* Add FIPS builds for linux amd64

* add version check

* fix CI labels and add local dev commands

* fix ci version tagging

* switch to ubuntu 20.04

* add CLI version tag

* add gcompat for alpine glibc cgo compatibility

* remove FIPS version check from connect-init

* address comments

- making this trigger nightly until after 1.2.0 GA
- leaving 0.49.x active until after 1.2.0 GA

* first run through, needs help

* still need to make secure pass

* left something uncommented

* it works and also cleanup

* fix acceptance tests

* [API Gateway] Add acceptance test for cluster peering

* Fix linter

* Fix random unrelated linter errors to get CI to run: revert later?

* one more linter fix to later probably revert

* more linter fixes

* Revert "more linter fixes"

This reverts commit 6210dff.

* Revert "one more linter fix to later probably revert"

This reverts commit 030c563.

* Revert "Fix random unrelated linter errors to get CI to run: revert later?"

This reverts commit fdeccab.

…ersion of kind and k8s 1.27 (#2304)

* update cloud tests to use 1.24, 1.25 and 1.26 version of kubernetes for more coverage

* updated readme for supported kubernetes versions

* added changelog

* [API Gateway] WAN Federation test and fixes

* Fix unit tests

* Fix when gateways are deleted before we get services populated into cache

* a bit of cleanup

…assConfig are obeyed (#2272)

* Add unit tests verifying that scaling parameters on GatewayClassConfig are obeyed

* Add test case for scaling w/ no min or max configured

* Rename GatewayClassController to prevent name collision

* Use gateway instead of gatewayclass in name

* Use the constant in ownership checks

* Change GatewayClass name to "consul"

* Change GatewayClass name in cases

* Change ApiGatewayClass back

* Fix SupportedKinds array to be what Conformance test expects

* Fix cert validation status condition for listeners

* Add programmed condition for listeners

* Fix unit test

---------

Co-authored-by: Nathan Coleman <[email protected]>

* first pass at halting: got httproute and api-gateway done

* clean up test

* Handle all set for infinite reconcile check

* Add table tests for minimal setup

* Added some odd field names to test normalization is handled correctly

* Use funky casing http routes

This reverts commit 7f6e1cb.

* Added helm inputs for managing audit logs
* Remove unwanted changes from values

* fix: use correct flag when translating namespaces

* Use non-normalized namespace when deregistering services

* Guard against namespace queries when namespaces not enabled in cache

* added imagePullPolicy for images in values.yaml

* fix: renamed pullPolicy key according to image

* fixed dafault always in tmpl

* changed structure of image in yaml

* revert changes

* added global imagePullPolicy

* fixed typo

* added changelog file

This brings consul-k8s in line with consul.
Most importantly, the backport assistant was updated to automatically assign created PRs to the author of the PR that is being backported.

* update changelog based on changes made to 1.2.x

* fixed test cases
- enterprise cases were in the OSS test cases

* trigger conformance tests nightly, squash

* remove extra line

* Update nightly-api-gateway-conformance.yml

making scripts more robust and removing changing helm chart

* Fix cache and service deletion issue

* Add comments

* add in acceptance test

* Fix indentation

* Fix unit test for deleting gateway w/ consul services

* Remove redundant service deregistration code

* Exit loop early once registration is found for service

* Fix import blocking

* Set status on pods added to test

* Apply suggestions from code review

* Reduce count of test gateways to 10 from 100

---------

Co-authored-by: Nathan Coleman <[email protected]>
Co-authored-by: Sarah Alsmiller <[email protected]>

* Adding support for weighted k8s service

* Adding changelog

* if per-app weight is 0 then pull the weight to 1

* Addressing review comments

* Addressing review comments

* Addressing review comments

* Comment update

* Comment update

* Parameterized table test

* Parameterized table test

* fixing linting issue

* fixing linting issue

---------

Co-authored-by: srahul3 <[email protected]>

* Bumping go-discover to the lastest version

* pinned kind configuration for CI tests
- created a yaml file with the desired pinned versions
- created a script to read the yaml
- added a make target which can be used in CI to get the desired kind inputs/config

---------

Co-authored-by: Curt Bushko <[email protected]>

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>

This reverts commit 2850962.

- allow configuration of acceptance testing matrices

…its (#2416)

* feat(helm): add configurable server-acl-init and cleanup resource limits

* Apply suggestions from code review

Co-authored-by: Ashwin Venkatesh <[email protected]>

* bugfix yaml path

* fix bats test

---------

Co-authored-by: Ashwin Venkatesh <[email protected]>

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>

* Add retryCheckWithWait func

* Fix retry timing on GatewayClassConfig test

* remove redundant scale, make scale up number max + 1

* NET-4627, fix acceptance tests flake

---------

Co-authored-by: Sarah Alsmiller <[email protected]>

* always update acl policy if it exists

* added changelog

* added unit test

* fix typo

* added some additional assertions to test

* refactored create_or_update unit test

Proxy Lifecycle helm, connect-inject and acceptance tests (#2233)

Co-authored-by: Nitya Dhanushkodi <[email protected]>

* Add breaking change to release notes

Co-authored-by: John Maguire <[email protected]>

* fix nil pointer exception

* add unit test

* added changelog

* delete changelog

* Use correct length for certificate RSA key

* api-gateway: Fix nil pointer exception panic (#2487)

* fix nil pointer exception

* add unit test

* added changelog

* delete changelog

* Remove skip for fixed test

---------

Co-authored-by: sarahalsmiller <[email protected]>

* Validate length of RSA key for inline certs

* Bring key length check functions over from consul

* move validation of key length from certificate parsing into validation
of cert

* Update to use sentinel errors

* Add changelog

* Addressing PR comments: fixing text in changelog, fixing import blocks,
slight refactor of cert validation for readability

* Ensure cert is removed from consul if an invalid one is presented

* Fix linting issues, added tests for validating keys

* add changelog for Consul 1.16.0
* add changelog for dataplane 1.2.0

cleans up oidc providers older than 8 hours.

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>

…2516)

* fix connect/service mesh
* Update values.yaml

…anup jobs (#2525)

* feat: adding security context and annotations to tls and acl init/cleanup jobs

* changelog

---------

Co-authored-by: Chinikins <[email protected]>

…2520)

Fix issue where virtual IP saving had insufficient ACLs.

* Lowercase datacenter name from HCP bootstrap response

* Add test cases to cloud bootstrap

…K8s Service once (#2413)

* Modify unit tests to include multiple listeners w/ same port

Running the tests on this commit will demonstrate the bug

* When multiple listeners have the same port, only add to K8s Service once

* Add changelog entry

…non-existent section (#2420)

* Set route accepted condition appropriately when no listener with section name matching parent

* Adjust error message for bind errors that aren't specific to one listener

* Include section name in message for NoMatchingParent when available

* Add unit test coverage for conditions derived from binding results

* Add changelog entry

* update environment variables with CONSUL_K8s prefix
- This will let us check that we have all the environment variables set more easily with `printenv | grep "CONSUL_K8S"`

* update imageConsulDataplane without quotes
- this makes it consistent with the other images
- allows scripting to work similarly to other images

* updated utils script
- handle replace case where consul-enterprise is in the values.yaml file and charts.yaml file
- handle adding pre-release tag in changelog
- handle updating consul-dataplane

* added missing changelogs

* Update CHANGELOG.md for 0.49.8

---------

Co-authored-by: Curt Bushko <[email protected]>

* updated contributing example with new configuration lists

add new make target "kind" to makefile
* This lets us setup our standard kind environment for testing

refactor framework to take config list flags
* removed primary/secondary kube flags as this limited us to only two clusters
* added flags for kube configs, contexts and namespaces. This way we can support n clusters where n is the length of the longest list. The flags are then combined into a list of objects for use in testing

added tests for new helper methods

refactored tests
* now TestMain for multicluster check that the test arguments contain the expected number of clusters
* use helper method `env.GetSecondaryContextKey(t)` which grabs the second context in the list instead of using the defunct environment.SecondaryContextName

refactored flag test to use new config lists

refactored cli cluster to use get primary helper

added multicluster check for vault acceptance
* vault tests are multi-cluster but we weren't performing the necessary checks

Add copyright and license headers

Changes proposed in this PR:
- Consume the same version of gateway-api for acceptance testing that
we're consuming in the control plane:

https://github.com/hashicorp/consul-k8s/blob/29b6ed36923498afc8f377455d4275653960230f/control-plane/go.mod#L42

How I've tested this PR:
- 👀 
- 🤖  tests pass

How I expect reviewers to test this PR:
- See above

Checklist:
- [ ] Tests added
- [ ] [CHANGELOG entry
added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry)

Changes proposed in this PR:
- add in new validation call in endpoint

How I've tested this PR:
Ran it locally and tested the changes

How I expect reviewers to test this PR:
Read the code and run the command themselves to verify: 
```
./consul-k8s/acceptance/tests/cloud && go test -run TestBasicCloud -v -p 1 -timeout 20m \
                -use-kind \
                -kubecontext="kind-dc1" \
                -consul-image hashicorppreview/consul-enterprise:1.17-dev -consul-k8s-image hashicorppreview/consul-k8s-control-plane:1.3.0-dev -consul-collector-image hashicorp/consul-telemetry-collector:0.0.1 \
                -enable-enterprise
         
```


Checklist:
- [X] Tests added
- [n/a] [CHANGELOG entry
added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry)

Changes proposed in this PR:
- Replacing the deprecated
[`resolve_conflicts`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon#resolve_conflicts)
with the new attributes. I don't know if we really need this setting
since it is optional and the addon has no user-defined config, but I'm
keeping this to keep the behavior consistent.

How I've tested this PR: I did not.

How I expect reviewers to test this PR: 👀 


Checklist:
- [ ] ~Tests added~
- [ ] ~[CHANGELOG entry
added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry)~

Changes proposed in this PR:
- Removed unused workflow inputs.

Changes proposed in this PR:
- Update actions that are out of date

How I've tested this PR:

👀 

How I expect reviewers to test this PR:

👀 


Checklist:
- [ ] Tests added
- [ ] [CHANGELOG entry
added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry)

Add guidance for proper configuration when joining to a secondary
cluster using WAN fed with external servers also enabled.

Also clarify federation requirements and fix formatting for an unrelated
value.

Changes proposed in this PR:
- Update base content for generating Helm chart docs to clarify the use
case encountered in #2138
- Minor additional fixes
- _Follow-up: propagate generated doc changes to `consul` and
additionally update
https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/servers-outside-kubernetes
there_

How I've tested this PR: N/A (docs only)

How I expect reviewers to test this PR: 👀 


Checklist:
- [ ] Tests added
- [ ] [CHANGELOG entry
added](https://github.com/hashicorp/consul-k8s/blob/main/CONTRIBUTING.md#adding-a-changelog-entry)

…og (#2571)

- In the past, kubernetes nodes were used as the source of truth to
determine the list of services that should exist in Consul.
- In most cases this was ok but becomes a problem when nodes are quickly
deleted from kubernetes such as the case when using spot instances.
- Instead, use consul synthetic-nodes to get the list of services and
deregister the services that do not have endpoint addresses.

---------
Co-authored-by: mr-miles <[email protected]>

…g Vault Version for WanFed Test (#2481)

* Adding support for Enterprise and other improvement on the Customizing Vault Version for WanFed Test
This is the extension of the PR -
#2043

In this PR, the followings were addressed -

1. Now the vault enterprise version can be provided in the cli command.  The previous PR only addressed Vault OSS.
2. Two flags “-no-cleanup-wan-fed” and “test-duration” were introduced to not to cleanup the test environment after successful setup to give it time to do manual testing for features/to reproduce customer issues.  Default is 1 hour.
3. This was tested in Kind environment and it works fine.  The following was taken out to use the “use-kind” option for WanFed test.

    //if cfg.UseKind {
    //  t.Skipf("Skipping this test because it's currently flaky on kind")
    //}

* Fix indentation

* Fix unit test for deleting gateway w/ consul services

* Remove redundant service deregistration code

* Exit loop early once registration is found for service

* Fix import blocking

* Set status on pods added to test

* Apply suggestions from code review

* Reduce count of test gateways to 10 from 100

---------

Co-authored-by: Nathan Coleman <[email protected]>
Co-authored-by: Sarah Alsmiller <[email protected]>

Changes proposed in this PR:
-
-

How I've tested this PR:

How I expect reviewers to test this PR:

Checklist:
- [ ] Tests added
- [ ] CHANGELOG entry added
  > HashiCorp engineers only, community PRs should not add a changelog entry.
  > Entries should use present tense (e.g. Add support for...)

* Removing the changes in vault_namespaces_test.go

* Introducing new flag no-cleanup

* Removed "go 1.20" from go.work file

* cfg.USEKind check is added back

* Removed previousy added "Test Duration" flag

* Some changes

* Some changes

* added make target for checking for hashicorppreview

* added check to prepare-release make target

This is meant to solve for recurrent timeouts in several steps,
particularly `golangci-lint-control-plane` and `golang-ci-lint-cli`.

An accompanying change in `consul-k8s-workflows` should disable caching
until the (unclear) root of the issue can be resolved, or we can disable
or clear cache in a more targeted way that solves for these cases.

* Fix TestAPIGateway_GatewayClassConfig
* Remove stray files from bad merge

Support restricted PSA enforcement in a basic setup. This is enough to get a basic setup with ACLs and TLS working and an acceptance test passing (but does not update every component).

On OpenShift, we have the option to set the security context or not. If the security context is unset, then it is set automatically by OpenShift SCCs. However, we prefer to set the security context to avoid useless warnings on OpenShift and to reduce the config difference between OpenShift and plain Kube. By default, OpenShift namespaces have the audit and warn PSA labels set to restricted, so we receive pod security warnings when deploying Consul to OpenShift even though the pods will be able to run.

Helm chart changes:

* Add a helper to the helm chart to define a "restricted" container security context (when pod security policies are not enabled)
* Update the following container securityContexts to use the "restricted" settings (not exhaustive)

  - gateway-cleanup-job.yaml
  - gateway-resources-job.yaml
  - gossip-encryption-autogenerate-job.yaml
  - server-acl-init-cleanup-job.yaml - only if `.Values.server.containerSecurityContext.server.acl-init` is unset
  - server-acl-init-job.yaml - only if `.Values.server.containerSecurityContext.server.acl-init` is unset
  - server-statefulset.yaml:
     - the locality-init container receives the restricted context
     - the consul container receives the restricted context only if `.Values.server.containerSecurityContext.server` is unset
  - tls-init-cleanup-job.yaml - only if `.Values.server.containerSecurityContext.server.tls-init` is unset
  - tls-init-job.yaml - only if `.Values.server.containerSecurityContext.server.tls-init` is unset
  - webhook-cert-manager-deployment.yaml

Acceptance test changes:

* When `-enable-openshift` and `-enable-cni` are set, configure the CNI
  settings correctly for OpenShift.
* Add the `-enable-restricted-psa-enforcement` test flag. When this is set,
  the tests assume the Consul namespace has restricted PSA enforcement enabled.
  The tests will deploy the CNI (if enabled) into the `kube-system` namespace.
  Compatible test cases will deploy applications outside of the Consul namespace.
* Update the ConnectHelper to configure the NetworkAttachmentDefinition
  required to be compatible with the CNI on OpenShift.
* Add fixtures for static-client and static-server for OpenShift. This
  is necessary because the deployment configs must reference the network
  attachment definition when using the CNI on OpenShift.
* Update tests in the `acceptance/tests/connect` directory to either
  run or skip based on -enable-cni and -enable-openshift

security: Upgrade Go and net/http

Upgrade to Go 1.20.6 and `net/http` 1.12.0 to resolve CVE-2023-29406.

The consul client always logs into the local datacenter

* Add support for requestTimeout in Service Resolver spec
* preserve serviceresolvers.yaml
Preserving yaml from main, only adding requesttimeout property.
* update generated.deepcopy.go
* Use latest controller-gen to generate CRDs
---------

Co-authored-by: Ashwin Venkatesh <[email protected]>

… ms (#2656)

increase timeout for acl replication to 60 seconds and poll every 500 ms