Backport of Add NET_BIND_SERVICE to the security context in the deployment of Mesh Gateway (NET-6463) into release/1.0.x #3567

…ityContext (#2787) * Add NET_BIND_SERVICE capability to Consul's restricted securityContext * Add changelog entry * Update related bats tests * Change type of release note

* Added tests for partition dns/pq - did some light refactoring

* added fixtures * modified connHelper Create Intention - Function can now take optional intention ops. For now just supports overriding the source/destination namespaces * added WAN Federation test - split out into own test because TestWANFederation also does some PSA related tests. Didn't want to change this test too much, and my test requires consul-k8s mirroring - added new test TestWANFederationFailover which tests some failover scenarios, including to different namespaces and datacenters * refactored connHelper to use opts

refator: make space for v2 controllers

Revert "Add readOnlyRootFilesystem to security context (#2771) (#2789)" This reverts commit b75d803.

* Update comments on Deployment * Move resources into managedGatewayClass * Add resource configuration to GatewayClassConfig * Regenerate CRDs * Pass resource configuration into the gateway-resources-job * Pull in resources from GatewayClassConfig * Add flag for resources in `gateway-resources` subcommand * Clean up some comments in existing code * Add gateway-resources configmap * Load configmap into gateway-resources job * Load resources from json * Update CRDs * Read resources in from the configmap * Add BATs for Gateway Resources Configmap * Add Changelog * Fix unquoted value in BATs * Fix how resources.json is read * Fix BATs errors for real * Fix seg fault bug * Fix reading of resources file * Quote "$actual" * Fix zsh/sh differences in BATs * Update control-plane/api-gateway/common/helm_config.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Move resources into DeploymentSpec * Remove extra split in crds --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* correct prometheus port and scheme annotations if tls is enabled

…iceDefault CRDs (#2796) Co-authored-by: Andrew Stucki <andrew.stucki@hashicorp.com>

* added check if anonymous token policy exists * changed checkIfAnonymousTokenPolicyExists impl * made consts private * added test for configureAnonymousPolicy * fixed unit test * fixed test and minor refactoring * fix typo * changed some var names * added changelog

* enable argocd * adds bats test and setting argo annotations if global.argocd.enabled = true * update comment * added change log * Update charts/consul/templates/gateway-cleanup-job.yaml Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com> * comments fixes * fix line diff * change log fix * fix comment * Update .changelog/2785.txt Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com> --------- Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com> Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>

* Update values.yaml Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>

… from Gateway Resources Jobs (#2869) * Remove and from Gateway Resources Jobs * changelog * Remove acl annotations from gateway resources unit tests

…nnect (#2880) * Reduce api-gateway logging * add changelog

* removed deprecated `patchesStrategicMerge` * fixed some extra whitespace

…eployments (#2890) Add NET_BIND_SERVICE to built-in PSPs for consul-dataplane deployments

* feat: add v2 pod controller w/ workload lifecycle

* Update values.yaml Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>

* Fix audit log parse error * Add changelog * Fix filename * Address comments

* added namespace * namespace in connect ca * updated tests * fix test desc * changelog * Update .changelog/2841.txt Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * Update charts/consul/values.yaml Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * removed new line added * fix templates * bats test * fix double colon * fix template * added 2 more tests * fixes bats tests * fix json in api gateway * updated bats test * Update charts/consul/values.yaml Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * fix client daemon set bats * fix bats test * fix bats * api gateway fix * fix bats * fix clientdaemon set and api gateway controller * fix connect inject deployment * fix mesh gateway deployment * added tests for partition init job * server acl init job tests added * fix server stateful bats * fix sync catalog * fix includes check * bats test fixes * fix connect inject * fix yaml * fix yaml * fix assertions in bats * fix client daemon set bats * Update charts/consul/values.yaml Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * Update charts/consul/templates/server-config-configmap.yaml Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * change yaml * added addional config test * fix tests * added more tests * fix bats * Update charts/consul/test/unit/server-config-configmap.bats Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * Update charts/consul/test/unit/server-config-configmap.bats Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * Update .changelog/2841.txt Co-authored-by: David Yu <dyu@hashicorp.com> * Update .changelog/2841.txt Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * added dummy commit to run CI * fix change log * fix comment --------- Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> Co-authored-by: David Yu <dyu@hashicorp.com>

…r. (#2910) Improve token fetching performance for endpoints controller. Prior to this change, the endpoints controller would list all ACL tokens in a namespace when a service instance is being deleted. This commit improves the performance by querying only the necessary subset of tokens by service-identity / service-name.

Update README.md

Implement the basic requirements of a new Endpoints controller that registers Services via Consul's V2 API. Further tests and TODOs will be addressed in follow-up changes.

* tests: Respect UseAppNamespace in ConnectHelper * tests: Auto-configure restricted PSA enforcement when enabled --------- Co-authored-by: Paul Glass <pglass@hashicorp.com>

* Fix for acceptance tests * fix accpetance test * fix spaces * fix get * added bats test * fix test name * fix bats

Update Go version to 1.20.8 This resolves several CVEs (see changelog entry).

* mesh webhook v2

…nsul config entry (#2904) * Translate response header modifier(s) from HTTPRoute onto Consul config entry * Update dependency pins to include response filter changes in consul modules * Add changelog entry * Account for response filters when determining whether an HTTPRoute change requires a sync * Stop setting empty header modifier in Consul when not present in HTTPRoute * Remove unnecessary len check * Make comments more robust for replace directives Also use same pin for `sdk` that we're using for `api` and `proto-public`

* feat: v2 mesh-init command * bugfix mesh-init test * add mesh-init args to webhook * fix: remove v2 flags from partition-init * update telemetry-collector with v2 flags * Apply suggestions from code review Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * PR feedback Part II * bugfix test * fix: endpoints v2 selector stability --------- Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* feat: add node controller * lint fix * Apply suggestions from code review Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> Co-authored-by: Michael Wilkerson <62034708+wilkermichael@users.noreply.github.com> * PR feedback Part II --------- Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> Co-authored-by: Michael Wilkerson <62034708+wilkermichael@users.noreply.github.com>

* GKE Autopilot support

Limit v2 Service port registration to L4 TCP ports Ignore non-TCP L4 ports in K8s services. This is expected behavior and also prevents unintended duplication of Service port values registered to Consul (which is not supported) when ports have multiplexed L4 traffic.

* NET-4978: New CRDs for GW JWT Auth (#2734) * Added CRDs for gateway policy and httproute auth filter * Added bats tests * Correctly configured http route auth filter extension * Small docs update for operator-sdk usage * updated docs a bit, added gateway policy CRD * removed extra crd, updated bats tests * Added changelog * Added periods for consistency * Revert unnecessary changes * make jwt requirement optional * Updated jwt config to be optional to allow for other auth types * Rename HTTPRouteAuthFilter to RouteAuthFilter * Fix typo for omitempty * finish httprouteauthfilters rename to routeauthfilters * Added target reference for gateway policies * Add period to sentence for linter * Rename APIGatewayJWT* fields to GatewayJWT* and fixed spots of renaming of HTTPRouteAuthFilter to RouteAuthFilter * Gateway policy translation NET 4980 (#2835) * squash * reset crd-gatewaypolicies * reset * reset * fix lint issues * fix nil pointer issue * checkpoint * change to resourseref key * update to pull all policies * add nil checks * more nil pointer checks for defensice programing * fix lint issue * delete comment * add unit test, fix add function * Update control-plane/api-gateway/common/translation.go Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Translate HTTPAuthFilter onto HTTPRoute (#2836) * Add function * Add RouteAuthFilterKind export * Add ServicesForRoute function * Start adding translateHTTPRouteAuth * Added translation filter to existing filter processing * Split out formatting into subfunctions * Remove original function * Remove ServicesForRoute * Change httprouteauthfilter to routeauthfilter * Reuse GatewayJWT type for Routes * Match Sarah's style for translation functions * Start adding filter tests * Wrap up test for filters * Uncomment other tests * Use existing v1alpha1 import for group * Remove old make* function * Use ConvertSliceFunc * Fix group in translation_test * Manually un-diff CRDs * cleanup * cleanup * clean up * update index function --------- Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Added validating webhook for gateway policy (#2912) * Added validating webhook for gateway policy * Change denied message to provide more information to the operator * [APIGW] Add comparison of gateway policies to diffing logic (#2939) * Fix bug in comparison of gateway policies * fix fmting * Added gateway equal test * Finished adding tests and refactored to use slices convencience functions * Reconcile Route Auth Filter changes (#2954) * Group indices by resource * Add index for HTTPRoutes referencing RouteAuthFilters * Add watch for HTTPRoutes referencing RouteAuthFilters * Add permissions to connect-inject clusterrole * Compare JWT filters for equality * Add RouteAuthFilter to resource translator * [NET-5017] APIGW Status Conditions for Gateway for JWT/Reconcile on JWTProvider Changes (#2950) * Added watches and status condition on gateway listeners for JWT validation * Only append errors if they're non-nil * Added tests for validating jwt on listener and for adding/retrieving jwt from resource map * fix fmting * Clean up from PR review * Use two value form of map access * Rename function * clean up from PR review * [NET-5017] APIGW Status Conditions for Gateway Policies (#2955) * Adding status conditions for gw policy * Fixed issue where status was not being propagated for policies * Moved code to correct places * Revert formatting * Cleaned up error creation, added validation tests * Added results tests, updated binding test * Updates from PR review: clean up comments/appends, use correct conditions for defaults * [NET-5017] APIGW Status Conditions for RouteAuthFilter and Routes wrt JWT (#2961) * NET-4978: New CRDs for GW JWT Auth (#2734) * Added CRDs for gateway policy and httproute auth filter * Added bats tests * Correctly configured http route auth filter extension * Small docs update for operator-sdk usage * updated docs a bit, added gateway policy CRD * removed extra crd, updated bats tests * Added changelog * Added periods for consistency * Revert unnecessary changes * make jwt requirement optional * Updated jwt config to be optional to allow for other auth types * Rename HTTPRouteAuthFilter to RouteAuthFilter * Fix typo for omitempty * finish httprouteauthfilters rename to routeauthfilters * Added target reference for gateway policies * Add period to sentence for linter * Rename APIGatewayJWT* fields to GatewayJWT* and fixed spots of renaming of HTTPRouteAuthFilter to RouteAuthFilter * Gateway policy translation NET 4980 (#2835) * squash * reset crd-gatewaypolicies * reset * reset * fix lint issues * fix nil pointer issue * checkpoint * change to resourseref key * update to pull all policies * add nil checks * more nil pointer checks for defensice programing * fix lint issue * delete comment * add unit test, fix add function * Update control-plane/api-gateway/common/translation.go Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Translate HTTPAuthFilter onto HTTPRoute (#2836) * Add function * Add RouteAuthFilterKind export * Add ServicesForRoute function * Start adding translateHTTPRouteAuth * Added translation filter to existing filter processing * Split out formatting into subfunctions * Remove original function * Remove ServicesForRoute * Change httprouteauthfilter to routeauthfilter * Reuse GatewayJWT type for Routes * Match Sarah's style for translation functions * Start adding filter tests * Wrap up test for filters * Uncomment other tests * Use existing v1alpha1 import for group * Remove old make* function * Use ConvertSliceFunc * Fix group in translation_test * Manually un-diff CRDs * cleanup * cleanup * clean up * update index function --------- Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Added status conditions for JWT for auth filters and for routes * Extract function * Use more generic error for invalid filter * Re-run ctrl-manifests with correct controller-generate version * Clean up from pr review * gofmt --------- Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Added changelog * clean up some renames from httprouteauthfilter -> routeauthfilter * Fix broken webhook test, added new test --------- Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> Co-authored-by: Thomas Eckert <teckert@hashicorp.com>

feat: add v2 service account controller Implement the basic requirements of a new Service Account controller that registers Workload Identities via Consul's V2 API. Also lightly refactor some of the shared controller data in V2. Further tests and TODOs will be addressed in follow-up changes.

We are currently registering all services in k8s regardless of whether they represent mesh-injected workloads. This is both creating "junk" registrations for Consul and k8s components, but additionally can create issues in Consul core when generating routes with TProxy enabled, since these services will not have endpoints. To solve for both of these issues, selectively sync k8s services to Consul in the v2 Endpoints controller only when at least one of its pods is injected. Follow-up work will address edge cases where we want to maintain a service entry even without workloads, such as when the global inject flag is set, and when a service temporarily loses endpoints but is already registered and part of the mesh.

These were necessary to get tests to pass during the merge of several PRs across `consul` and `consul-k8s` but are no longer needed.

* feat: Add HCP Observability ClientID and ClientSecret * go mod tidy * changelog

* wip: controllers are running, and now multiport mesh init is stuck, with workloads not being synced to consul and error logs from endpoints v2 controller * explicitly specify dataplane tenancy (needed from manual testing) * connect inject deployment was missing a \ to complete the command * server statefulset was also missing a \ so v2 mode wasn't being turned on. --- Thanks for pairing, I may have missed a few names of folks who've hopped in to help debug these: Co-authored-by: Iryna Shustava <iryna@hashicorp.com> Co-authored-by: Dan Stough <dan.stough@hashicorp.com> Co-authored-by: Michael Wilkerson <mwilkerson@hashicorp.com> Co-authored-by: John Murret <john.murret@hashicorp.com> Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* fixed some comments and old things - spelling mistakes - clarity on old controller also removed peer from unlabeled as this is unsupported * added explicit upstreams writing/deleting - added processing for pod annotations to handle labeled and unlabeled case. This is heavily based on what was done in the endpoints controller - one deviation is instead of looking for the first key to determine the labeled case, I scan for all keys. I think this will provide us with more meaningful errors since the ordering matters. * added explicit upstream write/delete tests - most of the tests cases are based on what is currently in the endpoint controller - split some of the write cases into just testing the processing logic so that we don't have to spin up a Consul client each time which made the test very slow. * disable support for peers and dcs in annotations, this will be added back when supported

Disable flaky Vault namespace test

* test(control-plane): add ENT tests for pod controller * Apply suggestions from code review Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com> * Add Upstreams ENT tests --------- Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

v2: Conditional target port when numeric in k8s When choosing a Consul service TargetPort (name) in the v2 Endpoints Controller, attempt to find the best match among endpoint container ports when the K8s service target port value is a number. This bridges an existing gap between Consul (which always expects a Workload port to be named), and K8s (where container ports need not be named, and names are ignored when the K8s service targets by number). This change will be mostly reverted in a future release once Consul's v2 data model allows for target ports to be a name or number in alignment w/ K8s behavior.

Co-authored-by: DanStough <dan.stough@hashicorp.com>

Consul now will default tenancy for traffic permission sources. This PR changes unit tests to account for that

* added explicit upstream write/delete tests - most of the tests cases are based on what is currently in the endpoint controller - split some of the write cases into just testing the processing logic so that we don't have to spin up a Consul client each time which made the test very slow.

* refactored annotation processing for reuse

…able (#2995) * added logic for injecting environment variable based on annotations * fixed a bug in annotation processor - nil pointer exception because we weren't checking for a length of two in the unlabeled case - added a test to make sure it's covered * added container env logic for injecting env variables - due to refactoring can support same labeled/unlabeld parsing logic as when pod controller processes the annotations * added an error check to the `containerEnvVars(pod)` call

* Rename pbmesh.Upstreams to pbmesh.Destinations * fix traffic perm acceptance tests fixture * more mesh v2 acceptance test fixes * kick off k8s tests * update images

* docs: add V2 RC changelog

* flaky proxy-lifecycle * flaky rate limiting

* CC-6461 Cleanup load test * Reset values to main * Fix lint failures in changed module

- include the "consul.hashicorp.com/mesh-inject-status" when checking if traffic redirection can be skipped

Clean up TODOs in Endpoints Controller V2

This commit fixes typo in ControlPlaneRequestLimits CRD where the `preparedQuery` rate limit config was exposed as `perparedQuery`.

…Consul NS (#3029) feat(control-plane): ServiceAccount v2 backoff on missing Consul NS Add backoff for missing Consul NS similar to other v2 controllers.

* add make target for preparing rc branch * added rc branch enterprise handling

* fix check * add better check for load balancing

…#3034) * Fixing validating cert webhooks, fixing replace statements for go mod * Fixed nil pointer error, added test

* Update ci.hcl This update, moves consul-k8s to use the prepare workflow. This workflow encapsulates several previous workflows, running jobs in parallel to reduce the artifact processing time. See https://hashicorp.atlassian.net/wiki/spaces/RELENG/pages/2489712686/Dec+7th+2022+-+Introducing+the+new+Prepare+workflow for more info. * Update ci.hcl add branch for testing * Update build.yml add branch for testing * Update ci.hcl remove branch used for testing * Update build.yml remove branch used for testing

…d pods (#3039) feat(control-plane): v2 only register services for injected pods Rather than indiscriminately registering any service that is not excluded due to NS allow/deny-listing, selectively register services that target injected pods (i.e. in alignment with the mesh webhook). Do not deregister services that already exist when endpoints are empty; rather, predicate registration on pod injection and deletion on service deletion from Kubernetes. In the future, we can layer on explicit allow/deny annotations for services as needed. This is already implemented by existing workload selector logic that filters on mesh-inject status; this change removes TODOs, updates comments, and adds tests for the desired behavior.

Update jira-pr.yaml

* Update backport assistant to use merge commits * update to true

* Fix gw policy status to mimic routes when referenced gateway cannot be found * Added test for binding when gateway is deleted

* Added test for route missing external ref * Add test for missing JWT reference, fix message for status condition * Added test for when route auth filter references invalid filter type * Added tests for binding results status

* Regenerate external Gateway CRDs * Remove errant .yml * Add external CRDs to copywrite ignore

…ad identity meta (#3068) feat(control-plane): v2 add service account name to workload identity meta

…gateway pod on OpenShift (#3070) * Add NET_BIND_SERVICE capability in security context for api-gateway pod(s) * Add changelog entry * Use proper casing for ALL capabilities constant * Add test assertion verifying security context is set for every api-gateway pod * Update .changelog/3070.txt * Update 3070.txt

v2: Debounce unnecessary Service writes to Consul Endpoints Controller v2 should not write services every time endpoints change, as this can occur far more frequently and be subject to rapid updates in the case of large clusters or flapping pod health. Instead, track writes by storing a fingerprint of the written payload along with the Consul resource generation, and compare each potential write and existing Consul resource to them, writing only if a discrepancy is detected or the fingerprint read/compare itself fails (pessimistically fall back to blind writes).

test: fix tests that are failing on main

* Create sub-folders for auth and mesh * Support CRDs for L7 mesh - TCPRoute - HTTPRoute - GRPCRoute - ProxyConfiguration Update TrafficPermissions to embed proto type directly.

security: Upgrade Go and x/net Upgrade to Go 1.20.10 and `x/net` 1.17.0 to resolve [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) / [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487).

add new make target

* Added jwt to routes for halting test * GW Policy halting tests added

* prepare main for 1.4 dev * add cloud tests * add patch version for dataplane, now required. * test: use only minor versions for tests * build: remove last set-output from yaml * add patch version for dataplane, now required. * fixed error message change --------- Co-authored-by: DanStough <dan.stough@hashicorp.com>

* kind of running * WIP * Unskip test and setup so it works correctly * revert typo * Move tokens into constants * Adds test scenario for adding a second gateway policy to a gateway, should and will fail * linter * Add case for multiple routes on listener with only one defining JWT configuration * Multiple routes referencing the same external ref * Add check for route referencing route extension outside of local namespace failing --------- Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com>

* Remove copyright headers from externally-defined CRDs not owned by HashiCorp * Make comment more accurate in .copywrite.hcl config * Fix exclude path in .copywrite.hcl

* better handle gateway timeout errors * strings not refs * changelog * Add missing import, fix import blocking --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

…2946) * Setup observability metrics tests * Cleanup http_client.go and observability_test.go * Refactor tests by using table driven approach * Refactor and add comments to the client * Remove param to token function * remove consul export test redundant * Remove hardcoded collector image * Move metrics validation from server to consul-k8s tests and update to use the /records endpoint * Change to achooo docker hub and fix lint errors

…44487) (#3139) Bump google.golang.org/grpc to 1.56.3 This resolves [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487). Also bump `consul-server-connection-manager` to latest to align with that library's matching gRPC upgrade.

* Update kind to 1.28.0

Revert "Update chart version (#3152)" This reverts commit fbf09e6.

* Add terminating gateway and external server to peering test Add external server and terminating gateway to cluster peered acceptance test * Export terminating gateway common functions Write the new terminating gateway role * Move other helper functions into the common file Add service defaults and destination Update terminating gateway section with proper config Change the address we are trying to hit Remove own external-server WIP * Move RegisterExternalService to helpers Register external service for terminating gateway Remove external static-server case Remove tgw.yaml * Add external services to exported services * Remove the old test output * Use HTTP instead of HTTPS for connection * Clean up tests * Remove test.sh * Remove ip hostname * Add a comment to RegisterExternalService * Log the name of the service created in RegisterExternalService * Apply suggestions from code review Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Move `terminatinggateway` to the correct import block --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* fix(controller): v2 pod controller errors for acl deletion * test: fix tests for unsupported L7 TPs

* NET-5392 Replace dev dependencies w/ latest release tags * go mod tidy * Adjust api-gateway logic based on changes in consul/api * Stop setting removed field EnvoyExtensions in test The field was intentionally removed in hashicorp/consul#19186 * gofmt

* init * fix help and synopsis * added some tests * change log * some fixes * rename var name * tests for get envoy stats * fix tests * Update cli/cmd/envoy-stats/envoy_stats.go Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * proxy stats command * fix command options * pr comment resolved * fix globaloptions * fix lint --------- Co-authored-by: Thomas Eckert <teckert@hashicorp.com>

Helm Chart: Support StatefulSet PVC retention Add new variable on the Helm chart to define the PVC retention policy for the StatefulSet Co-authored-by: Aleix Murtra <alemurbcn@gmail.com>

Add 1.3.0 notes to changelog

…the latest Consul submodules (#3194) * Add replace directive in Go mod for Control Plane so that we pull in the latest Consul submodules * Add a comment to explain why we need a replace directive

Add MeshGateway to `mesh.consul.hashicorp.com/v2beta1`

add validation to account for type change

* checkpoint * checkpoint, passing test * kitchen sink, NET-4992 * lint issue * clean up unneeded calls --------- Co-authored-by: Sarah Alsmiller <sarah.alsmiller@sarah.alsmiller-RQQ26PQ2L5>

…eway-reso… (#3200) * Adds GatewayClassConfig and MeshGateway resources to the gateway-resources-configmap.yaml in the Helm chart * Updates the configmap to include more fields for the gatewayClassConfig for mesh gateways

* chore: skaffold build experiment * feedback: add experiment comments

…PU request (#3209)

* NET-6401 Stub MeshGateway controller * Add MeshGateways resource to connect-inject-clusterrole * Setup v2controller for MeshGateway * Add bats test assertion for connect-inject-clusterrole * Regenerate control-plane/config/rbac/role.yaml

…3175)

* Add -o json to consul-k8s proxy list command * added changelog * dummy commit to trigger ci * fix tests

remove nightly and weekly jobs

* Stub createUpdate and delete handlers in MeshGatewayController * Add unit test coverage * Fix import blocking * Move TODOs inside CRUD hooks * Specify scheme when initializing controller for tests

* Add gateway_class_types.go * Update dependencies so that CRDs can be added * Generate the CRD

* feat: add named prom port to dataplane sidecar Co-authored-by: Hamish <hamish.forbes@gmail.com> * PR Feedback --------- Co-authored-by: Hamish <hamish.forbes@gmail.com>

* Update the Consul package dependency to my branch * Add the stubbed gateway_configuration * Update proto-public dependency * Add deepcopy * Run make ctrl-manifests * Fix comment on MeshConfig struct

* CRD file gneration * update to cluster scope * cluster scope

…`global.cloud.enabled` is false (#3219)

Specify cluster scope for MeshGateway CRD

…3215)

Add refreshes and retries to server-acl-init job

* organize the sections * tag the image * add phony to all targets

security: Bump github.com/golang-jwt/jwt/v4 to 4.5.0 This version is accepted by Prisma/Twistlock, resolving scan results for issue PRISMA-2022-0270. Chosen over later versions to avoid a major version with breaking changes that is otherwise unnecessary. Note that in practice this is a false positive (see golang-jwt/jwt#258), but we should update the version to aid customers relying on scanners that flag it.

) * Adds stub of GatewayClass controller into v2 controllers * regen without weird spaces * Update control-plane/config-entries/controllersv2/gateway_class_controller.go --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* fixed acl deletetion in endpoints controller * fixed tests * fixed other tests * fixed ent tests * added changelog * updated TestReconcileDeleteEndpoint to support deleting token by pod uid * passed pod-uid to dataplane * fixed tests * fixed more tests * fixed dataplane env * fixed test * fixed passing env to dataplane * fixed unit test

- Amalgamate UBI with Dockerhub and Redhat tags into one step - Avoids a production incident that errors on duplicate tags: hashicorp/releng-support#123

…#3244) * Create/update/delete ServiceAccount on MeshGateway reconcile * Implement owner ref checking for existing objects before create/update * Use builder struct for creating k8s resources * Extend upsert function to handle delete as well * Add unit tests asserting ServiceAccount CRUD w/ ownership enforcement * Update list of TODOs in reconcile handlers * Uncomment call to MeshConfigController.ReconcileEntry * Check error returned by SetControllerReference * Add unit test coverage for MeshGatewayBuilder.serviceAccount() * Omit namespace on MeshGateway's resource ID tenancy The MeshGateway is partition-scoped which means that it should never include a namespace in its resource ID * Provide existing object to operation This enables any future merge operations than need to be done before writing the new object, such as setting a value that needs to carry forward from the existing object onto the new object. * Declare ownership of ServiceAccount when setting up controller * Fix typo * Rely on garbage collector to delete resource instead of deleting explicitly

* rename v1 crd * gatewayclass controller stub * register controller * old version * reorder cluster role * fix accidental find and replace error

Set jobs to weekly

* Regenerates MeshGateway CRD with new fields added in Consul Proto * Fixes spacing issue in Makefile causing ensure-controller-gen-version to fail * Remove file that wasn't supposed to be added

* Refactor MeshConfigController to ConsulResouceController * Rename controller file * Rename MeshConfig to ConsulResource * Rename Controller to ResourceController * Update some references to meshConfig * Fixup some comments * Change MeshConfigController to ConsulResourceController in all implementations * Change MeshConfigController to ConsulResourceController in instances * Fix references to MeshConfigController in some tests * Rename mockMeshConfig to mockConsulResource * Rename meshConfigReconciler to consulResourceReconciler * Rename ConsulResourceController to Controller * Fix calls to validate * Use "Controller" instead of "Reconciler" * Empty commit to retrigger tests

* Update MatchesConsul to normalize partitions during comparison. * Update test cases with valid datasets

* Change scope of MeshGateway CRD to Namespaced This matches the scope of the corresponding Gateway CRD in the Kubernetes Gateway API, which we will one day use. It also prevents some undesirable side effects of being cluster-scoped. Namely, the cluster-scoped MeshGateway always resides in the "default" namespace implicitly and thus cannot be referenced as the owner of Deployments, ServiceAccounts, etc in any other namespace due to the fact that cross-namespace owner references are not allowed. * Specify namespace in serviceaccount builder test * Set namespace for meshGateways in resource job config map * Modify unit test to use non-default namespace

* Stop syncing GatewayClass + GatewayClassConfig into Consul * gofmt

* Create GatewayClassConfig CRD using kubebuilder instead of Consul proto * Hardcode inapplicable Consul resource logic * Restructure to embed labels/annotations + remove .kubernetes * Remove implementation of Consul resource interface This will prevent the GatewayClassConfig from ever being accidentally assumed to be syncable into Consul * Use existing GatewayClassConfig structure This allows us to keep the discussion about the new structure of the GatewayClassConfig in a separate PR for discussion

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>

* create gateway class and gateway class config for mesh gateway if config file is present * Comment method, add mesh gw config to existing run test * use generic gateway names rather than specific mesh gateway, add test for when file is not found * Update control-plane/subcommand/gateway-resources/command.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Update control-plane/subcommand/gateway-resources/command.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Update control-plane/subcommand/gateway-resources/command_test.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Modified test name, made function more generic * Rebase main, add tests for loading json * use k8s yaml * Use json for config file, move resources to separate config map * back to yaml * Use kubebuilder built gatewayclassconfig * Fix creating gatewayclass and classconfig resources * Fix bats tests for config map * Appease the linter --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* checkpoint * checkpoint, deployment spec intial skeleton * set up reconcile * checkpoint * checkpoint * checkpoint * working deployment * cleaning up todos, working deployment * cleaned up todos, changed namespaces back from hardcoded default * unit test finished * fix pointer added in rebase * Update control-plane/config-entries/controllersv2/mesh_gateway_controller.go * additional cleanup/linting issues * rename files, clean up configuration to reuse tenacy config * import grouping * responding to code review * gofmt * Update control-plane/config-entries/controllersv2/mesh_gateway_controller.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * clean up incorrect comment * add gcc nil test to cover potential nil use cases, add log statment for gcc fetch error * clean up nit picks * checkpoint * fix typing * Update control-plane/gateways/config.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Update control-plane/gateways/deployment_init_container.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Update control-plane/gateways/deployment_init_container.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Update control-plane/config-entries/controllersv2/mesh_gateway_controller.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Add rudimentary Deployment assertions to mesh_gateway_controller_test.go * Fix command assertion whitespace * Use full GCC instead of GCCSpec so we have future access to annotations --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

There is currently a diff when running `make ctrl-generate ctrl-manifests` on main. This makes development cycles tedious as we generally try to avoid including unrelated changes in new PRs.

* Create role and role binding for mesh gateways * add some whitespace

* add volume mount * fix spacing

Restructure v2 GatewayClassConfig CRD

…3285) * Allow meshGateway.enabled when resource-apis experiment is enabled * Exclude v1 mesh gateway templates when resource-apis experiment enabled * Enable mesh gateway for bats test where new gate added * Combine if statements for gating v2 configmap component

…luster's addresses when global.cloud.enabled (#3218)

…anaged cluster's addresses when global.cloud.enabled" (#3314) Revert "Add validation that externalServers.hosts is not set to HCP-managed cluster's addresses when global.cloud.enabled (#3218)" This reverts commit 7f79d29.

…3306) * create mesh gateway from resources job * remove whitespace change * Update config map to be more complete representation of object, clean up cluster role * Update charts/consul/templates/gateway-resources-configmap.yaml Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * fix tests --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* Bold section headers in PR template * Use proper header markers instead of just bolding * Update pull_request_template.md

Specify require RoleRef on RoleBinding

* chore: add license to gateways files * feat(crds): add support for retryOn in service router Co-authored-by: ilpianista <andrea@scarpino.dev> --------- Co-authored-by: ilpianista <andrea@scarpino.dev>

* Update class config for port modifier field * Add copywrite headers * Update test for port modifier value * Add comment from PR review, setup dataplane to include the port mapping * revise setup so the wan port is the one modified * linting * Cleaning up comments and regen

add github actor to workflow inputs

* cleanup existing gatewayclasses and gatewayclassconfigs * add tests for v2 * fixed test to actually run against v2 resources, found issue where loop was failing out early * add TODO with jira ticket * cleanup debug line * delete extra newline

fixed flake with peering test - test was performing the wrong connection check, since http should be checking for a '403' - added cluster creation in parallel to speed up test

This introduces an annotation that allows for generically setting data in the opaque config map for proxy service registrations. Use of this annotation is not encouraged in most situations, but it is necessary for certain circumstances. Notably, this new annotation allows users to specify the `xds_fetch_timeout_ms` configuration during service registration, which is sometimes needed by proxies with a large number of upstreams.

…luster's addresses when global.cloud.enabled (#3315)

* Read in node selector object * Ensure node selector is part of deployment * cleaning up implementation after testing * Remove custom unmarshal, fix chart to handle incoming yaml string * Update control-plane/api/mesh/v2beta1/gateway_class_config_types.go Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Update comments and use `toJson` over `toYaml` to avoid worrying about indentation * gofmt * Fix type for test * Fix deployment of gateway class and gatewayclass config * add comment for common constants * linting --------- Co-authored-by: Thomas Eckert <teckert@hashicorp.com>

…controller (#3364) * Declare ownership of Deployment, Role and RoleBinding on MeshGateway controller * Add Service ownership declaration

Replace usage of t with r for handling retries

* initial change, unit test updated * rename get gatewayconfig function * fixed name change, add newline

…t config) on clients and servers (#3337) * wip: testing with server works when you add segments as extraValues. Todos: * make similar changes to clients * potentially upgrade test? * consider locality having its own volume, rather than 2 volumes with extra in them * move extra-config out of /consul/config so it does not get applied twice * add comments about use of additional config maps * remove temporary inclusion of values.yaml in root that was used for hand off * get rid of temporary config.file * add segments test * test using 3 servers in a single cluster * add changelog * fix linting issues. * add comment to test. remove extra lines from config map. * fix bats tests --------- Co-authored-by: Nitya Dhanushkodi <nitya@hashicorp.com>

* add tolerations support for mesh gateway deployment * Add tests for minimal configuration, patch bug with default resource requirements not being set

… to hang on failure (#3366) * add a smaller multi kind cluster make target for dev * fix bug where parallel cluster creation caused tests to hang on failure * add a retry for cluster creation - Sometimes when creating a cluster the previous cluster is not fully deleted - Fixes NET-6909 * remove warn loglevel * disable the NET-5819 skip so that we can monitor if other changes to Consul since the issue was first logged may have fixed the issue

* Add replicas support for mesh gateways * handle nil values for replicas fields

…Gateway Pod (#3365) Set gateway-kind in Workload metadata when it represents a xGateway Pod By setting the gateway-kind annotation on the Pods for a MeshGateway, we indicate to the Pod controller in consul-k8s that the Pod represents a mesh gateway (or api/terminating in the future). The Pod controller then passes this along as metadata on the Workload that it creates in Consul. The end result is that the sidecar and gateway proxy controllers can determine which Workloads they should generate ProxyStateTemplates for.

Add configuration for host network for mesh gateway deployments

* initial pass * update unit test * fix unit test

* NET-6393: Create/update/delete Service on MeshGateway reconcile * add comment to code

* update crds, add to deployment object * update configmap * update unit test * fix indentation

Update test to assert the fixed behavior of PR #7773 in Consul Enterprise.

* Create workload in Consul for gateway pods Gateway pods are not mesh-injected because it doesn't make sense for an Envoy proxy workload to have a sidecar; however, they still need workloads created in Consul for them. * Log when pod controller creates workload in Consul * Disable t-proxy probe overwrite for mesh gateway pods * Update test assertions * Add test case for gateway pod reconciliation

* Set dns policy for mesh v2 deployment * regenerate files after rebase * Update dnspolicy field on gatewayclassconfigs to be of the corev1 type and to use kubebuilder validations * Clean up from dns policy change

…d resources (#3397) * Implement computing of annotations + labels for all created resources * Add test coverage * Add pkg-level variables for label key and default labels * Improve docstrings * Remove TODO for work that has been completed * Add un-inherited annotation to gateway set for unit test * Add more robust tests for annotations + labels * Exercise unhandled type * gofmt * Improve UX based on code review feedback

…in the metadata of a CRD, rather than the whole object (#3362) Finalizer patcher Co-authored-by: Derek Menteer <derek.menteer@hashicorp.com>

* use set labels for setting labels on deployments * incorporate changes for setting labels

Also fix a minor bug with prerelease version in non-prerelease changelog entries.

* Fix mesh gw creation for v2 * Update tests * Use constant for volume name * Update name from PR review * fixing mesh init tests * Remove need for writing proxyid file by passing in proxy id to dataplane container * Pass in proxy-id as env variable

Add affinity for meshgw deployment

* Update Dockerfile

…3369)

* delete gateway in cleanup-gateway-resouces * fix nitpick * fix nit in other file

* Add wanAddress configuration to the configmap * Set the annotations on the mesh gateway CRD * Patch through the annotations from the Mesh Gateway * Fix Job -> ConfigMap * Use JSON to compare annotations * Add annotations to deployment test * Fix checking annotations in helm tests

* Add tls support for mesh gateways * Added tests * fixing tests that broke from rebase * extract function to build tls args for dataplane container * move tls env vars to constants

…3439)

* Fix bug where http route was not deleted from consul when namespaces are enabled * Added changelog

security: update x/crypto to 0.17.0

* Make initConfig an associated function to the builder * Pass in init container resources if they are set * Use values from the builder now that initContainer is associated with it * Update control-plane/gateways/deployment_init_container.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Use config on builder --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

Add acceptance test cleanup

…er (#3322) perf: Fetch services once rather than per-node on deregister Rather than fetching all nodes in a cluster then listing services per-node, fetch all service instances directly by name. This should generally reduce the cost of deregistration in endpoints controller reconciles (in terms of network calls) from N calls (N=node count) to 3-6 calls regardless of K8s cluster size. This does trade the cost of node list and per-node instance fetching for a bulk fetch of service instances. However, a bulk fetch was the previous behavior prior to the introduction of Consul node mirroring in `consul-k8s`, and in the majority of real-world use cases, should be cheaper than listing all nodes and fetching services individually per node in the vast majority of cases. This change is motivated by customers with larger K8s clusters (node counts) seeing performance issues with reconciles.

* Add ExportedServices.multicluster.hashicorp.com CRD * Add controller for ExportedServices CRD * Generate CRD manifests, RBAC policies * Fix casing of multicluster group name * Modify hack script to append -v1 suffix for conflicting CRD names * Add ExportedService to connect-inject-clusterrole.yaml * Update go mod replace to reflect dependency merge * Add bats test for ClusterRole addition

…r service (#3434) * add listeners field * add listeners to configmap * update default logic, update tests * clarify comment * import grouping * regen crds with correct kubebuilder tags * revert accidental change * import blocking * fixed an issue with configmap that I found while testing * regen with port min/max

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>

This PR adds in two new `consul.hashicorp.com/sidecar-proxy-startup-failure-seconds` and `consul.hashicorp.com/sidecar-proxy-liveness-failure-seconds` annotations that are disabled by default. When set to a value greater than zero, these configurations will enable their corresponding startup / liveness probes for the Envoy proxy. This helps to prevent scenarios where the Envoy proxy would hang and never recover.

Use namespace query only if enterprise is enabled Requests to the community edition of Consul will fail if namespace is set in the query parameters.

) * regen crd with protocol added * add to configmap and pull from services * update test

…#3000) When leave_on_terminate=false (default), rolling the statefulset is disruptive because the new servers come up with the same node IDs but different IP addresses. They can't join the server cluster until the old server's node ID is marked as failed by serf. During this time, they continually start leader elections because they don't know there's a leader. When they eventually join the cluster, their election term is higher, and so they trigger a leadership swap. The leadership swap happens at the same time as the next node to be rolled is being stopped, and so the cluster can end up without a leader. With leave_on_terminate=true, the stopping server cleanly leaves the cluster, so the new server can join smoothly, even though it has the same node ID as the old server. This increases the speed of the rollout and in my testing eliminates the period without a leader. The downside of this change is that when a server leaves gracefully, it also reduces the number of raft peers. The number of peers is used to calculate the quorum size, so this can unexpectedly change the fault tolerance of the cluster. When running with an odd number of servers, 1 server leaving the cluster does not affect quorum size. E.g. 5 servers => quorum 3, 4 servers => quorum still 3. During a rollout, Kubernetes only stops 1 server at a time, so the quorum won't change. During a voluntary disruption event, e.g. a node being drained, Kubernetes uses the pod disruption budget to determine how many pods in a statefulset can be made unavailable at a time. That's why this change hardcodes this number to 1 now. Also set autopilot min_quorum to min quorum and disable autopilot upgrade migration since that's for blue/green deploys.

* Add api-gateway to allow list for gateway-kind annotation * Update godoc for AnnotationGatewayKind to list correct allowable values * Exclude api-gateway kind when checking if endpoints controller should act on gateway * Add gateway-kind and gateway-consul-service-name annotations to API gateway pods * Add appropriate component label to api-gateway pods * Update consul-k8s CLI to rely on standard component label for api-gateway This makes api-gateway behave the same as ingress, mesh and terminating gateways; however, it won't pick up pods created by the legacy consul-api-gateway controller. * add backwards compatabiilty, additional tests * add changelog * Update .changelog/3437.txt Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Update cli/cmd/proxy/list/command.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Update cli/cmd/proxy/list/command_test.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Update cli/cmd/proxy/list/command_test.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Update cli/cmd/proxy/list/command.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * cleanup * Update cli/cmd/proxy/list/command.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

- This change was made across all the submodules to ensure consistency. This version contains a fix to an issue that was causing panics with certain newer versions of Kubernetes.

* rename ReconcileEntry to be ReconcileResource * Move controllers for resources to resources package rather than config-entries package * update package name * Move controllers to own pacakge with pacakges for configentries and resources * Fix import path in ent test

…3478) Ugrade go to 1.21.6 and use single source of .go-version

* Add BATs for Gateway Log Level Configuration * Pass logLevel into init-container and dataplane-container * Add BATs for extraLabels * Test that extraLabels get set on the deployment * BATs for annotations * Use config for log level over gcc if available * Make consulDataplaneContainer an assoc func to builder * Use logLevelForDataplaneContainer func * Test annotations getting set * Add comments for Builder obj * Rename config.go to gateway_config.go * Add comments to gateway_config * Move commands closer to their configuration * Extract some constants * `%s/expected/debug/g`

…3465) * NET-7179: Update MeshGateway to use new proto with workload selector * fix import * Update control-plane/api/mesh/v2beta1/mesh_gateway_types.go Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * remove worload override * fix imports --------- Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

Use golang -alpine image when building go-discover

* Bump consul api version. * Add CaseInsensitive field to service router match. * Add changelog.

Tighten up privileges for consul-dataplane and connect-init containers when CNI is enabled.

) Add imports

…s instead of -service-* (#3526) * Support -server-watch-disabled, use -proxy-* args instead of -service-* * Remove now-unused constant * Update test assertions * gofmt

* generate crds * fix issue with test on module update * generate crds

…#3528) - [This change in consul](hashicorp/consul#20371) involves now interpreting whether xRoute/FailoverPolicy/DestinationPolicy resource service references use either the service port (virtualPort in consul) or service target port (targetPort in consul). To make this decision unambiguously: > This change updates our interpretation of these reference fields/keys (parent, backend, destination), s.t.: > > * A numeric value will be exclusively interpreted to indicate a ServicePort.virtual_port > * A non-numeric value will be exclusively interpreted to indicate a ServicePort.target_port (this supports VMs/Nomad and other cases where network virtual ports are not used, and port names are expected to be in reference to workload ports, not service ports) - If a K8s service targetport is allowed to be the stringified version of a number, it will be ambiguous in consul what to interpret the string "portID" as. - This change makes it such that the string port can never be a number, and will always also have alpha characters by prefixing "cslport-" to the workload port if the workload port name is unspecified.

* Fix meshgw tests * change protocol on mesh gw tests to tcp from mesh

* stub api-gateway-controller * Add setup to v2 controller

…#3530) * add status structs * update status

* updated script to point at RC version correctly

* bump versions to next version * updated script to handle new Consul-k8s images

Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>

…h Gateway

…ng-tomcat

Commits on Jan 19, 2024

CRT build failing for Go (#3490 )

curtbushko authored Jan 19, 2024

Configuration menu

View commit details

Copy full SHA for 20a2397

Browse repository at this point

Copy the full SHA

20a2397 View commit details

Browse the repository at this point in the history

Commits on Feb 6, 2024

backport of commit 2264c14

missylbytes committed Feb 6, 2024

Configuration menu

View commit details

Copy full SHA for 378632f

Browse repository at this point

Copy the full SHA

378632f View commit details

Browse the repository at this point in the history

Backport of Add NET_BIND_SERVICE to the security context in the deployment of Mesh Gateway (NET-6463) into release/1.0.x #3567

Backport of Add NET_BIND_SERVICE to the security context in the deployment of Mesh Gateway (NET-6463) into release/1.0.x #3567

Commits on Aug 24, 2023

Commits on Aug 25, 2023

Commits on Aug 28, 2023

Commits on Aug 29, 2023

Commits on Aug 30, 2023

Commits on Aug 31, 2023

Commits on Sep 1, 2023

Commits on Sep 5, 2023

Commits on Sep 6, 2023

Commits on Sep 7, 2023

Commits on Sep 8, 2023

Commits on Sep 11, 2023

Commits on Sep 12, 2023

Commits on Sep 13, 2023

Commits on Sep 14, 2023

Commits on Sep 15, 2023

Commits on Sep 18, 2023

Commits on Sep 19, 2023

Commits on Sep 20, 2023

Commits on Sep 21, 2023

Commits on Sep 22, 2023

Commits on Sep 23, 2023

Commits on Sep 25, 2023

Commits on Sep 26, 2023

Commits on Sep 27, 2023

Commits on Sep 29, 2023

Commits on Oct 2, 2023

Commits on Oct 3, 2023

Commits on Oct 4, 2023

Commits on Oct 5, 2023

Commits on Oct 6, 2023

Commits on Oct 9, 2023

Commits on Oct 10, 2023

Commits on Oct 11, 2023

Commits on Oct 12, 2023

Commits on Oct 13, 2023

Commits on Oct 16, 2023

Commits on Oct 17, 2023

Commits on Oct 18, 2023

Commits on Oct 19, 2023

Commits on Oct 23, 2023

Commits on Oct 24, 2023

Commits on Oct 30, 2023

Commits on Oct 31, 2023

Commits on Nov 1, 2023

Commits on Nov 2, 2023

Commits on Nov 7, 2023

Commits on Nov 8, 2023

Commits on Nov 9, 2023

Commits on Nov 10, 2023

Commits on Nov 13, 2023

Commits on Nov 14, 2023

Commits on Nov 15, 2023

Commits on Nov 17, 2023

Commits on Nov 20, 2023

Commits on Nov 21, 2023

Commits on Nov 23, 2023

Commits on Nov 27, 2023

Commits on Nov 28, 2023

Commits on Nov 29, 2023

Commits on Nov 30, 2023

Commits on Dec 1, 2023

Commits on Dec 4, 2023

Commits on Dec 5, 2023

Commits on Dec 6, 2023

Commits on Dec 7, 2023

Commits on Dec 8, 2023

Commits on Dec 11, 2023

Commits on Dec 12, 2023

Commits on Dec 13, 2023

Commits on Dec 14, 2023

Commits on Dec 15, 2023

Commits on Dec 16, 2023

Commits on Dec 18, 2023

Commits on Dec 19, 2023

Commits on Dec 20, 2023

Commits on Dec 21, 2023

Commits on Jan 3, 2024