merge main

.github/CODEOWNERS

@@ -8,3 +8,34 @@
 # release configuration
 /.release/                              @hashicorp/release-engineering @hashicorp/github-consul-core
 /.github/workflows/build.yml            @hashicorp/release-engineering @hashicorp/github-consul-core
+
+
+# Staff Engineer Review (protocol buffer definitions)
+/proto-public/   @hashicorp/consul-core-staff
+/proto/          @hashicorp/consul-core-staff
+
+# Staff Engineer Review (v1 architecture shared components)
+/agent/cache/                  @hashicorp/consul-core-staff
+/agent/consul/fsm/             @hashicorp/consul-core-staff
+/agent/consul/leader*.go       @hashicorp/consul-core-staff
+/agent/consul/server*.go       @hashicorp/consul-core-staff
+/agent/consul/state/           @hashicorp/consul-core-staff
+/agent/consul/stream/          @hashicorp/consul-core-staff
+/agent/submatview/             @hashicorp/consul-core-staff
+/agent/blockingquery/          @hashicorp/consul-core-staff
+
+# Staff Engineer Review (raft/autopilot)
+/agent/consul/autopilotevents/  @hashicorp/consul-core-staff
+/agent/consul/autopilot*.go     @hashicorp/consul-core-staff
+
+# Staff Engineer Review (v2 architecture shared components)
+/internal/controller/                   @hashicorp/consul-core-staff
+/internal/resource/                     @hashicorp/consul-core-staff
+/internal/storage/                      @hashicorp/consul-core-staff
+/agent/consul/controller/               @hashicorp/consul-core-staff
+/agent/grpc-external/services/resource/ @hashicorp/consul-core-staff
+
+# Staff Engineer Review (v1 security)
+/acl/                   @hashicorp/consul-core-staff
+/agent/xds/rbac*.go     @hashicorp/consul-core-staff
+/agent/xds/jwt*.go      @hashicorp/consul-core-staff

agent/acl_endpoint.go

@@ -6,6 +6,7 @@ package agent
 import (
 	"fmt"
 	"net/http"
+	"net/url"
 	"strings"
 
 	"github.com/hashicorp/consul/acl"
@@ -145,6 +146,12 @@ func (s *HTTPHandlers) ACLPolicyCRUD(resp http.ResponseWriter, req *http.Request
 }
 
 func (s *HTTPHandlers) ACLPolicyRead(resp http.ResponseWriter, req *http.Request, policyID, policyName string) (interface{}, error) {
+	// policy name needs to be unescaped in case there were `/` characters
+	policyName, err := url.QueryUnescape(policyName)
+	if err != nil {
+		return nil, err
+	}
+
 	args := structs.ACLPolicyGetRequest{
 		Datacenter: s.agent.config.Datacenter,
 		PolicyID:   policyID,

agent/proxycfg/testing_api_gateway.go

@@ -8,10 +8,9 @@ import (
 
 	"github.com/mitchellh/go-testing-interface"
 
+	"github.com/hashicorp/consul/agent/configentry"
 	"github.com/hashicorp/consul/agent/connect"
 	"github.com/hashicorp/consul/agent/consul/discoverychain"
-
-	"github.com/hashicorp/consul/agent/configentry"
 	"github.com/hashicorp/consul/agent/structs"
 )
 

agent/proxycfg/testing_mesh_gateway.go

@@ -747,6 +747,73 @@ func TestConfigSnapshotPeeredMeshGateway(t testing.T, variant string, nsFn func(
 				},
 			},
 		)
+	case "mgw-peered-upstream":
+		// This is a modified version of "chain-and-l7-stuff" that adds a peer field to the resolver
+		// and removes some of the extraneous disco-chain testing.
+		entries = []structs.ConfigEntry{
+			&structs.ProxyConfigEntry{
+				Kind: structs.ProxyDefaults,
+				Name: structs.ProxyConfigGlobal,
+				Config: map[string]interface{}{
+					"protocol": "http",
+				},
+			},
+			&structs.ServiceResolverConfigEntry{
+				Kind: structs.ServiceResolver,
+				Name: "db",
+				Redirect: &structs.ServiceResolverRedirect{
+					Service: "alt",
+					Peer:    "peer-b",
+				},
+				ConnectTimeout: 33 * time.Second,
+				RequestTimeout: 33 * time.Second,
+			},
+		}
+		for _, entry := range entries {
+			require.NoError(t, entry.Normalize())
+			require.NoError(t, entry.Validate())
+		}
+
+		set := configentry.NewDiscoveryChainSet()
+		set.AddEntries(entries...)
+
+		var (
+			dbSN  = structs.NewServiceName("db", nil)
+			altSN = structs.NewServiceName("alt", nil)
+
+			dbChain = discoverychain.TestCompileConfigEntries(t, "db", "default", "default", "dc1", connect.TestClusterID+".consul", nil, set)
+		)
+
+		needPeerA = true
+		needLeaf = true
+		discoChains[dbSN] = dbChain
+		endpoints[dbSN] = TestUpstreamNodes(t, "db")
+		endpoints[altSN] = TestUpstreamNodes(t, "alt")
+
+		extraUpdates = append(extraUpdates,
+			UpdateEvent{
+				CorrelationID: datacentersWatchID,
+				Result:        &[]string{"dc1"},
+			},
+			UpdateEvent{
+				CorrelationID: exportedServiceListWatchID,
+				Result: &structs.IndexedExportedServiceList{
+					Services: map[string]structs.ServiceList{
+						"peer-a": []structs.ServiceName{dbSN},
+					},
+				},
+			},
+			UpdateEvent{
+				CorrelationID: serviceListWatchID,
+				Result: &structs.IndexedServiceList{
+					Services: []structs.ServiceName{
+						dbSN,
+						altSN,
+					},
+				},
+			},
+		)
+
 	case "chain-and-l7-stuff":
 		entries = []structs.ConfigEntry{
 			&structs.ProxyConfigEntry{

agent/proxycfg/testing_terminating_gateway.go

@@ -4,6 +4,8 @@
 package proxycfg
 
 import (
+	"time"
+
 	"github.com/mitchellh/go-testing-interface"
 
 	"github.com/hashicorp/consul/agent/structs"
@@ -648,6 +650,7 @@ func testConfigSnapshotTerminatingGatewayLBConfig(t testing.T, variant string) *
 				OnlyPassing: true,
 			},
 		},
+		RequestTimeout: 200 * time.Millisecond,
 		LoadBalancer: &structs.LoadBalancer{
 			Policy: "ring_hash",
 			RingHashConfig: &structs.RingHashConfig{

agent/proxycfg/testing_upstreams.go

@@ -256,6 +256,9 @@ func setupTestVariationConfigEntriesAndSnapshot(
 	case "chain-and-router":
 	case "lb-resolver":
 	case "register-to-terminating-gateway":
+	case "redirect-to-lb-node":
+	case "resolver-with-lb":
+	case "splitter-overweight":
 	default:
 		extraEvents := extraUpdateEvents(t, variation, dbUID)
 		events = append(events, extraEvents...)
@@ -580,6 +583,61 @@ func setupTestVariationDiscoveryChain(
 				},
 			},
 		)
+	case "splitter-overweight":
+		entries = append(entries,
+			&structs.ServiceResolverConfigEntry{
+				Kind:           structs.ServiceResolver,
+				Name:           "db",
+				EnterpriseMeta: entMeta,
+				ConnectTimeout: 33 * time.Second,
+				RequestTimeout: 33 * time.Second,
+			},
+			&structs.ProxyConfigEntry{
+				Kind:           structs.ProxyDefaults,
+				Name:           structs.ProxyConfigGlobal,
+				EnterpriseMeta: entMeta,
+				Config: map[string]interface{}{
+					"protocol": "http",
+				},
+			},
+			&structs.ServiceSplitterConfigEntry{
+				Kind:           structs.ServiceSplitter,
+				Name:           "db",
+				EnterpriseMeta: entMeta,
+				Splits: []structs.ServiceSplit{
+					{
+						Weight:  100.0,
+						Service: "big-side",
+						RequestHeaders: &structs.HTTPHeaderModifiers{
+							Set: map[string]string{"x-split-leg": "big"},
+						},
+						ResponseHeaders: &structs.HTTPHeaderModifiers{
+							Set: map[string]string{"x-split-leg": "big"},
+						},
+					},
+					{
+						Weight:  100.0,
+						Service: "goldilocks-side",
+						RequestHeaders: &structs.HTTPHeaderModifiers{
+							Set: map[string]string{"x-split-leg": "goldilocks"},
+						},
+						ResponseHeaders: &structs.HTTPHeaderModifiers{
+							Set: map[string]string{"x-split-leg": "goldilocks"},
+						},
+					},
+					{
+						Weight:  100.0,
+						Service: "lil-bit-side",
+						RequestHeaders: &structs.HTTPHeaderModifiers{
+							Set: map[string]string{"x-split-leg": "small"},
+						},
+						ResponseHeaders: &structs.HTTPHeaderModifiers{
+							Set: map[string]string{"x-split-leg": "small"},
+						},
+					},
+				},
+			},
+		)
 	case "grpc-router":
 		entries = append(entries,
 			&structs.ServiceResolverConfigEntry{
@@ -917,12 +975,74 @@ func setupTestVariationDiscoveryChain(
 							Field:      "header",
 							FieldValue: "x-user-id",
 						},
+						{
+							Field:      "query_parameter",
+							FieldValue: "my-pretty-param",
+						},
 						{
 							SourceIP: true,
 							Terminal: true,
 						},
 					},
 				},
+			})
+	case "redirect-to-lb-node":
+		entries = append(entries,
+			&structs.ProxyConfigEntry{
+				Kind:           structs.ProxyDefaults,
+				Name:           structs.ProxyConfigGlobal,
+				EnterpriseMeta: entMeta,
+				Config: map[string]interface{}{
+					"protocol": "http",
+				},
+			},
+			&structs.ServiceRouterConfigEntry{
+				Kind:           structs.ServiceRouter,
+				Name:           "db",
+				EnterpriseMeta: entMeta,
+				Routes: []structs.ServiceRoute{
+					{
+						Match: httpMatch(&structs.ServiceRouteHTTPMatch{
+							PathPrefix: "/web",
+						}),
+						Destination: toService("web"),
+					},
+				},
+			},
+			&structs.ServiceResolverConfigEntry{
+				Kind:           structs.ServiceResolver,
+				Name:           "web",
+				EnterpriseMeta: entMeta,
+				LoadBalancer: &structs.LoadBalancer{
+					Policy: "ring_hash",
+					RingHashConfig: &structs.RingHashConfig{
+						MinimumRingSize: 20,
+						MaximumRingSize: 30,
+					},
+				},
+			},
+		)
+	case "resolver-with-lb":
+		entries = append(entries,
+			&structs.ProxyConfigEntry{
+				Kind:           structs.ProxyDefaults,
+				Name:           structs.ProxyConfigGlobal,
+				EnterpriseMeta: entMeta,
+				Config: map[string]interface{}{
+					"protocol": "http",
+				},
+			},
+			&structs.ServiceResolverConfigEntry{
+				Kind:           structs.ServiceResolver,
+				Name:           "db",
+				EnterpriseMeta: entMeta,
+				LoadBalancer: &structs.LoadBalancer{
+					Policy: "ring_hash",
+					RingHashConfig: &structs.RingHashConfig{
+						MinimumRingSize: 20,
+						MaximumRingSize: 30,
+					},
+				},
 			},
 		)
 	default:

agent/xds/clusters.go

@@ -971,8 +971,10 @@ func (s *ResourceGenerator) clustersFromSnapshotAPIGateway(cfgSnap *proxycfg.Con
 			// Grab the discovery chain compiled in handlerAPIGateway.recompileDiscoveryChains
 			chain, ok := cfgSnap.APIGateway.DiscoveryChain[uid]
 			if !ok {
-				// this should not happen
-				return nil, fmt.Errorf("no discovery chain for upstream %q", uid)
+				// this should not happen, but it can't error out because the equivalent
+				// listener generation will continue
+				s.Logger.Warn("could not find discovery chain for gateway upstream", "upstream", uid)
+				continue
 			}
 
 			// Generate the list of upstream clusters for the discovery chain
@@ -2027,6 +2029,7 @@ func (s *ResourceGenerator) getTargetClusterName(upstreamsSnapshot *proxycfg.Con
 	target := chain.Targets[tid]
 	clusterName := target.Name
 	targetUID := proxycfg.NewUpstreamIDFromTargetID(tid)
+
 	if targetUID.Peer != "" {
 		tbs, ok := upstreamsSnapshot.UpstreamPeerTrustBundles.Get(targetUID.Peer)
 		// We can't generate cluster on peers without the trust bundle. The

agent/xds/resources_test.go

@@ -157,8 +157,10 @@ func TestAllResourcesFromSnapshot(t *testing.T) {
 			},
 		},
 		{
-			name:   "transparent-proxy",
-			create: proxycfg.TestConfigSnapshotTransparentProxy,
+			name: "transparent-proxy",
+			create: func(t testinf.T) *proxycfg.ConfigSnapshot {
+				return proxycfg.TestConfigSnapshotTransparentProxy(t)
+			},
 		},
 		{
 			name:   "connect-proxy-with-peered-upstreams",