add config read command #2078

Merged
merged 7 commits into from
May 11, 2023

Conversation

hanshasselberg
Member

@hanshasselberg hanshasselberg commented Apr 23, 2023

Changes proposed in this PR:

For CCM Linking existing clusters we were trying to find a good way of retrieving the helm config from consul-k8s, but there was none. Following @lkysow's suggestion, this PR adds a consul-k8s config read command that returns the helm configuration.

How I've tested this PR:

How I expect reviewers to test this PR:

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use present tense (e.g. Add support for...)

@hanshasselberg hanshasselberg added the backport/1.1.x Backport to release/1.1.x branch label Apr 28, 2023
@hanshasselberg hanshasselberg marked this pull request as ready for review April 28, 2023 09:16
@david-yu
Contributor

@hanshasselberg After this is merged we also should document this as a new command here: https://developer.hashicorp.com/consul/docs/k8s/k8s-cli

Member

@jmurret jmurret left a comment

Overall, this looks great! Just had a couple of small questions.

valuesYaml, err := yaml.Marshal(rel.Config)
if err != nil {
c.UI.Output("%+v", err, terminal.WithErrorStyle())
} else {
Member

should we return the error here rather than outputting it and continuing?

Member Author

@hanshasselberg hanshasselberg May 4, 2023

I changed it here. I copied the code from another command, maybe proxy. In this repo I found the following variations:

  • output error and return nil (like above)
  • output error and return error
  • return error

🤷

returnCode := c.Run([]string{})
require.Equal(t, tc.expectedReturnCode, returnCode)
output := buf.String()
for _, msg := range tc.messages {
Member

do we have tests where this is used? It feels like this was set up with an idea of looking for some errors, so it would be great to see some added. But if not, this could just be removed.

Contributor

It could be worth validating the output in the "some config" case, and make sure you see the config you're setting

Member Author

@jmurret added!
@ndhanushkodi That was an oversight on my part, I added the actual config check.
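
As an added example (not code from this PR or the consul-k8s repository), the Go program below sketches the two points raised in the thread: a Run method that turns an error into a message plus a non-zero exit code instead of printing it and continuing, and a config rendering whose output a table-driven test can check for the values actually set. It assumes a stand-in Release struct with only a Config field, a hypothetical ReleaseGetter injection point in place of the Helm SDK lookup, and a hand-rolled YAML renderer in place of the yaml library so it runs offline; the sample release values are constructed.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"sort"
	"strconv"
	"strings"
)

// Release is a constructed stand-in for the Helm release object; Config holds the user-supplied values.
type Release struct {
	Config map[string]interface{}
}

// ReleaseGetter (hypothetical) abstracts fetching a release so tests can inject a fake.
type ReleaseGetter func(name string) (*Release, error)

// ReadConfig fetches the release and writes its config as YAML; every failure is returned, not printed and ignored.
func ReadConfig(get ReleaseGetter, name string, out io.Writer) error {
	rel, err := get(name)
	if err != nil {
		return fmt.Errorf("retrieving release %q: %w", name, err)
	}
	y, err := marshalValues(rel.Config, 0)
	if err != nil {
		return fmt.Errorf("marshalling config of release %q: %w", name, err)
	}
	_, err = io.WriteString(out, y)
	return err
}

// Run mirrors a CLI command's Run method: errors become a message plus exit code 1, which tests can assert on.
func Run(get ReleaseGetter, name string, out io.Writer) int {
	if err := ReadConfig(get, name, out); err != nil {
		fmt.Fprintf(out, "error: %v\n", err)
		return 1
	}
	return 0
}

// marshalValues renders nested maps and scalars as YAML with sorted keys (stands in for the yaml library).
func marshalValues(m map[string]interface{}, indent int) (string, error) {
	pad := strings.Repeat("  ", indent)
	if len(m) == 0 {
		return pad + "{}\n", nil
	}
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		if child, ok := m[k].(map[string]interface{}); ok {
			nested, err := marshalValues(child, indent+1)
			if err != nil {
				return "", err
			}
			fmt.Fprintf(&b, "%s%s:\n%s", pad, k, nested)
			continue
		}
		s, err := scalar(m[k])
		if err != nil {
			return "", fmt.Errorf("key %q: %w", k, err)
		}
		fmt.Fprintf(&b, "%s%s: %s\n", pad, k, s)
	}
	return b.String(), nil
}

// scalar formats leaf values; any other type is reported as a marshalling error.
func scalar(v interface{}) (string, error) {
	switch t := v.(type) {
	case string:
		return strconv.Quote(t), nil
	case bool:
		return strconv.FormatBool(t), nil
	case int:
		return strconv.Itoa(t), nil
	}
	return "", fmt.Errorf("unsupported value type %T", v)
}

// SampleGetter returns a constructed release; "consul" is the only name it knows.
func SampleGetter(name string) (*Release, error) {
	if name != "consul" {
		return nil, fmt.Errorf("release %q not found", name)
	}
	return &Release{Config: map[string]interface{}{
		"global": map[string]interface{}{"name": "consul", "tls": map[string]interface{}{"enabled": true}},
		"server": map[string]interface{}{"replicas": 3},
	}}, nil
}

func main() {
	os.Exit(Run(SampleGetter, "consul", os.Stdout))
}
```

Because Run takes the getter and the writer as parameters, a test can drive it with a fake release, assert the exit code, and compare the whole rendered YAML against the values it set, rather than only checking that some message appeared; a missing release or a value the renderer cannot serialize ends in exit code 1 with the wrapped error in the output.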

}
}

func TestTaskCreateCommand_AutocompleteFlags(t *testing.T) {
Member

Curious, are there changes in this PR to prediction behavior? It feels like prediction tests should not have to go into every command if predictions are global and the command does not do anything new.

(not looking for a code change, but just curious if these are here because other commands had them)

Contributor

Yeah most of the other commands have this boilerplate in it. I think it could be fine to keep or remove in this PR, but probably we should have a separate task to pull out the autocomplete code elsewhere

Contributor

@ndhanushkodi ndhanushkodi left a comment

Looks great!

@hanshasselberg hanshasselberg added pr/no-changelog PR does not need a corresponding .changelog entry and removed pr/no-changelog PR does not need a corresponding .changelog entry labels May 11, 2023
@hanshasselberg hanshasselberg merged commit ccb51c1 into main May 11, 2023
@hanshasselberg hanshasselberg deleted the hans/add_config_read_command branch May 11, 2023 09:57
hanshasselberg added a commit that referenced this pull request May 15, 2023
@david-yu
Contributor

@hanshasselberg Any chance you could update the docs to include this new command? Looks like this went out with 1.0.7

hanshasselberg added a commit to hashicorp/consul that referenced this pull request May 25, 2023
This PR adds documentation for the functionality introduced in
hashicorp/consul-k8s#2078.
david-yu pushed a commit to hashicorp/consul that referenced this pull request May 25, 2023
* add docs for consul-k8s config read command

This PR adds documentation for the functionality introduced in
hashicorp/consul-k8s#2078.

* add output

---------

Co-authored-by: David Yu <[email protected]>
absolutelightning pushed a commit that referenced this pull request Aug 4, 2023
* add config read command

* add tests

* lint

* update docs

* add changelog

* fix linting errors

* PR feedback
absolutelightning added a commit that referenced this pull request Sep 12, 2023
* test image form consul-enterprise

* Revert "test image form consul-enterprise"

This reverts commit 2fb794450c8d64a502ebdb296f6836de7be06d59.

* Convert acceptance to use github actions (#2046)

* Terraform: increase node sizes
* update GKE to use already created subnets
* Dispatch: dispatch to consul-k8s-workflows

* Remove CircleCI (#2050)

* Update status on PRs (#2054)

* Update status on PRs
* Split pr and push into 2 different files so that context can be passed through

* Update backport assistant to support -gh-automerge (#2047)

* Add a cleanup cron job (#2059)

* Add a cleanup cron job

* add sameness group CRD (#2048)

* draft of adding sameness group CRD

* move sameness group tests to ent test file

* update tests

* fix lint issues

* generate yaml and update helm charts

* update field descriptions and validation and its test

* remove unwanted files, add license comments back

* rename samenessgroups to samenessgroup

* fix resource names

* update failing unit test

* Supply chain updates (#2072)

* Fix Sync Catalog ACL Token Environment Var Name (#2068)

* Fix Sync Catalog ACL Token Environment Var Name
* Update ACL variable name in tests

* Add changelog for NET 2422 (#2080)

* add sameness group to exported services (#2075)

* add sameness group to exported services

* update CRDs

* update deep copy

* re add license line

* check if sameness group is wildcard

* remove experimental tag on peering fields

* update error message case

* update error message case in webhook test

* Adjust API gateway controller deployment appropriately when Vault configured as secrets backend (#2083)

* Adjust mount based on whether Vault is enabled as secrets backend

* Add changelog entry

* Improve wording of changelog entry

* Use Vault serverca for CONSUL_CACERT when secrets backend enabled

* Add comment to Helm template explaining logic

* Add unit test for CONSUL_CACERT with Vault secret path

* Add unit tests for removing mounts when Vault is secrets backend

* Result of tsccr-helper -pin-all-workflows . (#2089)

Co-authored-by: hashicorp-tsccr[bot] <hashicorp-tsccr[bot]@users.noreply.github.com>

* set consul server locality from k8s node labels (#2093)

* add sameness group to service resolver, update manifests (#2086)

* add sameness group to service resolver, update manifests

* get the latest api and update acceptance tests

* get the latest api in acceptance tests

* update validation code, remove dynamic validations, update tests

* check nil pointer

* go get latest api

* revert acceptance changes

* add sameness group to source intention (#2097)

* add sameness group to source intention

* add more test coverage

* add comment on metaValueMaxLength variable

* fix comment lint issue

* security: update Go version to 1.20.4 (#2102)

* Spatel/net 1646 add max ejection percent and base ejection time (#2064)

* Add MaxEjectionPercent and BaseEjectionTime to servicedefaults

* test with sister branch in consul repo

* missed one

* fix tag names

* fix json tags and duration type

* update test

* generate yaml files and fix imports

---------

Co-authored-by: Semir Patel <[email protected]>

* chore(ci): fix changelog action for non-main base branches (#2105)

* chore(ci): fix backport assistant not finding new branches (#2113)

* Customizing Vault Version for WanFed Test (#2043)

* Customizing Vault Version for WanFed Test

* Modified

* Changed according to the review comments

* Removed the commented line

* Vault server version type changed to String

* changed back to VaultServerVersion type

* Changing "VaultServerVersion" to type "String"

* add config read command (#2078)

* add config read command

* add tests

* lint

* update docs

* add changelog

* fix linting errors

* PR feedback

* Update CRDs for Permissive mTLS (#2100)

* Add mutualTLSMode to service-defaults and proxy-defaults
* Add allowEnablingPermisiveMutualTLS to mesh config entry

* helm: add HOST_IP to mesh-gateway (#1808)

* add HOST_IP to mesh-gateway

* chore(ci): fix typo in changelog checker (#2127)

* Add support for syncing Ingress hostname to the Consul Catalog (#2098)

* Add support for syncing Ingress hostname to the Consul Catalog
* fix changelog-checker syntax error

* Add telemetry collector deployment to consul-k8s (#2134)

* Create values.yaml section for telemetry-collector

* Initial telemetry-collector validation and bats test

* Add nodeSelector

* Add connect-init initContainer

* Add consul-dataplane container

* Conditionally add ca-cert volume

* Include vault annotations

* Prune tests to pertinent test cases

* Move consul server env vars

* Check ca mount for dataplane container

* Check correct env var

* Set default resources

* Set initContainer and tolerations

* Support priorityClassName

* Support setting initContainer resources

* Fix replicas unit test

* Turn off tproxy and remove unneeded security context

* Set -tls-disabled if global.tls.enabled=false

* Set -ca-certs correct if tls is enabled

* Set external server args

* Set partition flag tests

* Label bats tests, remove duplicate flags

* Bats tests for service, add metricsserver port

* Support annotations and imagePullSecret on serviceAccount

* Create configmap for custom configuration

* Add configmap to deployment

* Fix test names

* Remove unneeded cloud validation. fixup comment

* Comment values.yaml changes

* Switch from sidecar auth method to component auth method

* changelog

* Add PodSecurityPolicy for consul-telemetry-collector

* Rename init container + add comment

* Remove logLevel bats tests as it is unsupported right now

* Remove auth-method special cases

* Replace LOGIN_DATACENTER login with LOGIN_NAMESPACE

* Remove unneeded LOGIN_DATACENTER test

* NET-2619 - save ClusterIPs to manual vips table (#2124)

* Get the consul version from values.yaml (#2146)

* [COMPLIANCE] Add Copyright and License Headers (#2079)

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>

* Update go-discover (#2157)

* update go-discover so we're not pulling in a version of tencent cloud
that no longer exists

* Update go discover to latest

* add helm chart values to configure global server side rate limiting (#2170)

* add helm chart values to configure global server side rate limiting

* add changelog.

* update server checksum for configmap

* fix the other 2 checksums

* Disable DNS redirection when tproxy is disabled (#2176)

* Disable DNS redirection when tproxy is disabled

DNS redirection and the various settings that make that possible (like
the dataplane binding to a port for DNS) is only useful if tproxy is
enabled. Most of the code checked if tproxy was enabled but there
was one location where we didn't check. This resulted in a bug
with our multiport support where even though tproxy is disabled,
we tried to setup the dataplane to proxy DNS. This meant each dataplane
tried to bind to 8600 but because there are >1 dataplanes with
multiport, there was a port conflict.

This PR fixes the location where we didn't check if tproxy was enabled
and as a result fixes the multiport issue.

* Fix tests (#2181)

* [API Gateway] Add stub acceptance test (#2185)

* Update consul image so that acceptance tests run (#2189)

* API Gateways for Consul on Kubernetes `BETA` (#2152)

* Add API Gateway subcommand to Control Plane.
Co-authored-by: Thomas Eckert <[email protected]>

* Add GatewayClassConfig CRD (#2036)

* Update dependencies so that CRDs can be added

* Generate CRD for GatewayClassConfig

* Return empty logger instead of nil due to dependency update

* Update sidecar webhook to use ProbeHandler instead of Handler

* Update controller sub resources to use sub resource update options

* Re-add copyright header that got removed on generation

* Use NewTestLogger and ProbeHandler in tests

* Add api_gateway_types_test

* Remove boilerplate from ctrl-generate as it is no longer required

* Add app-copyright-header to Makefile

* Clarify GatewayClassConfig description

* Remove unneeded fields from GatewayClassConfig

* Fix lint issues

* Fix TestLogger in enterprise tests

* Add Changelog

* Fix TestLogger in enterprise test in one more place

* Remove the helpers

* Remove unused consts

* Adds API Gateway Class Config controller

* Add Hack for Generating CRDs from external sources (#2060)

* Add generate-external-crds to Makefile

* Add contributing docs

* Add comment about Helm ignoring kustomization.yaml

* Update Makefile

Co-authored-by: Luke Kysow <[email protected]>

* Update CONTRIBUTING.md

Co-authored-by: Nathan Coleman <[email protected]>

---------

Co-authored-by: Luke Kysow <[email protected]>
Co-authored-by: Nathan Coleman <[email protected]>

* Remove the api-gateway subcommand we decided not to use (#2062)

* APIGW Resource Translation (#2070)

* WIP: api-gateway resource conversion

* convert meta for apigw from k8s

* Added tests and updated config entry translation for APIGW

* Fix linting issue, move translation code to correct location

* Updates from PR comments

* Update config entry translation to use k8s type NamedNamespace, updated
tests

* switch to standard import rename for consul api

* Add GatewayClass Controller (#2055)

* Add permissions to connect-inject clusterrole

* Add gateway api crd deps

* Stub out the gatewayclass controller

* Add finalizer functions

* Use finalizer functions

* Add tests for GatewayClass Controller

* Change the controller name

* Only register gwv1beta1

* Run tests in parallel

* Remove RBAC comments

* Remove perms from resources not yet implemented

* shouldUpdate -> expectedDidUpdate

* Don't requeue if in use

* Address PR feedback

* Apply suggestions from code review

Co-authored-by: Andrew Stucki <[email protected]>

* Make gatewayClassFinalizer private

* Separate out indexers

* Move validation of parametersRef to a helper func

* Add reason to ensureStatus

* Rename GatewayClassReconciler -> GatewayClassController

* Add perms to list gateways

* Clean up status conditions

* Clean up indexes

* Set conditions properly and test them

* Test incorrect parametersRef

* Fix comments on indexer funcs

* Fix lint issues

* Set conditions without unnecessary updates

* Set ObservedGeneration from parent object

* Fix infinite loop issue with invalid config

* Fix update issue

* Return error if the GatewayClass cannot be reached

---------

Co-authored-by: Andrew Stucki <[email protected]>

* Updates GatewayClassConfig Controller to use common finalizer methods

* APIGW4CONK8S: HTTP Route/TCPRoute/Secrets Translation (#2088)

* Add http route translation

* Added copywrite headers

* Add namespace translation for service

* handle potential nil pointer on section name, check if parent ref if an
api gateway, fix comment from PR Review

* Added TCPRoute Translation

* Fix potential nil pointer deref in tcp service namespace, update
tcproute tests

* Add inline certs translation, clean up some potential nil pointer
derefs

* Clean up comments

* Linting

* Switch out env var usage for field on translator

* rename api-gateway/consul package to api-gateway/translation

* Adds stub for Gateway Controller

* Use the non-deprecated logr test (#2125)

* APIGW4CONK8s: Add Consul Cache (#2118)

* Added basic cache functionality with most tests, todo: add get method
for cache and expand tests

* Updated tests for Cache.Run function, removed tests of unexported
methods called by Run function

* Moved translation function def to translation package, added translate
apigw config entry

* Add translation for consul config entries to k8s namespaced name meta

* Added Get method to cache

* Add watch for controller and setup in inject command

* Updated comments, renamed TranslateConsulInlineSecret method to
TranslateConsulInlineCertificate

* Updates from PR review

* Parallelize tests

* Bump consul api version

* Set api timeout for cache calls

* Revert "Bump consul api version"

This reverts commit c074b0f749d891f78ddff86b3a7eb62ba1e52a17.

* Linting fun

* Add Gatekeeper for managing gateway deployment resources (#2117)

* Stub out the gatewayclass controller

* Change the controller name

* Only register gwv1beta1

* Address PR feedback

* Adds stub of Gateway Controller

* cannot understand why the indexes are not working

* some updates, want to do cleanup

* rebase and cleanup

* Start adding deployer

* Flesh out tests

* Refactor into a "gatekeeper"

* Integrate the gatekeeper into the gateway controller

* Simplify the api

* Remove the creation of helm config until later

* Remove use and rename package to gatekeeper

* Add labels to apigateway

* Manage ServiceAccount

* Manage Deployment

* Add more to deployment

* Update Helm Values

* WIP fleshing out the gateway deployment upsert behavior

* Update role and service

* Fix merge conflicts

* Round out tests

* Add test for respecting replicas

* Change the Gatekeeper New API and add comments for Upsert and Delete

* implement joinResources

* accept suggestions from @jm96441n

* Use pointer receivers

* Separate out mutator

* Update deployment correctly

* Update Role and ServiceAccount

* Fix that silly linting error

* Comments on HelmConfig

* Add Image to deployment

* Merge api-gateway into branch

---------

Co-authored-by: Melisa Griffin <[email protected]>

* Net 3490/reference grants (#2122)

* Adds reference grant validation

* Adds all necessary methods and tests

* lint

* some cleanup, fix copypasta test errors

* lint

* more linting

* PR updates, fix capitalization

* Add a bunch of TODOs for teamwork

* Split out cleanup func and clear up todos

* APIGW4CONK8S: Serialize the GatewayClassConfig onto the Gateway for easier retrieval (#2126)

* Add serialization of gateway class config

* Parallelize tests

* Remove prints, fix cache tests

* Add outer managed check to ensure we don't fetch config if we don't need
to

* Stub out where the openshift role info will go (#2145)

* APIGW4CONK8S: Function to get all refs for a gateway (#2139)

* Added function to get all refs for a gateway

* Use k8s objects for references rather than consul objects

* Fix comment

* [API Gateway] API Gateway Binding Logic (#2142)

* initial commit

* Add additional TODO

* Add some basic lifecycle unit tests

* split up implementation

* Add more tests and fix some bugs

* remove one parallel call in a loop

* Fix binding

* Add resolvedRefs statuses for routes

* Fix issue with empty parent ref that k8s doesn't like

* Fix up updates/status ordering

* Add basic gateway status setting

* Finish up first pass on gateway statuses

* Re-organize and begin adding comments

* More comments

* More comments

* More comments

* More comments

* More comments

* Add file that wasn't saved

* Add utils unit tests

* Add more tests

* Final tests

* Fix tests

* Fix up gateway annotation with binding logic

* Update doc comments for linter

* Add forgotten file

* Fix block in tests due to buffered channel size and better handle context cancelation

* Add basic acceptance tests for route binding behavior (#2161)

* Configure Gateway Controller with Helm values (#2158)

* Stub out the gatewayclass controller

* Change the controller name

* Only register gwv1beta1

* Address PR feedback

* Adds stub of Gateway Controller

* cannot understand why the indexes are not working

* some updates, want to do cleanup

* rebase and cleanup

* Start adding deployer

* Flesh out tests

* Refactor into a "gatekeeper"

* Integrate the gatekeeper into the gateway controller

* Simplify the api

* Remove the creation of helm config until later

* Remove use and rename package to gatekeeper

* Add labels to apigateway

* Manage ServiceAccount

* Manage Deployment

* Add more to deployment

* Update Helm Values

* WIP fleshing out the gateway deployment upsert behavior

* Update role and service

* Fix merge conflicts

* Round out tests

* Add test for respecting replicas

* Change the Gatekeeper New API and add comments for Upsert and Delete

* implement joinResources

* accept suggestions from @jm96441n

* Use pointer receivers

* Separate out mutator

* Update deployment correctly

* Update Role and ServiceAccount

* Fix that silly linting error

* Comments on HelmConfig

* Add Image to deployment

* Add Gateway flags to inject-connect

* Pass through env vars

* Add environment variables to the deployment template

* Add conditional injection of environment variables

* Add env vars back in

* Fix up issues from merge

* Test default env vars

* Test all of the env vars

* Fix up more issues from merge

* Pass in values to HelmConfig then to Controller

* Just pass config in as a struct

* Add gateway-gatewayclass

* Add gateway-gatewayclassconfig

* Add DeploymentSpec to GatewayClassConfig

* Remove deployment configuration settings from HelmConfig

* Remove BATs on deployment configuration

* Expand gatewayclassconfig

* Set deployment replicas in test

* Place GatewayClassConfig in the crds/ dir

* Update control-plane/api-gateway/gatekeeper/gatekeeper_test.go

Co-authored-by: Andrew Stucki <[email protected]>

---------

Co-authored-by: Melisa Griffin <[email protected]>
Co-authored-by: Andrew Stucki <[email protected]>

* Net 4124/handle syncing consul lifecycle events (#2173)

* with type switch

* latest changes

* remove debugging panic

* Updated error in test

* Fix bug with capacity v length in the cache list and type that is being
subscribed to

* Fix linting issues/naming from PR review

* Added tests for delete function

* Plumbing for gatekeeper with snapshot

* [API Gateway] Hooking up API Gateways End-to-End (#2175)

* updated gatekeeper, added update call, still needs work

* still has some print statements, seeing issues with updates

* some linting

* run ctrl-manifests and generate

* get the whole gamut finally working in a minimum configuration

* Fix up tests

* Add some tests

* Move cache package

* Fix up tests after other fixes

* Fix up test lifecycle

* Fix up linter issues

* Remove unnecessary test that panics

* Add MeshService CRD

* fix bats tests

* bats bats bats

* baaaatttss

* Fix up acceptance test cleanup by introducing uninstall hook to cleanup managed GatewayClass and GatewayClassConfig resources

* Add test for deletion failures due to finalizers

* reorder commands

---------

Co-authored-by: Melisa Griffin <[email protected]>

* Fix crd loading (#2179)

* Fix CRD loading for CLI

* Adds crds directory to install with consul-k8s cli

* fix tests

* testing

* fix bats tests

---------

Co-authored-by: Thomas Eckert <[email protected]>
Co-authored-by: Andrew Stucki <[email protected]>

* Add Changelog

* Fix up issues after merge back

* Fix wildcard usage on enterprise

* Don't subscribe to peerings when not enabled

* Remove additional changelog entries since we're only going to use 1

---------

Co-authored-by: Melisa Griffin <[email protected]>
Co-authored-by: Luke Kysow <[email protected]>
Co-authored-by: Nathan Coleman <[email protected]>
Co-authored-by: John Maguire <[email protected]>
Co-authored-by: Andrew Stucki <[email protected]>
Co-authored-by: Melisa Griffin <[email protected]>

* Update consul image on prepare-dev and prepare-release (#2180)

Update consul image on prepare-dev and prepare-release

* Fix dev mode on main (#2193)

* Fix CVEs by updating controller-runtime (#2183)

* Bump version of controller runtime

* Use SubResourceUpdateOption

* Fix test loggr

* Fix ProbeHandler

* Set runtime to 0.14.6

* Add Changelog

* Fix up a few more breaking change issues

* Adding support for idleTimeout in Service Router spec (#2156)

* Adding support for idleTimeout in Service Router spec

* Changelog: add support for idleTimeout in Service Router config (#2200)

* add changelog

* build(deps): update controller UBI base to 9.2 (#2204)

* inject envoy_telemetry_bind_socket_dir proxy config when telemetry collector is enabled (#2143)

* inject envoy_telemetry_bind_socket_dir proxy config when telemetry collector is enabled

* use metrics.enableTelemetryCollector value to gate controller logic

* add changelog entry and unit test

* update cloud preset to enable telemetry collector (#2205)

* Consul Telemetry acceptance test (#2195)

* Fix bug on service intention CRDs causing source partitions and namespaces not to be compared. (#2194)

This bug means that swapping partitions and namespaces on sources wouldn't get
reflected in Consul.

* Add CRD for jwt-provider config entry (#2209)

* Add CRD for jwt-provider config entry
* Pin consul/api to versions containing the jwt-provider config entry
* Update Makefile to use v0.10.0 of sigs.k8s.io/controller-tools/cmd/controller-gen

* API Gateway tenancy tests + fixes (#2201)

* Initial scaffolding

* Fix up some infinite reconciliation issues and initial other bugs

* overhaul

* get basic e2e working again

* Add resource ref validation

* Fix up namespace/reference grants

* fix binding

* clean up logging

* cleanup

* Get some binder unit tests working again

* log guard

* Fix unit test

* Fix up more binder tests

* get more binder tests working

* finish binder tests

* fix setter test

* light touches and un-bak passing tests

* Remove controller test as the wiring of deployments is predominantly tests via acceptance tests

* Update reference grant tests

* fix linter issues

* fix acceptance test linters

* Fix validation tests

* Fix up consul cache tests

* fixing up a few more tests

* Finish up translation test work

* Fix last bit of tests

* Update ServiceIntentions CRD for JWT auth (#2213)

* Fix setting args for the telemetry-collector (#2224)

* Fix setting args for the telemetry-collector

Either the docker container or the execution method for the
telemetry-collector is making the args not get included on the process.
Switch to putting it directly in the command so we can ensure this works
as expected

* Fix bats test

* Fix telemetry collector issue and fix for bat test (#2223)

* Get consul-dataplane image from helm chart (#2232)

* Add acceptance test cleanup for API Gateway resources (#2237)

* improve code readability and fix flaky tests re acl token generation (#2210)

* Increase timeout and backoff for retry on flaky test (#2242)

* Add fake demo/crds to get around that expectation in chart install (#2245)

* NET-4285 add check for pointer (#2246)

* Persist virtual-ips for intentions / service-defaults. (#2222)

* Allow API Gateways to bind to privileged ports (#2253)

* API Gateway lifecycle acceptance tests (#2248)

* initial test

* More lifecycle work

* functional lifecycle tests

* acceptance: extend api gateway lifecycle test retryCheck timeouts (#2256)

To reduce the likelihood of flakes.

* api-gateway: create RoleBinding attaching Role to ServiceAccount (#2252)

* Create RoleBinding attaching Role to ServiceAccount

* Update ClusterRole for controller to allow management of RoleBindings

* Separate logic for RoleBinding management from logic for Role

* Use pointer receiver for all functions on Gatekeeper struct

* Use more descriptive name for NamespacedName arg on delete

* Clean up missed code in cherrypick

* Remove out-of-scope TODO

* Make Upsert docstring more robust, explaining dependency ordering

* Add RoleBindings to unit tests for Gatekeeper

* Add missing resources to kustomization.yaml (#2255)

* Add missing JWT provider resource to kustomization.yaml
- Add missing assertions for JWT provider too.
* Add OSS tests for exported-services

* Fix Gateway trigger for when secret is modified (#2261)

* Fix Gateway trigger for when secret is modified

* Add some simple unit tests

* up some testing timeouts for acceptance tests

* Add CRD for ControlPlane RequestLimits (#2166)

* Update casing of json tag for ServiceDefault field (#2266)

* Add the endpoint ignoring logic for triggering gateway reconciliation (#2227)

* [COMPLIANCE] Add Copyright and License Headers (#2271)

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>

* Add additional helm hook for resource management (#2259)

* Add additional helm hook for resource management

* Move GatewayClassConfig CRD to templates

* Add CRDs to templates

* Add value to values.yaml

* Remove GatewayClass and GatewayClassConfig bats

* Fix CRD ExportedServices

* Change -release to -release-name on gateway-resources subcommand

* switch to pointer to avoid lock copy for linter

* Move forcible test cleanup to before helm delete since it will now drop CRDs

* adjust cleanup logic since it looks like the testing framework sometimes uninstalls the helm chart early

* Fix cli unit test and drop CRD reading data since it's no longer embedded in the CLI

* Add BATs for Gateway CRDs

* Add BATs for Gateway Resources

* Update Contributing

---------

Co-authored-by: Thomas Eckert <[email protected]>

* Add missing entries to main CHANGELOG (#2275)

* Fixing changelog for 2195 (#2277)

* [API Gateway] Add external consul servers test (#2270)

* [API Gateway] Add external consul servers test

* Fix up releaseName usage on CLI-based tests to mirror helm-based tests

* Add check for timeout error (#2280)

* Add Consul status to routes and gateways (#2281)

* Update alpine to 3.18 to fix CVE-2023-2650 (#2284)

* Update alpine to 3.18

* Remove check for reference grant for route to gateway (#2283)

* Remove check for reference grant for route to gateway

* Fix tenancy tests

* Final cleaning up of acceptance test

* [API Gateway] Add partition test (#2278)

* Add partition test

* drop superfluous sprintf

* fix linter issue on acceptance test

* Add predicated watch for pods

* Update memory defaults for connect inject controller (#2249)

* Update memory defaults for connect inject controllers

* Add changelog entry

* Bump up Consul server statefulset memory defaults too

* Mw/fix pipeline 1 1 6 (#2282)

* update eks and aks to use latest kubernetes version

* updated the terraform provider as some fields were deprecated

* Add bug to changelog so that go-changelog works (#2276)

* Fix retry loops that use `t` (#2311)

* Add FIPS builds (#2165)

* Add FIPS builds for linux amd64

* add version check

* fix CI labels and add local dev commands

* fix ci version tagging

* switch to ubuntu 20.04

* add CLI version tag

* add gcompat for alpine glibc cgo compatibility

* remove FIPS version check from connect-init

* address comments

* activated weekly acceptance tests for 1-2-x (#2315)

- making this trigger nightly until after 1.2.0 GA
- leaving 0.49.x active until after 1.2.0 GA

* Net 4230/add tcp to basic acceptance test (#2297)

* first run through, needs help

* still need to make secure pass

* left something uncommented

* it works and also cleanup

* fix acceptance tests

* [API Gateway] Add acceptance test for cluster peering (#2306)

* [API Gateway] Add acceptance test for cluster peering

* Fix linter

* Fix random unrelated linter errors to get CI to run: revert later?

* one more linter fix to later probably revert

* more linter fixes

* Revert "more linter fixes"

This reverts commit 6210dff0e51bbcf2f754f6d666c08292ba958aaa.

* Revert "one more linter fix to later probably revert"

This reverts commit 030c563bbe0b0a9ef73b33cbea32464416156d8f.

* Revert "Fix random unrelated linter errors to get CI to run: revert later?"

This reverts commit fdeccabb2f6c4418168cad9be5b2459435b7e30b.

* Mw/net 3598 update kind for consul k8s acceptance tests with latest version of kind and k8s 1.27 (#2304)

* update cloud tests to use 1.24, 1.25 and 1.26 version of kubernetes for more coverage

* updated readme for supported kubernetes versions

* added changelog

* [API Gateway] WAN Federation test and fixes (#2295)

* [API Gateway] WAN Federation test and fixes

* Fix unit tests

* [API Gateway] fix dangling service registrations (#2321)

* Fix when gateways are deleted before we get services populated into cache

* a bit of cleanup

* api-gateway: add unit tests verifying scaling parameters on GatewayClassConfig are obeyed (#2272)

* Add unit tests verifying that scaling parameters on GatewayClassConfig are obeyed

* Add test case for scaling w/ no min or max configured

* Rename GatewayClassController to prevent name collision (#2317)

* Rename GatewayClassController to prevent name collision

* Use gateway instead of gatewayclass in name

* Use the constant in ownership checks

* Change GatewayClass name to "consul"

* Change GatewayClass name in cases

* Change ApiGatewayClass back

* [API Gateway] Conformance Test Fixes (#2326)

* Fix SupportedKinds array to be what Conformance test expects

* Fix cert validation status condition for listeners

* Add programmed condition for listeners

* Fix unit test

---------

Co-authored-by: Nathan Coleman <[email protected]>

* pin for 1.2.x-rc latest Consul submodules (#2327)

* Ensure Reconciliation Stops (#2305)

* first pass at halting: got httproute and api-gateway done

* clean up test

* Handle all set for infinite reconcile check

* Add table tests for minimal setup

* Added some odd field names to test normalization is handled correctly

* Use funky casing http routes

* Add CRT docker changes for release workflow (#2333)

* Update var check with appropriate quotes (#2330)

* Revert "Ensure Reconciliation Stops (#2305)" (#2341)

This reverts commit 7f6e1cb5c4c2d8797944c1a3e0dcd12943f75138.

* Improvement- [NET-189] Added helm inputs for managing audit logs (#2265)

* Added helm inputs for managing audit logs
* Remove unwanted changes from values

* Set Consul service instance localities from K8s node labels (#2346)

* fix: use correct flag when translating namespaces (#2353)

* fix: use correct flag when translating namespaces

* Use non-normalized namespace when deregistering services

* Guard against namespace queries when namespaces not enabled in cache

* added imagePullPolicy for images in values.yaml (#2310)

* added imagePullPolicy for images in values.yaml

* fix: renamed pullPolicy key according to image

* fixed default always in tmpl

* changed structure of image in yaml

* revert changes

* added global imagePullPolicy

* fixed typo

* added changelog file

* [chore]: Pin github action workflows (#2356)

* ci: update backport assistant to 0.3.4 (#2365)

This brings consul-k8s in line with consul.
Most importantly, the backport assistant was updated to automatically assign created PRs to the author of the PR that is being backported.

* update changelog based on changes made to 1.2.x (#2348)

* update changelog based on changes made to 1.2.x

* fixed test cases
- enterprise cases were in the OSS test cases

* api-gateway: nightly conformance test action (#2257)

* trigger conformance tests nightly, squash

* remove extra line

* Update nightly-api-gateway-conformance.yml

* add crds for prioritize by locality (#2357)

* set everything to correct version (#2342)

making scripts more robust and removing changing helm chart

* api-gateway: fix cache and service deletion issue (#2377)

* Fix cache and service deletion issue

* Add comments

* add in acceptance test

* Fix indentation

* Fix unit test for deleting gateway w/ consul services

* Remove redundant service deregistration code

* Exit loop early once registration is found for service

* Fix import blocking

* Set status on pods added to test

* Apply suggestions from code review

* Reduce count of test gateways to 10 from 100

---------

Co-authored-by: Nathan Coleman <[email protected]>
Co-authored-by: Sarah Alsmiller <[email protected]>

* Adding support for weighted k8s service (#2293)

* Adding support for weighted k8s service

* Adding changelog

* if per-app weight is 0 then pull the weight to 1

* Addressing review comments

* Addressing review comments

* Addressing review comments

* Comment update

* Comment update

* Parameterized table test

* Parameterized table test

* fixing linting issue

* fixing linting issue

---------

Co-authored-by: srahul3 <[email protected]>

* Bumping go-discover to the latest version (#2390)

* Bumping go-discover to the latest version

* Pin Kind versions on release branches (#2384)

* pinned kind configuration for CI tests
- created a yaml file with the desired pinned versions
- created a script to read the yaml
- added a make target which can be used in CI to get the desired kind inputs/config

---------

Co-authored-by: Curt Bushko <[email protected]>

* [COMPLIANCE] Add Copyright and License Headers (#2400)

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>

* update consul-dataplane on main to use 1.2-dev (#2325)

* Acceptance test for permissive mTLS (#2378)

* Revert "added imagePullPolicy for images in values.yaml (#2310)" (#2415)

This reverts commit 285096241e0d5c5b6d53dd8a37889ab3ea5a8af2.

* update with new make targets (#2411)

- allow configuration of acceptance testing matrices

* feat(helm): add configurable server-acl-init and cleanup resource limits (#2416)

* feat(helm): add configurable server-acl-init and cleanup resource limits

* Apply suggestions from code review

Co-authored-by: Ashwin Venkatesh <[email protected]>

* bugfix yaml path

* fix bats test

---------

Co-authored-by: Ashwin Venkatesh <[email protected]>

* update redhat registry id (#2337)

* Fix auditlog config (#2434)

* Add acceptance test to test sync + ingress (#2421)

* [COMPLIANCE] Add Copyright and License Headers (#2456)

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>

* Fix GatewayClassConfig Test Timing Issue (#2409)

* Add retryCheckWithWait func

* Fix retry timing on GatewayClassConfig test

* remove redundant scale, make scale up number max + 1

* NET-4627, fix acceptance tests flake

---------

Co-authored-by: Sarah Alsmiller <[email protected]>

* always update acl policy if it exists (#2392)

* always update acl policy if it exists

* added changelog

* added unit test

* fix typo

* added some additional assertions to test

* refactored create_or_update unit test

* Proxy Lifecycle helm, connect-inject and acceptance tests (#2233)

Proxy Lifecycle helm, connect-inject and acceptance tests (#2233)

Co-authored-by: Nitya Dhanushkodi <[email protected]>

* PR breaking change release note change (#2469)

* Add breaking change to release notes

* Adds back gateway controller halting integration test (#2412)

Co-authored-by: John Maguire <[email protected]>

* api-gateway: Fix nil pointer exception panic (#2487)

* fix nil pointer exception

* add unit test

* added changelog

* delete changelog

* Use correct length for certificate RSA key for tests (#2490)

* Use correct length for certificate RSA key

* api-gateway: Fix nil pointer exception panic (#2487)

* fix nil pointer exception

* add unit test

* added changelog

* delete changelog

* Remove skip for fixed test

---------

Co-authored-by: sarahalsmiller <[email protected]>

* APIGW: Validate length of RSA Keys (#2478)

* Validate length of RSA key for inline certs

* Bring key length check functions over from consul

* move validation of key length from certificate parsing into validation
of cert

* Update to use sentinel errors

* Add changelog

* Addressing PR comments: fixing text in changelog, fixing import blocks,
slight refactor of cert validation for readability

* Ensure cert is removed from consul if an invalid one is presented

* Fix linting issues, added tests for validating keys

* add changelog for 1.2.0 dataplane and consul 1.16.0 (#2496)

* add changelog for Consul 1.16.0
* add changelog for dataplane 1.2.0

* Adds changelog values for 0.49.7 (#2501)

* ci: fix eks terraform quota error by cleaning up oidc providers (#2470)

cleans up oidc providers older than 8 hours.

* build: update versions to 1.3.0-dev (#2511)

* [COMPLIANCE] Add Copyright and License Headers (#2507)

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>

* values.yaml - replace connect with service mesh for some instances (#2516)

* fix connect/service mesh
* Update values.yaml

* docs: self service changelog instructions (#2526)

* feat: adding security context and annotations to tls and acl init/cleanup jobs (#2525)

* feat: adding security context and annotations to tls and acl init/cleanup jobs

* changelog

---------

Co-authored-by: Chinikins <[email protected]>

* NET-4813: Fix issue where virtual IP saving had insufficient ACLs. (#2520)

Fix issue where virtual IP saving had insufficient ACLs.

* reactivate proxy-lifecycle tests (#2532)

* Fix test flakes. (#2483)

* Update chart to use OSS image (#2528)

* Remove todo.txt (#2548)

* makes gateway controllers less chatty (#2524)

* HCP Observability acceptance test (#2254)

* HCP bootstrap preset to always downcase datacenter (#2551)

* Lowercase datacenter name from HCP bootstrap response

* Add test cases to cloud bootstrap

* api-gateway: when multiple listeners have the same port, only add to K8s Service once (#2413)

* Modify unit tests to include multiple listeners w/ same port

Running the tests on this commit will demonstrate the bug

* When multiple listeners have the same port, only add to K8s Service once

* Add changelog entry

* NET-4482: set route condition appropriately when parent ref includes non-existent section (#2420)

* Set route accepted condition appropriately when no listener with section name matching parent

* Adjust error message for bind errors that aren't specific to one listener

* Include section name in message for NoMatchingParent when available

* Add unit test coverage for conditions derived from binding results

* Add changelog entry

* test: update nightly tests to consul 1.17-dev (#2556)

* Update Release Scripts (#2558)

* update environment variables with CONSUL_K8s prefix
- This will let us check that we have all the environment variables set more easily with `printenv | grep "CONSUL_K8S"`

* update imageConsulDataplane without quotes
- this makes it consistent with the other images
- allows scripting to work similarly to other images

* updated utils script
- handle replace case where consul-enterprise is in the values.yaml file and charts.yaml file
- handle adding pre-release tag in changelog
- handle updating consul-dataplane

* added missing changelogs (#2565)

* added missing changelogs

* Update CHANGELOG.md for 0.49.8

---------

Co-authored-by: Curt Bushko <[email protected]>

* Refactor test framework to allow for more than two kube contexts (#2534)

* updated contributing example with new configuration lists

add new make target "kind" to makefile
* This lets us setup our standard kind environment for testing

refactor framework to take config list flags
* removed primary/secondary kube flags as this limited us to only two clusters
* added flags for kube configs, contexts and namespaces. This way we can support n clusters where n is the length of the longest list. The flags are then combined into a list of objects for use in testing

added tests for new helper methods

refactored tests
* now TestMain for multicluster check that the test arguments contain the expected number of clusters
* use helper method `env.GetSecondaryContextKey(t)` which grabs the second context in the list instead of using the defunct environment.SecondaryContextName

refactored flag test to use new config lists

refactored cli cluster to use get primary helper

added multicluster check for vault acceptance
* vault tests are multi-cluster but we weren't performing the necessary checks

* [COMPLIANCE] Add Copyright and License Headers (#2577)

Add copyright and license headers

* Consume gateway-api v0.7.1 for acceptance testing (#2578)

Changes proposed in this PR:
- Consume the same version of gateway-api for acceptance testing that
we're consuming in the control plane:

https://github.com/hashicorp/consul-k8s/blob/29b6ed36923498afc8f377455d4275653960230f/control-plane/go.mod#L42

How I've tested this PR:
- 👀 
- 🤖  tests pass

How I expect reviewers to test this PR:
- See above

Checklist:
- [ ] Tests added
- [ ] [CHANGELOG entry
added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry)

* Update to handle validation endpoints (#2580)

Changes proposed in this PR:
- add in new validation call in endpoint

How I've tested this PR:
Ran it locally and tested the changes

How I expect reviewers to test this PR:
Read the code and run the command themselves to verify: 
```
./consul-k8s/acceptance/tests/cloud && go test -run TestBasicCloud -v -p 1 -timeout 20m \
                -use-kind \
                -kubecontext="kind-dc1" \
                -consul-image hashicorppreview/consul-enterprise:1.17-dev -consul-k8s-image hashicorppreview/consul-k8s-control-plane:1.3.0-dev -consul-collector-image hashicorp/consul-telemetry-collector:0.0.1 \
                -enable-enterprise
         
```


Checklist:
- [X] Tests added
- [n/a] [CHANGELOG entry
added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry)

* test(eks): fix deprecated CSI driver terraform (#2584)

Changes proposed in this PR:
- Replacing the deprecated
[`resolve_conflicts`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon#resolve_conflicts)
with the new attributes. I don't know if we really need this setting
since it is optional and the addon has no user-defined config, but I'm
keeping this to keep the behavior consistent.

How I've tested this PR: I did not.

How I expect reviewers to test this PR: 👀 


Checklist:
- [ ] ~Tests added~
- [ ] ~[CHANGELOG entry
added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry)~

* Add a check to prevent a nil-pointer dereference on Ingress LB (#2592)

* test: remove unused workflow inputs (#2589)

Changes proposed in this PR:
- Removed unused workflow inputs.

* chore: Update actions for security (#2601)

Changes proposed in this PR:
- Update actions that are out of date

How I've tested this PR:

👀 

How I expect reviewers to test this PR:

👀 


Checklist:
- [ ] Tests added
- [ ] [CHANGELOG entry
added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry)

* [NET-4122] Doc guidance for federation with externalServers (#2583)

Add guidance for proper configuration when joining to a secondary
cluster using WAN fed with external servers also enabled.

Also clarify federation requirements and fix formatting for an unrelated
value.

Changes proposed in this PR:
- Update base content for generating Helm chart docs to clarify the use
case encountered in https://github.com/hashicorp/consul-k8s/issues/2138
- Minor additional fixes
- _Follow-up: propagate generated doc changes to `consul` and
additionally update
https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/servers-outside-kubernetes
there_

How I've tested this PR: N/A (docs only)

How I expect reviewers to test this PR: 👀 


Checklist:
- [ ] Tests added
- [ ] [CHANGELOG entry
added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry)

* Handle errors properly when services are de-registered from the catalog (#2571)

- In the past, kubernetes nodes were used as the source of truth to
determine the list of services that should exist in Consul.
- In most cases this was ok but becomes a problem when nodes are quickly
deleted from kubernetes such as the case when using spot instances.
- Instead, use consul synthetic-nodes to get the list of services and
deregister the services that do not have endpoint addresses.

---------
Co-authored-by: mr-miles <[email protected]>

* Adding support for Enterprise and other improvement on the Customizing Vault Version for WanFed Test (#2481)

* Adding support for Enterprise and other improvement on the Customizing Vault Version for WanFed Test
This is the extension of the PR -
https://github.com/hashicorp/consul-k8s/pull/2043

In this PR, the followings were addressed -

1. Now the vault enterprise version can be provided in the cli command.  The previous PR only addressed Vault OSS.
2. Two flags “-no-cleanup-wan-fed” and “test-duration” were introduced to not to cleanup the test environment after successful setup to give it time to do manual testing for features/to reproduce customer issues.  Default is 1 hour.
3. This was tested in Kind environment and it works fine.  The following was taken out to use the “use-kind” option for WanFed test.

    //if cfg.UseKind {
    //  t.Skipf("Skipping this test because it's currently flaky on kind")
    //}

* Fix indentation

* Fix unit test for deleting gateway w/ consul services

* Remove redundant service deregistration code

* Exit loop early once registration is found for service

* Fix import blocking

* Set status on pods added to test

* Apply suggestions from code review

* Reduce count of test gateways to 10 from 100

---------

Co-authored-by: Nathan Coleman <[email protected]>
Co-authored-by: Sarah Alsmiller <[email protected]>

Changes proposed in this PR:
-
-

How I've tested this PR:

How I expect reviewers to test this PR:

Checklist:
- [ ] Tests added
- [ ] CHANGELOG entry added
  > HashiCorp engineers only, community PRs should not add a changelog entry.
  > Entries should use present tense (e.g. Add support for...)

* Removing the changes in vault_namespaces_test.go

* Introducing new flag no-cleanup

* Removed "go 1.20" from go.work file

* cfg.USEKind check is added back

* Removed previously added "Test Duration" flag

* Some changes

* Some changes

* Differentiate FIPS linux package names (#2599)

* added make target for checking for hashicorppreview (#2603)

* added make target for checking for hashicorppreview

* added check to prepare-release make target

* Increase golangci-lint timeout to 10m (#2621)

This is meant to solve for recurrent timeouts in several steps,
particularly `golangci-lint-control-plane` and `golang-ci-lint-cli`.

An accompanying change in `consul-k8s-workflows` should disable caching
until the (unclear) root of the issue can be resolved, or we can disable
or clear cache in a more targeted way that solves for these cases.

* Fix TestAPIGateway_GatewayClassConfig (#2631)

* Fix TestAPIGateway_GatewayClassConfig
* Remove stray files from bad merge

* Support running with restricted PSA enforcement enabled (part 1) (#2572)

Support restricted PSA enforcement in a basic setup. This is enough to get a basic setup with ACLs and TLS working and an acceptance test passing (but does not update every component).

On OpenShift, we have the option to set the security context or not. If the security context is unset, then it is set automatically by OpenShift SCCs. However, we prefer to set the security context to avoid useless warnings on OpenShift and to reduce the config difference between OpenShift and plain Kube. By default, OpenShift namespaces have the audit and warn PSA labels set to restricted, so we receive pod security warnings when deploying Consul to OpenShift even though the pods will be able to run.

Helm chart changes:

* Add a helper to the helm chart to define a "restricted" container security context (when pod security policies are not enabled)
* Update the following container securityContexts to use the "restricted" settings (not exhaustive)

  - gateway-cleanup-job.yaml
  - gateway-resources-job.yaml
  - gossip-encryption-autogenerate-job.yaml
  - server-acl-init-cleanup-job.yaml - only if `.Values.server.containerSecurityContext.server.acl-init` is unset
  - server-acl-init-job.yaml - only if `.Values.server.containerSecurityContext.server.acl-init` is unset
  - server-statefulset.yaml:
     - the locality-init container receives the restricted context
     - the consul container receives the restricted context only if `.Values.server.containerSecurityContext.server` is unset
  - tls-init-cleanup-job.yaml - only if `.Values.server.containerSecurityContext.server.tls-init` is unset
  - tls-init-job.yaml - only if `.Values.server.containerSecurityContext.server.tls-init` is unset
  - webhook-cert-manager-deployment.yaml

Acceptance test changes:

* When `-enable-openshift` and `-enable-cni` are set, configure the CNI
  settings correctly for OpenShift.
* Add the `-enable-restricted-psa-enforcement` test flag. When this is set,
  the tests assume the Consul namespace has restricted PSA enforcement enabled.
  The tests will deploy the CNI (if enabled) into the `kube-system` namespace.
  Compatible test cases will deploy applications outside of the Consul namespace.
* Update the ConnectHelper to configure the NetworkAttachmentDefinition
  required to be compatible with the CNI on OpenShift.
* Add fixtures for static-client and static-server for OpenShift. This
  is necessary because the deployment configs must reference the network
  attachment definition when using the CNI on OpenShift.
* Update tests in the `acceptance/tests/connect` directory to either
  run or skip based on -enable-cni and -enable-openshift

* change fips delimiter to + (#2480) (#2591)

* [NET-4865] security: Upgrade Go and net/http CVE-2023-29406 (#2642)

security: Upgrade Go and net/http

Upgrade to Go 1.20.6 and `net/http` 1.12.0 to resolve CVE-2023-29406.

* Consul client always logs into the local datacenter (#2652)

The consul client always logs into the local datacenter

* Add support for requestTimeout in Service Resolver spec (#2641)

* Add support for requestTimeout in Service Resolver spec
* preserve serviceresolvers.yaml
Preserving yaml from main, only adding requesttimeout property.
* update generated.deepcopy.go
* Use latest controller-gen to generate CRDs
---------

Co-authored-by: Ashwin Venkatesh <[email protected]>

* Increase timeout for acl replication to 60 seconds and poll every 500 ms (#2656)

increase timeout for acl replication to 60 seconds and poll every 500 ms

* Update changelog to address cloud auto-join change in 1.0.0 (#2667)

* NET-4967: Fix helm install when setting copyAnnotations or nodeSelector for apiGateway (#2597)

* Support multiline nodeSelector arg

* Support multiline service annotations arg

* Update test assertions

* Add changelog entry

* Fix ordering of licence in templates (#2675)

* Mw/net 4260 phase 2 automate the k8s sameness tests (#2579)

* add kustomize files
- These reflect the different test cases
- sameness.yaml defines the ordered list of failovers
- static-server responds with a unique name so we can track failover order
- static-client includes both DNS and CURL in the image used so we can exec in for testing

* add sameness tests
- We do a bunch of infra setup for peering and partitions, but after the initial setup only partitions are tested
- We test service failover, dns failover and PQ failover scenarios

* add 4 kind clusters to make target
- The sameness tests require 4 kind clusters, so the make target will now spin up 4 kind clusters
- not all tests need 4 kind clusters, but the entire suite of tests can be run with 4

* increase kubectl timeout to 90s
- add variable for configuring timeout
- timeout was triggering locally on intel mac machine, so this timeout should cover our devs lowest performing machines

* add sameness test to test packages

* Fix comments on partition connect test

* Added logLevel field for components  (#2302)

* Added logLevel field for components

* Add changelog

* Fix tests

* Rename 2298.txt to 2302.txt

* Address comments

* Fix tests

* Fix helm tests

* Address comments

* Add client and server loglevels

* Fix bats

* Update changelog

* Fix bats tests

* Add missing tsccr entries (#2682)

* Use controller-gen 0.8.0 for CRDs (#2684)

- Add missing license headers.

* Fix ingress (#2687)

* [NET-4865] Bump golang.org/x/net to 0.12.0 in cni (#2668)

* Bump golang.org/x/net to 0.12.0 in cni

This was missed in 5b57e6340dff44157cb7a984ac7220e47849dfb9 as part of a
general upgrade of that dependency.

* Bump server-connection-manager to v0.1.3

Tidying up following CVE dependency bumps, leading to a new release of
this library.

* Fix default Ent image tag in acceptance tests (#2683)

* Fix default Ent image tag in acceptance tests

Rather than hard-coding the Docker repository and parsing the non-Ent
image tag for a version, simply replace the image name and retain other
coordinates. This is consistent with our tagging scheme introduced in
https://github.com/hashicorp/consul/pull/13541 and will allow for using
`hashicorppreview` images seamlessly regardless of whether OSS or Ent is
being tested.

* Add make target for loading images in kind

Complement other multi-cluster make targets by supporting image loading
across kind clusters.

* [NET-5146] security: Upgrade Go and `x/net` (#2710)

security: Upgrade Go and x/net

Upgrade to Go 1.20.7 and `x/net` 1.13.0 to resolve
[CVE-2023-29409](https://nvd.nist.gov/vuln/detail/CVE-2023-29409) and
[CVE-2023-3978](https://nvd.nist.gov/vuln/detail/CVE-2023-3978).

* Increase timeout while waiting for vault server to be ready (#2709)

increase timeout while waiting for server to be ready and fix require.Equal check

* Acceptance tests: increase api-gateway retries (#2716)

* Increase the retries and add config entry retries

* NET-3908: allow configuration of SecurityContextConstraints when running on OpenShift (#2184)

Co-authored-by: Melisa Griffin <[email protected]>

* Gateway privileged port mapping (#2707)

* Adds port mapping to Gateway Class Config to avoid running container on privileged ports

Co-authored-by: Nathan Coleman <[email protected]>

* Support restricted PSA enforcement part 2 (#2702)

* NET-4413 Implement translation + validation of TLS options (#2711)

* Implement validation of TLS options

* Use constants for annotation keys

* Add changelog entry

* Implement TLS options translation

* Update changelog entry

* Add unit test coverage for TLS option validation

* Code review feedback

* NET-4993 JWT auth basic acceptance test (#2706)

* JWT auth basic acceptance test

* Update to run only in enterprise mode, update comment to be correct

* Remove usage of `testing.t` in retry block

* Fixed last `t` in retry block in tests

* Update acceptance/tests/api-gateway/api_gateway_test.go

Co-authored-by: Nathan Coleman <[email protected]>

* Update acceptance/tests/api-gateway/api_gateway_test.go

Co-authored-by: Nathan Coleman <[email protected]>

* Updating filenames for gw jwt cases and adding message about why this
test is skipped

---------

Co-authored-by: Nathan Coleman <[email protected]>

* [NET-5217] Apply K8s node locality to services and sidecars (#2748)

Apply K8s node locality to services and sidecars

Locality-aware routing is based on proxy locality rather than the
proxied service. Ensure we propagate locality to both when registering
services.

* Adds changelog for release of 1.1.4 (#2754)

* Set privileged to false unless on OpenShift without CNI (#2755)

* Set privileged to false unless on OpenShift without CNI

* Update consul-enterprise-version script to add -ent (#2756)

* Automate the k8s sameness tests add peering (#2725)

* added fixtures

* removed fixtures
- intentions only gets added now if acls are enabled
- payment-service-resolver is only for locality aware which isn't in scope for this PR

* updated sameness tests to include peering
- refactored with some helper functions for members (now TestClusters)
- made names more uniform, tend more towards the cluster-01-a/cluster-02-a/etc. nomenclature

* added 4 clusters to cni make target

* disable proxy lifecycle

* Updates changelog to include 1.0.9 (#2758)

* Adds changelog for 1.2.1, reorders 1.1.4 and 1.0.9 (#2768)

* Mw/net 4260 add tproxy coverage (#2776)

* add additional tproxy static-client
- this doesn't specify an upstream so that tproxy will be able to handle routing

* add tproxy coverage
- add control-flow to handle using the virtual host name when tproxy is enabled

* [NET-2880] Add `PrioritizeByLocality` to `ProxyDefaults` CRD (#2784)

Add `PrioritizeByLocality` to `ProxyDefaults` CRD

In addition to service resolver, add this field to the CRD for proxy
defaults for parity with Consul config options.

* AKS 1.24 is deprecated, update to latest 1.25 patch (#2792)

* Net 4889 implement retry feature on the api gateway (#2735)

* squash, add support for retry loops and timeouts to api-gateway NET-4889, NET-4890

* Update .changelog/2735.txt

Co-authored-by: Andrew Stucki <[email protected]>

* clean up extra files

* delete custom struct, just use client.Object

* delete

* revert kustomization

* lint cleanups

* fix merge reversion, last bit of cleanup

---------

Co-authored-by: Andrew Stucki <[email protected]>

* Update Kustomize to use `patches` instead of `patchesStrategicMerge` (#2786)

* Fix Kustomization for cases

* Fix patches in config

* Update `Contributing`

* [NET-4498] Test locality propagation to services from k8s (#2791)

Test locality propagation to services from k8s

Verify that we propagate locality (region and zone) from standard k8s
annotations to services registered by consul-k8s.

This will later be expanded to exercise multi-cluster locality-based
failover.

* Use Kubernetes 1.25 on AKS (#2801)

* Point mod to main to fix build errors (#2805)

point mod to main to fix build errors

* Fix peer test flakes. (#2812)

This commit fixes an issue where the peering tests would flake due
to the fact that we were concurrently modifying a global map. It
also adds in retry logic so that the consul servers have sufficient
time to initialize before attempting to generate peering tokens.

* NET-4806: Fix ACL tokens for pods don't have pod name set (#2808)

Fix issue where tokens had missing pod name.

Prior to this commit, token descriptions would have a missing
pod name and would have the form: {pod: "default/"}
This poses issues for the endpoints controller, which will try to
parse the metadata and use it to clean up the token. Without the
pod name, consul-k8s will continually leak tokens.

* net-1776, add job lifecycle test and changes to connhelper (#2669)

* changes to connhelper, add job lifecycle test

* yaml fixes

* move around job yaml files, update grace period times

* yaml change

* timer change

* wait for job to start when deploying

* fix file paths

* Skip Lifecycle Test on t-proxy

---------

Co-authored-by: Thomas Eckert <[email protected]>

* Net 1784 inject sidecar first (#2743)

* change container creation order.

Change order of container creation so that envoy container is created before app container.

* change tests to fit proxy container added first

* add sidecar first iff lifecycle enabled

* update tests to include/exclude lifecycle

* container ordering in multiport + lifecycle, test case

* create changelog

* change exec calls to specify container

specify containers when exec'ing

* Update 2743.txt

* small fixes to appending sidecar

* Add readOnlyRootFilesystem to security context (#2771) (#2789)

* Add readOnlyRootFilesystem to security context (#2771)

---------

Co-authored-by: mr-miles <[email protected]>
Co-authored-by: Paul Glass <[email protected]>

* feat: func to create V2 resource client (#2823)

* feat: add helm value for consul resource-apis experiment (#2800)

* feat: add helm value for consul resource-apis experiment

* Apply suggestions from code review

Co-authored-by: John Murret <[email protected]>

* PR feedback part 2

---------

Co-authored-by: John Murret <[email protected]>

* add sameness testing performance enhancement (#2822)

* NET-5186 Add NET_BIND_SERVICE capability to Consul's restricted securityContext (#2787)

* Add NET_BIND_SERVICE capability to Consul's restricted securityContext

* Add changelog entry

* Update related bats tests

* Change type of release note

* Added tests for partition dns/pq (#2816)

* Added tests for partition dns/pq
- did some light refactoring

* Mw/net 4888 add namespace tests failover wan fed (#2797)

* added fixtures

* modified connHelper Create Intention
- Function can now take optional intention ops. For now just supports overriding the source/destination namespaces

* added WAN Federation test
- split out into own test because TestWANFederation also does some PSA related tests. Didn't want to change this test too much, and my test requires consul-k8s mirroring
- added new test TestWANFederationFailover which tests some failover scenarios, including to different namespaces and datacenters

* refactored connHelper to use opts

* fix: lifecycle enabled iptables mismatch (#2842)

* refactor: make space for v2 controllers (#2832)

refactor: make space for v2 controllers

* build: update SDK version to use commit from (#2846)

* Revert "Add readOnlyRootFilesystem to security context (#2771)" (#2847)

Revert "Add readOnlyRootFilesystem to security context (#2771) (#2789)"

This reverts commit b75d8034b96ae1e21c0cca66ad5ee9a63af20505.

* Fix issue where CLI install test was running Tproxy manually (#2843)

* Configure Gateway Deployment Resources (#2723)

* Update comments on Deployment

* Move resources into managedGatewayClass

* Add resource configuration to GatewayClassConfig

* Regenerate CRDs

* Pass resource configuration into the gateway-resources-job

* Pull in resources from GatewayClassConfig

* Add flag for resources in `gateway-resources` subcommand

* Clean up some comments in existing code

* Add gateway-resources configmap

* Load configmap into gateway-resources job

* Load resources from json

* Update CRDs

* Read resources in from the configmap

* Add BATs for Gateway Resources Configmap

* Add Changelog

* Fix unquoted value in BATs

* Fix how resources.json is read

* Fix BATs errors for real

* Fix seg fault bug

* Fix reading of resources file

* Quote "$actual"

* Fix zsh/sh differences in BATs

* Update control-plane/api-gateway/common/helm_config.go

Co-authored-by: Nathan Coleman <[email protected]>

* Move resources into DeploymentSpec

* Remove extra split in crds

---------

Co-authored-by: Nathan Coleman <[email protected]>

* correct prometheus port and scheme annotations if tls is enabled (#2782)

* correct prometheus port and scheme annotations if tls is enabled

* Adds missing fields for PassiveHealthCheck on IngressGateway and ServiceDefault CRDs (#2796…