trailing_logs = int
 	RaftTrailingLogs int
 
-	// hcl: raft_prevote_disabled = bool
-	RaftPreVoteDisabled bool
-
 	RaftLogStoreConfig consul.RaftLogStoreConfig
 
 	// ReconnectTimeoutLAN specifies the amount of time to wait to reconnect with

agent/config/runtime_test.go

@@ -6594,7 +6594,6 @@ func TestLoad_FullConfig(t *testing.T) {
 		RaftSnapshotThreshold:   16384,
 		RaftSnapshotInterval:    30 * time.Second,
 		RaftTrailingLogs:        83749,
-		RaftPreVoteDisabled:     false,
 		ReconnectTimeoutLAN:     23739 * time.Second,
 		ReconnectTimeoutWAN:     26694 * time.Second,
 		RequestLimitsMode:       consulrate.ModePermissive,

agent/config/testdata/TestRuntimeConfig_Sanitize.golden

@@ -71,7 +71,6 @@
     "AutopilotDisableUpgradeMigration": false,
     "AutopilotLastContactThreshold": "0s",
     "AutopilotMaxTrailingLogs": 0,
-
     "AutopilotMinQuorum": 0,
     "AutopilotRedundancyZoneTag": "",
     "AutopilotServerStabilizationTime": "0s",
@@ -300,7 +299,6 @@
     "RaftSnapshotInterval": "0s",
     "RaftSnapshotThreshold": 0,
     "RaftTrailingLogs": 0,
-    "RaftPreVoteDisabled": false,
     "ReadReplica": false,
     "ReconnectTimeoutLAN": "0s",
     "ReconnectTimeoutWAN": "0s",

agent/consul/internal_endpoint_test.go

@@ -3899,15 +3899,12 @@ func TestInternal_AssignManualServiceVIPs(t *testing.T) {
 		}
 
 		var resp structs.AssignServiceManualVIPsResponse
-		idx1 := s1.raft.CommitIndex()
 		err := msgpackrpc.CallWithCodec(codec, "Internal.AssignManualServiceVIPs", tc.req, &resp)
-		idx2 := s1.raft.CommitIndex()
 		if tc.expectErr != "" {
 			testutil.RequireErrorContains(t, err, tc.expectErr)
 		} else {
 			if again {
 				require.Equal(t, tc.expectAgain, resp)
-				require.Equal(t, idx1, idx2, "no raft operations occurred")
 			} else {
 				require.Equal(t, tc.expect, resp)
 			}

agent/consul/server.go

@@ -53,6 +53,7 @@ import (
 	"github.com/hashicorp/consul/agent/consul/xdscapacity"
 	"github.com/hashicorp/consul/agent/grpc-external/services/peerstream"
 	"github.com/hashicorp/consul/agent/hcp"
+	"github.com/hashicorp/consul/agent/hcp/bootstrap"
 	hcpclient "github.com/hashicorp/consul/agent/hcp/client"
 	logdrop "github.com/hashicorp/consul/agent/log-drop"
 	"github.com/hashicorp/consul/agent/metadata"
@@ -64,6 +65,7 @@ import (
 	"github.com/hashicorp/consul/agent/token"
 	"github.com/hashicorp/consul/internal/controller"
 	"github.com/hashicorp/consul/internal/gossip/librtt"
+	hcpctl "github.com/hashicorp/consul/internal/hcp"
 	"github.com/hashicorp/consul/internal/multicluster"
 	"github.com/hashicorp/consul/internal/resource"
 	"github.com/hashicorp/consul/internal/resource/demo"
@@ -836,6 +838,25 @@ func NewServer(config *Config, flat Deps, externalGRPCServer *grpc.Server,
 	// to enable RPC forwarding.
 	s.grpcLeaderForwarder = flat.LeaderForwarder
 
+	if s.config.Cloud.IsConfigured() {
+		// Start watching HCP Link resource. This needs to be created after
+		// the GRPC services are set up in order for the resource service client to
+		// function. This uses the insecure grpc channel so that it doesn't need to
+		// present a valid ACL token.
+		go hcp.RunHCPLinkWatcher(
+			&lib.StopChannelContext{StopCh: shutdownCh},
+			logger.Named("hcp-link-watcher"),
+			pbresource.NewResourceServiceClient(s.insecureSafeGRPCChan),
+			hcp.HCPManagerLifecycleFn(
+				s.hcpManager,
+				hcpclient.NewClient,
+				bootstrap.LoadManagementToken,
+				flat.HCP.Config,
+				flat.HCP.DataDir,
+			),
+		)
+	}
+
 	s.controllerManager = controller.NewManager(
 		// Usage of the insecure + unsafe grpc chan is required for the controller
 		// manager. It must be unauthorized so that controllers do not need to
@@ -907,7 +928,15 @@ func NewServer(config *Config, flat Deps, externalGRPCServer *grpc.Server,
 	return s, nil
 }
 
-func (s *Server) registerControllers(_ Deps) error {
+func (s *Server) registerControllers(deps Deps) error {
+	if s.config.Cloud.IsConfigured() {
+		hcpctl.RegisterControllers(
+			s.controllerManager, hcpctl.ControllerDependencies{
+				CloudConfig: deps.HCP.Config,
+			},
+		)
+	}
+
 	shim := NewExportedServicesShim(s)
 	multicluster.RegisterCompatControllers(s.controllerManager, multicluster.DefaultCompatControllerDependencies(shim))
 

agent/consul/testdata/v2-resource-dependencies.md

@@ -7,11 +7,13 @@ flowchart TD
   demo/v1/recordlabel
   demo/v2/album
   demo/v2/artist
+  hcp/v2/link
+  hcp/v2/telemetrystate
   internal/v1/tombstone
   multicluster/v2/computedexportedservices --> multicluster/v2/exportedservices
   multicluster/v2/computedexportedservices --> multicluster/v2/namespaceexportedservices
   multicluster/v2/computedexportedservices --> multicluster/v2/partitionexportedservices
   multicluster/v2/exportedservices
   multicluster/v2/namespaceexportedservices
   multicluster/v2/partitionexportedservices
-```
+```

agent/consul/type_registry.go

@@ -4,6 +4,7 @@
 package consul
 
 import (
+	"github.com/hashicorp/consul/internal/hcp"
 	"github.com/hashicorp/consul/internal/multicluster"
 	"github.com/hashicorp/consul/internal/resource"
 	"github.com/hashicorp/consul/internal/resource/demo"
@@ -21,6 +22,7 @@ func NewTypeRegistry() resource.Registry {
 
 	demo.RegisterTypes(registry)
 	multicluster.RegisterTypes(registry)
+	hcp.RegisterTypes(registry)
 
 	return registry
 }

agent/hcp/link_watch.go

@@ -0,0 +1,68 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package hcp
+
+import (
+	"context"
+	"time"
+
+	"github.com/hashicorp/go-hclog"
+
+	hcpctl "github.com/hashicorp/consul/internal/hcp"
+	"github.com/hashicorp/consul/lib/retry"
+	pbhcp "github.com/hashicorp/consul/proto-public/pbhcp/v2"
+	"github.com/hashicorp/consul/proto-public/pbresource"
+)
+
+type LinkEventHandler = func(context.Context, hclog.Logger, *pbresource.WatchEvent)
+
+func handleLinkEvents(ctx context.Context, logger hclog.Logger, watchClient pbresource.ResourceService_WatchListClient, linkEventHandler LinkEventHandler) {
+	for {
+		select {
+		case <-ctx.Done():
+			logger.Debug("context canceled, exiting")
+			return
+		default:
+			watchEvent, err := watchClient.Recv()
+
+			if err != nil {
+				logger.Error("error receiving link watch event", "error", err)
+				return
+			}
+
+			linkEventHandler(ctx, logger, watchEvent)
+		}
+	}
+}
+
+func RunHCPLinkWatcher(
+	ctx context.Context, logger hclog.Logger, client pbresource.ResourceServiceClient, linkEventHandler LinkEventHandler,
+) {
+	errorBackoff := &retry.Waiter{
+		MinFailures: 10,
+		MinWait:     0,
+		MaxWait:     1 * time.Minute,
+	}
+	for {
+		select {
+		case <-ctx.Done():
+			logger.Debug("context canceled, exiting")
+			return
+		default:
+			watchClient, err := client.WatchList(
+				ctx, &pbresource.WatchListRequest{
+					Type:       pbhcp.LinkType,
+					NamePrefix: hcpctl.LinkName,
+				},
+			)
+			if err != nil {
+				logger.Error("failed to create watch on Link", "error", err)
+				errorBackoff.Wait(ctx)
+				continue
+			}
+			errorBackoff.Reset()
+			handleLinkEvents(ctx, logger, watchClient, linkEventHandler)
+		}
+	}
+}