Merge pull request #79 from hashicorp/ci/release-fix-depends

release/0.1.x: push updates from main

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,88 @@
+---
+name: Bug Report
+about: You're experiencing an issue with the Consul API Gateway that is different than the documented behavior.
+labels: bug
+
+---
+
+<!--- Please keep this note for the community --->
+
+### Community Note
+
+* Please vote on this issue by adding a 👍 [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
+* Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
+* If you are interested in working on this issue or have submitted a pull request, please leave a comment.
+
+<!--- Thank you for keeping this note for the community --->
+
+---
+
+<!--- When filing a bug, please include the following headings if possible. Any example text in this template can be deleted. --->
+
+### Overview of the Issue
+
+<!--- Please describe the issue you are having and how you encountered the problem. --->
+
+### Reproduction Steps
+
+<!--- 
+
+In order to effectively and quickly resolve the issue, please provide exact steps that allow us the reproduce the problem. If no steps are provided, then it will likely take longer to get the issue resolved. An example that you can follow is provided below. 
+
+Steps to reproduce this issue, eg:
+
+1. When creating a gateway with the following configuration:
+```
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: Gateway
+...
+```
+1. View error
+
+  --->
+
+### Logs
+
+<!---
+
+Provide log files from the gateway controller component by providing output from `kubectl logs` from the pod and container that is surfacing the issue. 
+
+<details>
+  <summary>Logs</summary>
+
+```
+output from 'kubectl logs':
+```
+
+</details>
+
+--->
+
+### Expected behavior
+
+<!--- What was the expected result after following the reproduction steps? --->
+
+### Environment details
+
+<!---
+
+If not already included, please provide the following:
+- `consul-api-gateway` version:
+- configuration used to deploy the gateway controller:
+
+Additionally, please provide details regarding the Kubernetes Infrastructure, as shown below:
+- Kubernetes version: v1.22.x
+- Consul Server version: v1.11.x
+- Consul-K8s version
+- Cloud Provider (If self-hosted, the Kubernetes provider utilized): EKS, AKS, GKE, OpenShift (and version), Rancher (and version), TKGI (and version)
+- Networking CNI plugin in use: Calico, Cilium, NSX-T 
+
+Any other information you can provide about the environment/deployment.
+--->
+
+
+### Additional Context
+
+<!---
+Additional context on the problem. Docs, links to blogs, or other material that lead you to discover this issue or were helpful in troubleshooting the issue. 
+--->

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Consul Discuss Forum
+    url: https://discuss.hashicorp.com/c/consul
+    about: Please check out our discussion forum. Ask a question or see if yours has already been answered there.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,34 @@
+---
+name: Feature Request
+about: If you have something you think the Consul API Gateway could improve or add support for.
+labels: enhancement
+
+---
+
+<!--- Please keep this note for the community --->
+
+### Community Note
+
+* Please vote on this issue by adding a 👍 [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
+* Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
+* If you are interested in working on this issue or have submitted a pull request, please leave a comment.
+
+<!--- Thank you for keeping this note for the community --->
+
+---
+
+#### Is your feature request related to a problem? Please describe.
+
+<!--- A clear and concise description of the problem you are facing. Describe what workarounds, if any, that you have tried prior to creating this feature request. --->
+
+#### Feature Description
+
+<!--- A description what this feature is and how it addresses the problem you are having. Describe potential UX for the feature if possible. --->
+
+#### Use Case(s)
+
+<!--- Use cases where this feature is applicable for Consul API Gateway tes (i.e. type of application, type of Consul use case i.e. Service Mesh, Service Discovery). --->
+
+#### Contributions
+
+<!--- Are you able to contribute the changes to make this feature work? --->

.github/pull_request_template.md

@@ -0,0 +1,14 @@
+Changes proposed in this PR:
+-
+-
+
+How I've tested this PR:
+
+How I expect reviewers to test this PR:
+
+
+Checklist:
+- [ ] Tests added
+- [ ] CHANGELOG entry added 
+  > HashiCorp engineers only, community PRs should not add a changelog entry.
+  > Entries should use present tense (e.g. Add support for...)

.github/workflows/build.yml

@@ -98,4 +98,4 @@ jobs:
           target: default
           arch: ${{matrix.arch}}
           tags: |
-            docker.io/hashicorp/${{env.repo}}:${{env.version}}
+            docker.io/hashicorp/${{env.repo}}:${{env.version}}

.github/workflows/ci.yml

@@ -1,8 +1,8 @@
 name: ci
 on:
-  push: 
+  push:
     branches: ["main"]
-  pull_request: 
+  pull_request:
     branches: ["main", "release/**"]
 env:
   GO_VERSION: '1.16'
@@ -31,7 +31,7 @@ jobs:
     name: unit test (consul-version=${{ matrix.consul-version }})
     strategy:
       matrix:
-        consul-version: [1.11.0-beta2, 1.11.0+ent-beta2]
+        consul-version: [1.11.2, 1.11.2+ent]
     runs-on: ubuntu-latest
     env:
       TEST_RESULTS_DIR: /tmp/test-results/consul@${{ matrix.consul-version }}

.release/ci.hcl

@@ -40,8 +40,36 @@ event "upload-dev" {
   }
 }
 
-event "sign" {
+event "security-scan-binaries" {
   depends = ["upload-dev"]
+  action "security-scan-binaries" {
+    organization = "hashicorp"
+    repository = "crt-workflows-common"
+    workflow = "security-scan-binaries"
+    config = "security-scan.hcl"
+  }
+
+  notification {
+    on = "fail"
+  }
+}
+
+event "security-scan-containers" {
+  depends = ["security-scan-binaries"]
+  action "security-scan-containers" {
+    organization = "hashicorp"
+    repository = "crt-workflows-common"
+    workflow = "security-scan-containers"
+    config = "security-scan.hcl"
+  }
+
+  notification {
+    on = "fail"
+  }
+}
+
+event "sign" {
+  depends = ["security-scan-containers"]
   action "sign" {
     organization = "hashicorp"
     repository = "crt-workflows-common"
@@ -64,4 +92,4 @@ event "verify" {
   notification {
     on = "always"
   }
-}
+}

.release/security-scan.hcl

@@ -0,0 +1,13 @@
+container {
+	dependencies = true
+	alpine_secdb = true
+	secrets      = true
+}
+
+binary {
+	secrets      = true
+	go_modules   = true
+	osv          = true
+	oss_index    = true
+	nvd          = true
+}

README.md

@@ -2,24 +2,27 @@
 
 # Overview
 
-The Consul API Gateway implements a North/South managed gateway that integrates natively with the Consul Service Mesh. Currently this
-is implemented as a Kubernetes Gateway Controller, but is meant to eventually work across multiple scheduler and runtime ecosystems.
+The Consul API Gateway is a dedicated ingress solution for intelligently routing traffic to applications
+running on a Consul Service Mesh. Currently it only runs on Kubernetes and is implemented as a
+Kubernetes Gateway Controller but, in future releases, it will work across multiple scheduler and
+runtime ecosystems.
 
 # Usage
 
-The Consul API Gateway project Kubernetes integration leverages connect-injected services managed by the
-[Consul K8s](https://github.com/hashicorp/consul-k8s) project. To use this project, make sure you have a running Kubernetes cluster and
-Consul 1.11 or greater installed [via Helm](https://github.com/hashicorp/consul-k8s#usage) with Connect injection support enabled.
+## Prerequisites  
 
-Our default `kustomization` manifests also assume that the Consul helm chart has TLS enabled. To install a compatible Consul instance via
-Helm, you can run the following commands:
+The Consul API Gateway must be installed on a Kubernetes cluster with the [Consul K8s](https://github.com/hashicorp/consul-k8s) service
+mesh deployed on it. The installed version of Consul must be `v1.11-beta2` or greater.
+
+The Consul Helm chart must be used, with specific settings, to install Consul on the Kubernetes
+cluster. This can be done with the following commands:
 
 ```bash
 helm repo add hashicorp https://helm.releases.hashicorp.com
-cat <<EOF | helm install consul hashicorp/consul --version 0.35.0 -f -
+cat <<EOF | helm install consul hashicorp/consul --version 0.39.0 -f -
 global:
   name: consul
-  image: "hashicorp/consul:1.11.0-beta2"
+  image: "hashicorp/consul:1.11.2"
   tls:
     enabled: true
 connectInject:
@@ -29,20 +32,38 @@ controller:
 EOF
 ```
 
-To install the gateway controller and a base Kubernetes `GatewayClass` that leverages the API Gateway, run the following commands:
+## Install the Tech Preview
+
+To install the Consul API Gateway controller and a base Kubernetes `GatewayClass` that leverages the
+API Gateway, run the following commands:
 
 ```bash
-kubectl apply -k "github.com/hashicorp/consul-api/gateway/config/crd?ref=v0.1.0-techpreview"
-kubectl apply -k "github.com/hashicorp/consul-api/gateway/config?ref=v0.1.0-techpreview"
+kubectl apply -k "github.com/hashicorp/consul-api-gateway/config/crd?ref=v0.1.0-beta"
+kubectl apply -k "github.com/hashicorp/consul-api-gateway/config?ref=v0.1.0-beta"
 ```
 
-You should now be able to deploy a Gateway by referencing the gateway class `default-consul-gateway-class` in a Kubernetes `Gateway`
-manifest.
+You should now be able to deploy a Gateway by referencing the gateway class `default-consul-gateway-class` in
+a Kubernetes `Gateway` manifest.
+
+## Configuring and Deploying API Gateways
+
+Consul API Gateways are configured and deployed via the [Kubernetes Gateway API](https://github.com/kubernetes-sigs/gateway-api) standard.
+The [Kubernetes Gateway API webite](https://gateway-api.sigs.k8s.io/) explains the design of the standard, examples of how to
+use it and the complete specification of the API. 
+
+The Consul API Gateway Tech Preview supports current version (`v1alpha2`) of the Gateway API.
+
+**Supported Features:** Please see [Supported Features](./dev/docs/supported-features.md) for a list of K8s Gateway API features
+supported by the current release of Consul API Gateway.
+
+# Tutorial
+
+For an example of how to deploy a Consul API Gateway and use it alongside [CertManager](https://github.com/jetstack/cert-manager) and
+[External DNS](https://github.com/kubernetes-sigs/external-dns), see the [Example Setup](./dev/docs/example-setup.md).
+
 
-For more detailed instructions and an example of how to use this alongside
-[CertManager](https://github.com/jetstack/cert-manager) and [External DNS](https://github.com/kubernetes-sigs/external-dns) see the
-[development documentation](./dev/docs/example-setup.md).
+# Contributing
 
-# Tutorials
+Thank you for your interest in contributing! Please refer to [CONTRIBUTING.md](https://github.com/hashicorp/consul-api-gateway/blob/main/.github/CONTRIBUTING.md#contributing) for guidance.
 
 For development, please see our [Quick Start](./dev/docs/getting-started.md) guide. Other documentation can be found inside our [in-repo developer documentation](./dev/docs).

config/crd/bases/api-gateway.consul.hashicorp.com_gatewayclassconfigs.yaml

@@ -52,6 +52,10 @@ spec:
                         description: The Kubernetes service account to authenticate
                           as.
                         type: string
+                      managed:
+                        description: Whether deployments should be run with "managed"
+                          service accounts created by the gateway controller.
+                        type: boolean
                       method:
                         description: The Consul auth method used for initial authentication
                           by consul-api-gateway.

config/deployment/deployment.yaml

@@ -20,7 +20,7 @@ spec:
     spec:
       serviceAccountName: consul-api-gateway-controller
       containers:
-      - image: hashicorp/consul-api-gateway:0.1.0-techpreview
+      - image: hashicorp/consul-api-gateway:0.1.0-beta
         command: ["consul-api-gateway", "server", "-consul-address", "$(HOST_IP):8501", "-ca-file", "/ca/tls.crt", "-sds-server-host", "$(IP)", "-k8s-namespace", "$(CONSUL_K8S_NAMESPACE)", "-log-level", "$(LOG_LEVEL)"]
         name: consul-api-gateway-controller
         ports:

config/rbac/role.yaml

@@ -81,6 +81,15 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -168,3 +177,29 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - tcproutes
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - tcproutes/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - tcproutes/status
+  verbs:
+  - get
+  - patch
+  - update