hashicorp · horaciomonsalvo · Mar 31, 2023 · Apr 1, 2023 · Apr 1, 2023 · Apr 1, 2023
diff --git a/.changelog/16751.txt b/.changelog/16751.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Added support for meta and defaults on ingress block
+```
diff --git a/api/consul.go b/api/consul.go
@@ -376,12 +376,29 @@ func (p *ConsulGatewayProxy) Copy() *ConsulGatewayProxy {
 	}
 }
 
+type ConsulGatewayTLSSDSConfig struct {
+	ClusterName  string `hcl:"cluster_name,optional" mapstructure:"cluster_name"`
+	CertResource string `hcl:"cert_resource,optional" mapstructure:"cert_resource"`
+}
+
+func (c *ConsulGatewayTLSSDSConfig) Copy() *ConsulGatewayTLSSDSConfig {
+	if c == nil {
+		return nil
+	}
+
+	return &ConsulGatewayTLSSDSConfig{
+		ClusterName:  c.ClusterName,
+		CertResource: c.CertResource,
+	}
+}
+
 // ConsulGatewayTLSConfig is used to configure TLS for a gateway.
 type ConsulGatewayTLSConfig struct {
-	Enabled       bool     `hcl:"enabled,optional"`
-	TLSMinVersion string   `hcl:"tls_min_version,optional" mapstructure:"tls_min_version"`
-	TLSMaxVersion string   `hcl:"tls_max_version,optional" mapstructure:"tls_max_version"`
-	CipherSuites  []string `hcl:"cipher_suites,optional" mapstructure:"cipher_suites"`
+	Enabled       bool                       `hcl:"enabled,optional"`
+	TLSMinVersion string                     `hcl:"tls_min_version,optional" mapstructure:"tls_min_version"`
+	TLSMaxVersion string                     `hcl:"tls_max_version,optional" mapstructure:"tls_max_version"`
+	CipherSuites  []string                   `hcl:"cipher_suites,optional" mapstructure:"cipher_suites"`
+	SDS           *ConsulGatewayTLSSDSConfig `hcl:"sds_config,block" mapstructure:"sds_config"`
 }
 
 func (tc *ConsulGatewayTLSConfig) Canonicalize() {
@@ -396,6 +413,7 @@ func (tc *ConsulGatewayTLSConfig) Copy() *ConsulGatewayTLSConfig {
 		Enabled:       tc.Enabled,
 		TLSMinVersion: tc.TLSMinVersion,
 		TLSMaxVersion: tc.TLSMaxVersion,
+		SDS:           tc.SDS.Copy(),
 	}
 	if len(tc.CipherSuites) != 0 {
 		cipherSuites := make([]string, len(tc.CipherSuites))
@@ -489,6 +507,35 @@ func (l *ConsulIngressListener) Copy() *ConsulIngressListener {
 	}
 }
 
+type ConsulIngressServiceConfig struct {
+	MaxConnections        *uint32 `hcl:"max_connections,optional" mapstructure:"max_connections"`
+	MaxPendingRequests    *uint32 `hcl:"max_pending_requests,optional" mapstructure:"max_pending_requests"`
+	MaxConcurrentRequests *uint32 `hcl:"max_concurrent_requests,optional" mapstructure:"max_concurrent_requests"`
+}
+
+func (c *ConsulIngressServiceConfig) Copy() *ConsulIngressServiceConfig {
+	if c == nil {
+		return nil
+	}
+
+	nc := new(ConsulIngressServiceConfig)
+	*nc = *c
+
+	if c.MaxConnections != nil {
+		nc.MaxConnections = pointerOf(*c.MaxConnections)
+	}
+
+	if c.MaxPendingRequests != nil {
+		nc.MaxPendingRequests = pointerOf(*c.MaxPendingRequests)
+	}
+
+	if c.MaxConcurrentRequests != nil {
+		nc.MaxConcurrentRequests = pointerOf(*c.MaxConcurrentRequests)
+	}
+
+	return nc
+}
+
 // ConsulIngressConfigEntry represents the Consul Configuration Entry type for
 // an Ingress Gateway.
 //
@@ -497,8 +544,10 @@ type ConsulIngressConfigEntry struct {
 	// Namespace is not yet supported.
 	// Namespace string
 
-	TLS       *ConsulGatewayTLSConfig  `hcl:"tls,block"`
-	Listeners []*ConsulIngressListener `hcl:"listener,block"`
+	TLS       *ConsulGatewayTLSConfig     `hcl:"tls,block"`
+	Listeners []*ConsulIngressListener    `hcl:"listener,block"`
+	Meta      map[string]string           `hcl:"meta,block" mapstructure:"meta"`
+	Defaults  *ConsulIngressServiceConfig `hcl:"defaults,block" mapstructure:"defaults"`
 }
 
 func (e *ConsulIngressConfigEntry) Canonicalize() {
@@ -512,6 +561,10 @@ func (e *ConsulIngressConfigEntry) Canonicalize() {
 		e.Listeners = nil
 	}
 
+	if len(e.Meta) == 0 {
+		e.Meta = nil
+	}
+
 	for _, listener := range e.Listeners {
 		listener.Canonicalize()
 	}
@@ -533,6 +586,8 @@ func (e *ConsulIngressConfigEntry) Copy() *ConsulIngressConfigEntry {
 	return &ConsulIngressConfigEntry{
 		TLS:       e.TLS.Copy(),
 		Listeners: listeners,
+		Meta:      maps.Clone(e.Meta),
+		Defaults:  e.Defaults.Copy(),
 	}
 }
 

diff --git a/api/consul_test.go b/api/consul_test.go
@@ -322,6 +322,12 @@ func TestConsulGateway_Copy(t *testing.T) {
 					}},
 				}},
 			},
+			Meta: map[string]string{
+				"testKey": "testValue",
+			},
+			Defaults: &ConsulIngressServiceConfig{
+				MaxConnections: pointerOf(uint32(5120)),
+			},
 		},
 		Terminating: &ConsulTerminatingConfigEntry{
 			Services: []*ConsulLinkedService{{
@@ -349,6 +355,8 @@ func TestConsulIngressConfigEntry_Canonicalize(t *testing.T) {
 		c := &ConsulIngressConfigEntry{
 			TLS:       nil,
 			Listeners: []*ConsulIngressListener{},
+			Meta:      map[string]string{},
+			Defaults:  nil,
 		}
 		c.Canonicalize()
 		must.Nil(t, c.TLS)
@@ -366,6 +374,12 @@ func TestConsulIngressConfigEntry_Canonicalize(t *testing.T) {
 					Hosts: []string{"1.1.1.1"},
 				}},
 			}},
+			Meta: map[string]string{
+				"testKey": "testValue",
+			},
+			Defaults: &ConsulIngressServiceConfig{
+				MaxConnections: pointerOf(uint32(5120)),
+			},
 		}
 		c.Canonicalize()
 		must.Eq(t, &ConsulIngressConfigEntry{
@@ -378,6 +392,12 @@ func TestConsulIngressConfigEntry_Canonicalize(t *testing.T) {
 					Hosts: []string{"1.1.1.1"},
 				}},
 			}},
+			Meta: map[string]string{
+				"testKey": "testValue",
+			},
+			Defaults: &ConsulIngressServiceConfig{
+				MaxConnections: pointerOf(uint32(5120)),
+			},
 		}, c)
 	})
 }

diff --git a/command/agent/job_endpoint.go b/command/agent/job_endpoint.go
@@ -1522,6 +1522,18 @@ func apiConnectGatewayProxyToStructs(in *api.ConsulGatewayProxy) *structs.Consul
 	}
 }
 
+func apiConsulIngressServiceConfigToStructs(in *api.ConsulIngressServiceConfig) *structs.ConsulIngressServiceConfig {
+	if in == nil {
+		return nil
+	}
+
+	return &structs.ConsulIngressServiceConfig{
+		MaxConnections:        in.MaxConnections,
+		MaxPendingRequests:    in.MaxPendingRequests,
+		MaxConcurrentRequests: in.MaxConcurrentRequests,
+	}
+}
+
 func apiConnectIngressGatewayToStructs(in *api.ConsulIngressConfigEntry) *structs.ConsulIngressConfigEntry {
 	if in == nil {
 		return nil
@@ -1530,6 +1542,19 @@ func apiConnectIngressGatewayToStructs(in *api.ConsulIngressConfigEntry) *struct
 	return &structs.ConsulIngressConfigEntry{
 		TLS:       apiConnectGatewayTLSConfig(in.TLS),
 		Listeners: apiConnectIngressListenersToStructs(in.Listeners),
+		Meta:      maps.Clone(in.Meta),
+		Defaults:  apiConsulIngressServiceConfigToStructs(in.Defaults),
+	}
+}
+
+func apiConnectGatewayTLSSDSConfig(in *api.ConsulGatewayTLSSDSConfig) *structs.ConsulGatewayTLSSDSConfig {
+	if in == nil {
+		return nil
+	}
+
+	return &structs.ConsulGatewayTLSSDSConfig{
+		ClusterName:  in.ClusterName,
+		CertResource: in.CertResource,
 	}
 }
 
@@ -1543,6 +1568,7 @@ func apiConnectGatewayTLSConfig(in *api.ConsulGatewayTLSConfig) *structs.ConsulG
 		TLSMinVersion: in.TLSMinVersion,
 		TLSMaxVersion: in.TLSMaxVersion,
 		CipherSuites:  slices.Clone(in.CipherSuites),
+		SDS:           apiConnectGatewayTLSSDSConfig(in.SDS),
 	}
 }
 

diff --git a/command/agent/job_endpoint_test.go b/command/agent/job_endpoint_test.go
@@ -3863,6 +3863,12 @@ func TestConversion_ApiConsulConnectToStructs(t *testing.T) {
 							Hosts: []string{"host1"},
 						}},
 					}},
+					Meta: map[string]string{
+						"testKey": "testValue",
+					},
+					Defaults: &structs.ConsulIngressServiceConfig{
+						MaxConnections: pointer.Of(uint32(5120)),
+					},
 				},
 			},
 		}, ApiConsulConnectToStructs(
@@ -3883,6 +3889,12 @@ func TestConversion_ApiConsulConnectToStructs(t *testing.T) {
 								Hosts: []string{"host1"},
 							}},
 						}},
+						Meta: map[string]string{
+							"testKey": "testValue",
+						},
+						Defaults: &api.ConsulIngressServiceConfig{
+							MaxConnections: pointer.Of(uint32(5120)),
+						},
 					},
 				},
 			},

diff --git a/jobspec/parse_service.go b/jobspec/parse_service.go
@@ -538,12 +538,43 @@ func parseConsulIngressListener(o *ast.ObjectItem) (*api.ConsulIngressListener,
 	return &listener, nil
 }
 
+func parseConsulGatewayTLSSDS(o *ast.ObjectItem) (*api.ConsulGatewayTLSSDSConfig, error) {
+	valid := []string{
+		"cluster_name",
+		"cert_resource",
+	}
+
+	if err := checkHCLKeys(o.Val, valid); err != nil {
+		return nil, multierror.Prefix(err, "sds ->")
+	}
+
+	var sds api.ConsulGatewayTLSSDSConfig
+	var m map[string]interface{}
+	if err := hcl.DecodeObject(&m, o.Val); err != nil {
+		return nil, err
+	}
+
+	dec, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
+		Result: &sds,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	if err := dec.Decode(m); err != nil {
+		return nil, err
+	}
+
+	return &sds, nil
+}
+
 func parseConsulGatewayTLS(o *ast.ObjectItem) (*api.ConsulGatewayTLSConfig, error) {
 	valid := []string{
 		"enabled",
 		"tls_min_version",
 		"tls_max_version",
 		"cipher_suites",
+		"sds_config",
 	}
 
 	if err := checkHCLKeys(o.Val, valid); err != nil {
@@ -556,6 +587,8 @@ func parseConsulGatewayTLS(o *ast.ObjectItem) (*api.ConsulGatewayTLSConfig, erro
 		return nil, err
 	}
 
+	delete(m, "sds_config")
+
 	dec, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
 		Result: &tls,
 	})
@@ -567,13 +600,61 @@ func parseConsulGatewayTLS(o *ast.ObjectItem) (*api.ConsulGatewayTLSConfig, erro
 		return nil, err
 	}
 
+	// Parse SDS
+	var listVal *ast.ObjectList
+	if ot, ok := o.Val.(*ast.ObjectType); ok {
+		listVal = ot.List
+	} else {
+		return nil, fmt.Errorf("tls: should be an object")
+	}
+
+	so := listVal.Filter("sds_config")
+	if len(so.Items) > 0 {
+		tls.SDS, err = parseConsulGatewayTLSSDS(so.Items[0])
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return &tls, nil
 }
 
+func parseConsulIngressServiceConfig(o *ast.ObjectItem) (*api.ConsulIngressServiceConfig, error) {
+	valid := []string{
+		"max_connections",
+		"max_pending_requests",
+		"max_concurrent_requests",
+	}
+	if err := checkHCLKeys(o.Val, valid); err != nil {
+		return nil, multierror.Prefix(err, "defaults ->")
+	}
+
+	var defaults api.ConsulIngressServiceConfig
+	var m map[string]interface{}
+	if err := hcl.DecodeObject(&m, o.Val); err != nil {
+		return nil, err
+	}
+
+	dec, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
+		Result: &defaults,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	if err := dec.Decode(m); err != nil {
+		return nil, err
+	}
+
+	return &defaults, nil
+}
+
 func parseIngressConfigEntry(o *ast.ObjectItem) (*api.ConsulIngressConfigEntry, error) {
 	valid := []string{
 		"tls",
 		"listener",
+		"meta",
+		"defaults",
 	}
 
 	if err := checkHCLKeys(o.Val, valid); err != nil {
@@ -588,6 +669,19 @@ func parseIngressConfigEntry(o *ast.ObjectItem) (*api.ConsulIngressConfigEntry,
 
 	delete(m, "tls")
 	delete(m, "listener")
+	delete(m, "meta")
+	delete(m, "defaults")
+
+	dec, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
+		Result: &ingress,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	if err := dec.Decode(m); err != nil {
+		return nil, err
+	}
 
 	// Parse tls and listener(s)
 
@@ -620,6 +714,27 @@ func parseIngressConfigEntry(o *ast.ObjectItem) (*api.ConsulIngressConfigEntry,
 		}
 	}
 
+	// Parse meta
+	if metaO := listVal.Filter("meta"); len(metaO.Items) > 0 {
+		for _, o := range metaO.Elem().Items {
+			var m map[string]interface{}
+			if err := hcl.DecodeObject(&m, o.Val); err != nil {
+				return nil, err
+			}
+			if err := mapstructure.WeakDecode(m, &ingress.Meta); err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	// Parse Defaults
+	if defaultsO := listVal.Filter("defaults"); len(defaultsO.Items) > 0 {
+		ingress.Defaults, err = parseConsulIngressServiceConfig(defaultsO.Items[0])
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return &ingress, nil
 }