[release/1.1.x] config entry: add validate_clusters to mesh config entry

[ndhanushkodi]

Changes proposed in this PR

• add validate_clusters to mesh config entry
• k8s dependencies: controller-gen 0.14, k8s.io 0.28.13, controller-runtime 0.16
  • Our k8s compat matrix with Consul https://developer.hashicorp.com/consul/docs/k8s/compatibility says 1.23-1.28, and 1.23-1.25 still supports PSPs. So we need a version of k8s.io that also supports that. 0.29.x does not, but 0.28.x does
• go modules for 1.15.x line:
  api/v1.21.3
  envoyextensions/v0.2.2
  troubleshoot/v0.2.1

How I've tested this PR

How I expect reviewers to test this PR

Checklist

• Tests added
• CHANGELOG entry added

[zalimeni]

It looks like this is back to below labels in https://github.com/hashicorp/consul-k8s/blob/release/1.5.x/charts/consul/templates/crd-exportedservices-v1.yaml

Is it possible this is wrong? I don't see it in the spec schema for 1.28.14:

    "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionSpec": {
      "description": "CustomResourceDefinitionSpec describes how a user wants their resource to appear",
      "properties": {
        "conversion": {
          "$ref": "#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceConversion",
          "description": "conversion defines conversion settings for the CRD."
        },
        "group": {
          "description": "group is the API group of the defined custom resource. The custom resources are served under `/apis/<group>/...`. Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).",
          "type": "string"
        },
        "names": {
          "$ref": "#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionNames",
          "description": "names specify the resource and kind names for the custom resource."
        },
        "preserveUnknownFields": {
          "description": "preserveUnknownFields indicates that object fields which are not specified in the OpenAPI schema should be preserved when persisting to storage. apiVersion, kind, metadata and known fields inside metadata are always preserved. This field is deprecated in favor of setting `x-preserve-unknown-fields` to true in `spec.versions[*].schema.openAPIV3Schema`. See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#field-pruning for details.",
          "type": "boolean"
        },
        "scope": {
          "description": "scope indicates whether the defined custom resource is cluster- or namespace-scoped. Allowed values are `Cluster` and `Namespaced`.",
          "type": "string"
        },
        "versions": {
          "description": "versions is the list of all API versions of the defined custom resource. Version names are used to compute the order in which served versions are listed in API discovery. If the version string is \"kube-like\", it will sort above non \"kube-like\" version strings, which are ordered lexicographically. \"Kube-like\" versions start with a \"v\", then are followed by a number (the major version), then optionally the string \"alpha\" or \"beta\" and another number (the minor version). These are sorted first by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing major version, then minor version. An example sorted list of versions: v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.",
          "items": {
            "$ref": "#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionVersion"
          },
          "type": "array"
        }
      },
      "required": [
        "group",
        "names",
        "scope",
        "versions"
      ],
      "type": "object"
    },

[zalimeni]

Same question for the other templates below

[ndhanushkodi]

I fixed it! I tried syncing the makefile, and the copy-crds-to-chart hack script from 1.3.x to here, and then realized that the hack script does a very hacky thing and uses line numbers to insert labels into the CRD. I had to tweak the line number a bit (I think the license header or something like that was causing the issue)

[zalimeni]

Aha!! Nice find, glad we have an answer!

[zalimeni]

And we can probably come up with a nearly-equivalent func that avoids line number hacking. Will take a look tomorrow.

[zalimeni]

Tried improving on the blind line match that led to the bug: https://github.com/hashicorp/consul-k8s/pull/4268/files happy to punt to after these PRs close if you'd rather

[ndhanushkodi]

Thank you!! That's great!! I skimmed and it looks great but will take a deeper look right after the k8s release!

[zalimeni]

Couple of questions about schema and deps updates, but otherwise looking good!

[zalimeni]

Tried improving on the blind line match that led to the bug: https://github.com/hashicorp/consul-k8s/pull/4268/files happy to punt to after these PRs close if you'd rather

[zalimeni]

Couple of non-blocking comments, but LGTM! Thank you for working through this and all the hairy history 🙏🏻