backport of commit 0299f95

.github/workflows/nightly-test-integrations.yml

@@ -217,7 +217,7 @@ jobs:
       # matrix.consul-version (i.e. whenever the highest common Envoy version across active
       # Consul versions changes). The minor Envoy version does not necessarily need to be
       # kept current for the purpose of these tests, but the major (1.N) version should be.
-      ENVOY_VERSION: 1.28.7
+      ENVOY_VERSION: 1.27.6
     steps:
       - name: Checkout code
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

.github/workflows/test-integrations.yml

@@ -83,7 +83,7 @@ jobs:
       contents: read
     strategy:
       matrix:
-        nomad-version: ['v1.8.3', 'v1.7.7', 'v1.6.10']
+        nomad-version: ['v1.7.7', 'v1.6.10', 'v1.5.17']
     steps:
       - name: Checkout Nomad
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
@@ -166,7 +166,7 @@ jobs:
       contents: read
     strategy:
       matrix:
-        vault-version: ["1.17.5", "1.16.3", "1.15.6"]
+        vault-version: ["1.16.2", "1.15.6", "1.14.10"]
     env:
       VAULT_BINARY_VERSION: ${{ matrix.vault-version }}
     steps:

.gitignore

@@ -71,6 +71,3 @@ terraform.rc
 /go.work
 /go.work.sum
 .docker
-
-# Avoid accidental commits of consul-k8s submodule used by some dev environments
-consul-k8s/

CHANGELOG.md

@@ -52,11 +52,11 @@ SECURITY:
 * Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [[GH-21704](https://github.com/hashicorp/consul/issues/21704)]
 * Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [[GH-21711](https://github.com/hashicorp/consul/issues/21711)]
 * UI: Remove codemirror linting due to package dependency [[GH-21726](https://github.com/hashicorp/consul/issues/21726)]
-* Upgrade Go to use 1.22.7. This addresses CVE
-  [CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-21705](https://github.com/hashicorp/consul/issues/21705)]
+* Upgrade Go to use 1.22.7. This addresses CVE 
+[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-21705](https://github.com/hashicorp/consul/issues/21705)]
 * Upgrade to support aws/aws-sdk-go `v1.55.5 or higher`. This resolves CVEs
-  [CVE-2020-8911](https://nvd.nist.gov/vuln/detail/cve-2020-8911) and
-  [CVE-2020-8912](https://nvd.nist.gov/vuln/detail/cve-2020-8912). [[GH-21684](https://github.com/hashicorp/consul/issues/21684)]
+[CVE-2020-8911](https://nvd.nist.gov/vuln/detail/cve-2020-8911) and 
+[CVE-2020-8912](https://nvd.nist.gov/vuln/detail/cve-2020-8912). [[GH-21684](https://github.com/hashicorp/consul/issues/21684)]
 * ui: Pin a newer resolution of Braces [[GH-21710](https://github.com/hashicorp/consul/issues/21710)]
 * ui: Pin a newer resolution of Codemirror [[GH-21715](https://github.com/hashicorp/consul/issues/21715)]
 * ui: Pin a newer resolution of Markdown-it [[GH-21717](https://github.com/hashicorp/consul/issues/21717)]
@@ -75,38 +75,6 @@ BUG FIXES:
 
 * jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. [[GH-21703](https://github.com/hashicorp/consul/issues/21703)]
 
-## 1.19.3 Enterprise (October 29, 2024)
-BREAKING CHANGES:
-
-* mesh: **(Enterprise Only)** Enable Envoy `HttpConnectionManager.normalize_path` by default on inbound traffic to mesh proxies. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005).
-
-SECURITY:
-
-* Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [[GH-21704](https://github.com/hashicorp/consul/issues/21704)]
-* Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [[GH-21711](https://github.com/hashicorp/consul/issues/21711)]
-* UI: Remove codemirror linting due to package dependency [[GH-21726](https://github.com/hashicorp/consul/issues/21726)]
-* Upgrade Go to use 1.22.7. This addresses CVE 
-[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-21705](https://github.com/hashicorp/consul/issues/21705)]
-* Upgrade to support aws/aws-sdk-go `v1.55.5 or higher`. This resolves CVEs
-[CVE-2020-8911](https://nvd.nist.gov/vuln/detail/cve-2020-8911) and 
-[CVE-2020-8912](https://nvd.nist.gov/vuln/detail/cve-2020-8912). [[GH-21684](https://github.com/hashicorp/consul/issues/21684)]
-* mesh: **(Enterprise Only)** Add `contains` and `ignoreCase` to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).
-* mesh: **(Enterprise Only)** Add `http.incoming.requestNormalization` to Mesh configuration entry to support inbound service traffic request normalization. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005) and [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).
-* ui: Pin a newer resolution of Braces [[GH-21710](https://github.com/hashicorp/consul/issues/21710)]
-* ui: Pin a newer resolution of Codemirror [[GH-21715](https://github.com/hashicorp/consul/issues/21715)]
-* ui: Pin a newer resolution of Markdown-it [[GH-21717](https://github.com/hashicorp/consul/issues/21717)]
-* ui: Pin a newer resolution of ansi-html [[GH-21735](https://github.com/hashicorp/consul/issues/21735)]
-
-IMPROVEMENTS:
-
-* security: upgrade ubi base image to 9.4 [[GH-21750](https://github.com/hashicorp/consul/issues/21750)]
-* api: remove dependency on proto-public, protobuf, and grpc [[GH-21780](https://github.com/hashicorp/consul/issues/21780)]
-* xds: configures Envoy to load balance over all instances of an external service configured with hostnames when "envoy_dns_discovery_type" is set to "STRICT_DNS" [[GH-21655](https://github.com/hashicorp/consul/issues/21655)]
-
-BUG FIXES:
-
-* jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. [[GH-21703](https://github.com/hashicorp/consul/issues/21703)]
-
 ## 1.19.2 (August 26, 2024)
 
 SECURITY:
@@ -121,39 +89,6 @@ BUG FIXES:
 
 * api-gateway: **(Enterprise only)** ensure clusters are properly created for JWT providers with a remote URI for the JWKS endpoint [[GH-21604](https://github.com/hashicorp/consul/issues/21604)]
 
-## 1.18.5 Enterprise (October 29, 2024)
-
-Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.
-BREAKING CHANGES:
-
-* mesh: **(Enterprise Only)** Enable Envoy `HttpConnectionManager.normalize_path` by default on inbound traffic to mesh proxies. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005).
-
-SECURITY:
-
-* Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [[GH-21704](https://github.com/hashicorp/consul/issues/21704)]
-* Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [[GH-21711](https://github.com/hashicorp/consul/issues/21711)]
-* Upgrade Go to use 1.22.7. This addresses CVE 
-[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-21705](https://github.com/hashicorp/consul/issues/21705)]
-* Upgrade to support aws/aws-sdk-go `v1.55.5 or higher`. This resolves CVEs
-[CVE-2020-8911](https://nvd.nist.gov/vuln/detail/cve-2020-8911) and 
-[CVE-2020-8912](https://nvd.nist.gov/vuln/detail/cve-2020-8912). [[GH-21684](https://github.com/hashicorp/consul/issues/21684)]
-* mesh: **(Enterprise Only)** Add `contains` and `ignoreCase` to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).
-* mesh: **(Enterprise Only)** Add `http.incoming.requestNormalization` to Mesh configuration entry to support inbound service traffic request normalization. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005) and [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).
-* ui: Pin a newer resolution of Braces [[GH-21710](https://github.com/hashicorp/consul/issues/21710)]
-* ui: Pin a newer resolution of Codemirror [[GH-21715](https://github.com/hashicorp/consul/issues/21715)]
-* ui: Pin a newer resolution of Markdown-it [[GH-21717](https://github.com/hashicorp/consul/issues/21717)]
-* ui: Pin a newer resolution of ansi-html [[GH-21735](https://github.com/hashicorp/consul/issues/21735)]
-
-IMPROVEMENTS:
-
-* security: upgrade ubi base image to 9.4 [[GH-21750](https://github.com/hashicorp/consul/issues/21750)]
-* api: remove dependency on proto-public, protobuf, and grpc [[GH-21780](https://github.com/hashicorp/consul/issues/21780)]
-* xds: configures Envoy to load balance over all instances of an external service configured with hostnames when "envoy_dns_discovery_type" is set to "STRICT_DNS" [[GH-21655](https://github.com/hashicorp/consul/issues/21655)]
-
-BUG FIXES:
-
-* jwt-provider: change dns lookup family from the default of AUTO which would prefer ipv6 to ALL if LOGICAL_DNS is used or PREFER_IPV4 if STRICT_DNS is used to gracefully handle transitions to ipv6. [[GH-21703](https://github.com/hashicorp/consul/issues/21703)]
-
 ## 1.18.4 Enterprise (August 26, 2024)
 
 Enterprise LTS: Consul Enterprise 1.18 is a Long-Term Support (LTS) release.
@@ -174,35 +109,6 @@ IMPROVEMENTS:
 
 * Use Envoy's default for a route's validate_clusters option, which is false. This fixes a case where non-existent clusters could cause a route to no longer route to any of its backends, including existing ones. [[GH-21587](https://github.com/hashicorp/consul/issues/21587)]
 
-## 1.15.15 Enterprise (October 29, 2024)
-
-Enterprise LTS: Consul Enterprise 1.15 is a Long-Term Support (LTS) release.
-BREAKING CHANGES:
-
-* mesh: **(Enterprise Only)** Enable Envoy `HttpConnectionManager.normalize_path` by default on inbound traffic to mesh proxies. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005).
-
-SECURITY:
-
-* Explicitly set 'Content-Type' header to mitigate XSS vulnerability. [[GH-21704](https://github.com/hashicorp/consul/issues/21704)]
-* Implement HTML sanitization for user-generated content to prevent XSS attacks in the UI. [[GH-21711](https://github.com/hashicorp/consul/issues/21711)]
-* UI: Remove codemirror linting due to package dependency [[GH-21726](https://github.com/hashicorp/consul/issues/21726)]
-* Upgrade Go to use 1.22.7. This addresses CVE 
-[CVE-2024-34155](https://nvd.nist.gov/vuln/detail/CVE-2024-34155) [[GH-21705](https://github.com/hashicorp/consul/issues/21705)]
-* Upgrade to support aws/aws-sdk-go `v1.55.5 or higher`. This resolves CVEs
-[CVE-2020-8911](https://nvd.nist.gov/vuln/detail/cve-2020-8911) and 
-[CVE-2020-8912](https://nvd.nist.gov/vuln/detail/cve-2020-8912). [[GH-21684](https://github.com/hashicorp/consul/issues/21684)]
-* mesh: **(Enterprise Only)** Add `contains` and `ignoreCase` to L7 Intentions HTTP header matching criteria to support configuration resilient to variable casing and multiple values. This resolves [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).
-* mesh: **(Enterprise Only)** Add `http.incoming.requestNormalization` to Mesh configuration entry to support inbound service traffic request normalization. This resolves [CVE-2024-10005](https://nvd.nist.gov/vuln/detail/CVE-2024-10005) and [CVE-2024-10006](https://nvd.nist.gov/vuln/detail/CVE-2024-10006).
-* ui: Pin a newer resolution of Braces [[GH-21710](https://github.com/hashicorp/consul/issues/21710)]
-* ui: Pin a newer resolution of Codemirror [[GH-21715](https://github.com/hashicorp/consul/issues/21715)]
-* ui: Pin a newer resolution of Markdown-it [[GH-21717](https://github.com/hashicorp/consul/issues/21717)]
-* ui: Pin a newer resolution of ansi-html [[GH-21735](https://github.com/hashicorp/consul/issues/21735)]
-
-IMPROVEMENTS:
-
-* security: upgrade ubi base image to 9.4 [[GH-21750](https://github.com/hashicorp/consul/issues/21750)]
-* xds: configures Envoy to load balance over all instances of an external service configured with hostnames when "envoy_dns_discovery_type" is set to "STRICT_DNS" [[GH-21655](https://github.com/hashicorp/consul/issues/21655)]
-
 ## 1.15.14 Enterprise (August 26, 2024)
 
 Enterprise LTS: Consul Enterprise 1.15 is a Long-Term Support (LTS) release.

agent/agent.go

@@ -1434,9 +1434,6 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co
 	cfg.GRPCTLSPort = runtimeCfg.GRPCTLSPort
 
 	cfg.Segment = runtimeCfg.SegmentName
-
-	cfg.RaftConfig.PreVoteDisabled = runtimeCfg.RaftPreVoteDisabled
-
 	if len(runtimeCfg.Segments) > 0 {
 		segments, err := segmentConfig(runtimeCfg)
 		if err != nil {

agent/config/builder.go

@@ -1073,7 +1073,6 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 		RaftSnapshotThreshold:             intVal(c.RaftSnapshotThreshold),
 		RaftSnapshotInterval:              b.durationVal("raft_snapshot_interval", c.RaftSnapshotInterval),
 		RaftTrailingLogs:                  intVal(c.RaftTrailingLogs),
-		RaftPreVoteDisabled:               boolVal(c.RaftPreVoteDisabled),
 		RaftLogStoreConfig:                b.raftLogStoreConfigVal(&c.RaftLogStore),
 		ReconnectTimeoutLAN:               b.durationVal("reconnect_timeout", c.ReconnectTimeoutLAN),
 		ReconnectTimeoutWAN:               b.durationVal("reconnect_timeout_wan", c.ReconnectTimeoutWAN),

agent/config/config.go

@@ -8,9 +8,8 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/mitchellh/mapstructure"
-
 	"github.com/hashicorp/hcl"
+	"github.com/mitchellh/mapstructure"
 
 	"github.com/hashicorp/consul/lib/decode"
 )
@@ -215,7 +214,6 @@ type Config struct {
 	RaftSnapshotThreshold            *int                `mapstructure:"raft_snapshot_threshold" json:"raft_snapshot_threshold,omitempty"`
 	RaftSnapshotInterval             *string             `mapstructure:"raft_snapshot_interval" json:"raft_snapshot_interval,omitempty"`
 	RaftTrailingLogs                 *int                `mapstructure:"raft_trailing_logs" json:"raft_trailing_logs,omitempty"`
-	RaftPreVoteDisabled              *bool               `mapstructure:"raft_prevote_disabled" json:"raft_prevote_disabled,omitempty"`
 	ReconnectTimeoutLAN              *string             `mapstructure:"reconnect_timeout" json:"reconnect_timeout,omitempty"`
 	ReconnectTimeoutWAN              *string             `mapstructure:"reconnect_timeout_wan" json:"reconnect_timeout_wan,omitempty"`
 	RejoinAfterLeave                 *bool               `mapstructure:"rejoin_after_leave" json:"rejoin_after_leave,omitempty"`

agent/config/default.go

@@ -146,7 +146,6 @@ func DefaultSource() Source {
 		raft_snapshot_threshold = ` + strconv.Itoa(int(cfg.RaftConfig.SnapshotThreshold)) + `
 		raft_snapshot_interval =  "` + cfg.RaftConfig.SnapshotInterval.String() + `"
 		raft_trailing_logs = ` + strconv.Itoa(int(cfg.RaftConfig.TrailingLogs)) + `
-		raft_prevote_disabled =  false
 		raft_logstore {
 			wal {
 				segment_size_mb = 64

agent/config/runtime.go

@@ -10,9 +10,8 @@ import (
 	"strings"
 	"time"
 
-	"golang.org/x/time/rate"
-
 	"github.com/hashicorp/go-uuid"
+	"golang.org/x/time/rate"
 
 	"github.com/hashicorp/consul/agent/cache"
 	"github.com/hashicorp/consul/agent/consul"
@@ -1005,9 +1004,6 @@ type RuntimeConfig struct {
 	// hcl: raft_trailing_logs = int
 	RaftTrailingLogs int
 
-	// hcl: raft_prevote_disabled = bool
-	RaftPreVoteDisabled bool
-
 	RaftLogStoreConfig consul.RaftLogStoreConfig
 
 	// ReconnectTimeoutLAN specifies the amount of time to wait to reconnect with

agent/config/runtime_test.go

@@ -6594,7 +6594,6 @@ func TestLoad_FullConfig(t *testing.T) {
 		RaftSnapshotThreshold:   16384,
 		RaftSnapshotInterval:    30 * time.Second,
 		RaftTrailingLogs:        83749,
-		RaftPreVoteDisabled:     false,
 		ReconnectTimeoutLAN:     23739 * time.Second,
 		ReconnectTimeoutWAN:     26694 * time.Second,
 		RequestLimitsMode:       consulrate.ModePermissive,

agent/config/testdata/TestRuntimeConfig_Sanitize.golden

@@ -71,7 +71,6 @@
     "AutopilotDisableUpgradeMigration": false,
     "AutopilotLastContactThreshold": "0s",
     "AutopilotMaxTrailingLogs": 0,
-
     "AutopilotMinQuorum": 0,
     "AutopilotRedundancyZoneTag": "",
     "AutopilotServerStabilizationTime": "0s",
@@ -300,7 +299,6 @@
     "RaftSnapshotInterval": "0s",
     "RaftSnapshotThreshold": 0,
     "RaftTrailingLogs": 0,
-    "RaftPreVoteDisabled": false,
     "ReadReplica": false,
     "ReconnectTimeoutLAN": "0s",
     "ReconnectTimeoutWAN": "0s",

agent/consul/server.go

@@ -53,6 +53,7 @@ import (
 	"github.com/hashicorp/consul/agent/consul/xdscapacity"
 	"github.com/hashicorp/consul/agent/grpc-external/services/peerstream"
 	"github.com/hashicorp/consul/agent/hcp"
+	"github.com/hashicorp/consul/agent/hcp/bootstrap"
 	hcpclient "github.com/hashicorp/consul/agent/hcp/client"
 	logdrop "github.com/hashicorp/consul/agent/log-drop"
 	"github.com/hashicorp/consul/agent/metadata"
@@ -64,6 +65,7 @@ import (
 	"github.com/hashicorp/consul/agent/token"
 	"github.com/hashicorp/consul/internal/controller"
 	"github.com/hashicorp/consul/internal/gossip/librtt"
+	hcpctl "github.com/hashicorp/consul/internal/hcp"
 	"github.com/hashicorp/consul/internal/multicluster"
 	"github.com/hashicorp/consul/internal/resource"
 	"github.com/hashicorp/consul/internal/resource/demo"
@@ -836,6 +838,25 @@ func NewServer(config *Config, flat Deps, externalGRPCServer *grpc.Server,
 	// to enable RPC forwarding.
 	s.grpcLeaderForwarder = flat.LeaderForwarder
 
+	if s.config.Cloud.IsConfigured() {
+		// Start watching HCP Link resource. This needs to be created after
+		// the GRPC services are set up in order for the resource service client to
+		// function. This uses the insecure grpc channel so that it doesn't need to
+		// present a valid ACL token.
+		go hcp.RunHCPLinkWatcher(
+			&lib.StopChannelContext{StopCh: shutdownCh},
+			logger.Named("hcp-link-watcher"),
+			pbresource.NewResourceServiceClient(s.insecureSafeGRPCChan),
+			hcp.HCPManagerLifecycleFn(
+				s.hcpManager,
+				hcpclient.NewClient,
+				bootstrap.LoadManagementToken,
+				flat.HCP.Config,
+				flat.HCP.DataDir,
+			),
+		)
+	}
+
 	s.controllerManager = controller.NewManager(
 		// Usage of the insecure + unsafe grpc chan is required for the controller
 		// manager. It must be unauthorized so that controllers do not need to
@@ -907,7 +928,15 @@ func NewServer(config *Config, flat Deps, externalGRPCServer *grpc.Server,
 	return s, nil
 }
 
-func (s *Server) registerControllers(_ Deps) error {
+func (s *Server) registerControllers(deps Deps) error {
+	if s.config.Cloud.IsConfigured() {
+		hcpctl.RegisterControllers(
+			s.controllerManager, hcpctl.ControllerDependencies{
+				CloudConfig: deps.HCP.Config,
+			},
+		)
+	}
+
 	shim := NewExportedServicesShim(s)
 	multicluster.RegisterCompatControllers(s.controllerManager, multicluster.DefaultCompatControllerDependencies(shim))
 

agent/consul/testdata/v2-resource-dependencies.md

@@ -7,11 +7,13 @@ flowchart TD
   demo/v1/recordlabel
   demo/v2/album
   demo/v2/artist
+  hcp/v2/link
+  hcp/v2/telemetrystate
   internal/v1/tombstone
   multicluster/v2/computedexportedservices --> multicluster/v2/exportedservices
   multicluster/v2/computedexportedservices --> multicluster/v2/namespaceexportedservices
   multicluster/v2/computedexportedservices --> multicluster/v2/partitionexportedservices
   multicluster/v2/exportedservices
   multicluster/v2/namespaceexportedservices
   multicluster/v2/partitionexportedservices
-```
+```

agent/consul/type_registry.go

@@ -4,6 +4,7 @@
 package consul
 
 import (
+	"github.com/hashicorp/consul/internal/hcp"
 	"github.com/hashicorp/consul/internal/multicluster"
 	"github.com/hashicorp/consul/internal/resource"
 	"github.com/hashicorp/consul/internal/resource/demo"
@@ -21,6 +22,7 @@ func NewTypeRegistry() resource.Registry {
 
 	demo.RegisterTypes(registry)
 	multicluster.RegisterTypes(registry)
+	hcp.RegisterTypes(registry)
 
 	return registry
 }