From 4df6da1da2f9f720f65b5fe9f80c7c7219238269 Mon Sep 17 00:00:00 2001
From: John Murret <john.murret@hashicorp.com>
Date: Wed, 3 Apr 2024 23:49:16 +0000
Subject: [PATCH 1/4] backport of commit
 0314f38235265b8659d0d3229df30d662000e9ca

---
 .../controllers/configentries/configentry_controller.go      | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/control-plane/controllers/configentries/configentry_controller.go b/control-plane/controllers/configentries/configentry_controller.go
index 9e9459308f..e739387a30 100644
--- a/control-plane/controllers/configentries/configentry_controller.go
+++ b/control-plane/controllers/configentries/configentry_controller.go
@@ -225,6 +225,7 @@ func (r *ConfigEntryController) ReconcileEntry(ctx context.Context, crdCtrl Cont
 
 	requiresMigration := false
 	sourceDatacenter := entry.GetMeta()[common.DatacenterKey]
+	matchesConsul := configEntry.MatchesConsul(entry)
 
 	// Check if the config entry is managed by our datacenter.
 	// Do not process resource if the entry was not created within our datacenter
@@ -236,7 +237,7 @@ func (r *ConfigEntryController) ReconcileEntry(ctx context.Context, crdCtrl Cont
 		// This functionality exists to help folks who are upgrading from older helm
 		// chart versions where they had previously created config entries themselves but
 		// now want to manage them through custom resources.
-		if configEntry.GetObjectMeta().Annotations[common.MigrateEntryKey] != common.MigrateEntryTrue {
+		if !matchesConsul && configEntry.GetObjectMeta().Annotations[common.MigrateEntryKey] != common.MigrateEntryTrue {
 			return r.syncFailed(ctx, logger, crdCtrl, configEntry, ExternallyManagedConfigError,
 				sourceDatacenterMismatchErr(sourceDatacenter))
 		}
@@ -244,7 +245,7 @@ func (r *ConfigEntryController) ReconcileEntry(ctx context.Context, crdCtrl Cont
 		requiresMigration = true
 	}
 
-	if !configEntry.MatchesConsul(entry) {
+	if !matchesConsul {
 		if requiresMigration {
 			// If we're migrating this config entry but the custom resource
 			// doesn't match what's in Consul currently we error out so that

From 0c2db4e49d311bee762a05aa6364e14091534d28 Mon Sep 17 00:00:00 2001
From: John Murret <john.murret@hashicorp.com>
Date: Thu, 4 Apr 2024 02:30:28 +0000
Subject: [PATCH 2/4] backport of commit
 00776690d4bad8c9120c4809d1ad07ca1d58c8cc

---
 .changelog/3873.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/3873.txt

diff --git a/.changelog/3873.txt b/.changelog/3873.txt
new file mode 100644
index 0000000000..e4c36d5e58
--- /dev/null
+++ b/.changelog/3873.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+ConfigEntries controller: Only error for config entries from different datacenters when the config entries are different
+```
\ No newline at end of file

From 3fb6379643c347718b4b71e940a33281340a029b Mon Sep 17 00:00:00 2001
From: John Murret <john.murret@hashicorp.com>
Date: Thu, 4 Apr 2024 03:33:21 +0000
Subject: [PATCH 3/4] backport of commit
 4f1b56d05031d36ee0371e841ced9bbbfdd6e72d

---
 .../configentries/configentry_controller.go   | 37 ++++++-------
 .../configentry_controller_test.go            | 55 +++++++++++++++----
 2 files changed, 63 insertions(+), 29 deletions(-)

diff --git a/control-plane/controllers/configentries/configentry_controller.go b/control-plane/controllers/configentries/configentry_controller.go
index e739387a30..c5ee063ace 100644
--- a/control-plane/controllers/configentries/configentry_controller.go
+++ b/control-plane/controllers/configentries/configentry_controller.go
@@ -225,27 +225,26 @@ func (r *ConfigEntryController) ReconcileEntry(ctx context.Context, crdCtrl Cont
 
 	requiresMigration := false
 	sourceDatacenter := entry.GetMeta()[common.DatacenterKey]
-	matchesConsul := configEntry.MatchesConsul(entry)
-
-	// Check if the config entry is managed by our datacenter.
-	// Do not process resource if the entry was not created within our datacenter
-	// as it was created in a different cluster which will be managing that config entry.
-	if sourceDatacenter != r.DatacenterName {
-
-		// Note that there is a special case where we will migrate a config entry
-		// that wasn't created by the controller if it has the migrate-entry annotation set to true.
-		// This functionality exists to help folks who are upgrading from older helm
-		// chart versions where they had previously created config entries themselves but
-		// now want to manage them through custom resources.
-		if !matchesConsul && configEntry.GetObjectMeta().Annotations[common.MigrateEntryKey] != common.MigrateEntryTrue {
-			return r.syncFailed(ctx, logger, crdCtrl, configEntry, ExternallyManagedConfigError,
-				sourceDatacenterMismatchErr(sourceDatacenter))
-		}
 
-		requiresMigration = true
-	}
+	if !configEntry.MatchesConsul(entry) {
+		// Check if the config entry is managed by our datacenter.
+		// Do not process resource if the entry was not created within our datacenter
+		// as it was created in a different cluster which will be managing that config entry.
+		if sourceDatacenter != r.DatacenterName {
+
+			// Note that there is a special case where we will migrate a config entry
+			// that wasn't created by the controller if it has the migrate-entry annotation set to true.
+			// This functionality exists to help folks who are upgrading from older helm
+			// chart versions where they had previously created config entries themselves but
+			// now want to manage them through custom resources.
+			if configEntry.GetObjectMeta().Annotations[common.MigrateEntryKey] != common.MigrateEntryTrue {
+				return r.syncFailed(ctx, logger, crdCtrl, configEntry, ExternallyManagedConfigError,
+					sourceDatacenterMismatchErr(sourceDatacenter))
+			}
+
+			requiresMigration = true
+		}
 
-	if !matchesConsul {
 		if requiresMigration {
 			// If we're migrating this config entry but the custom resource
 			// doesn't match what's in Consul currently we error out so that
diff --git a/control-plane/controllers/configentries/configentry_controller_test.go b/control-plane/controllers/configentries/configentry_controller_test.go
index faa153c323..bdfb1efa9e 100644
--- a/control-plane/controllers/configentries/configentry_controller_test.go
+++ b/control-plane/controllers/configentries/configentry_controller_test.go
@@ -5,6 +5,7 @@ package configentries
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"testing"
 	"time"
@@ -1683,16 +1684,37 @@ func TestConfigEntryControllers_doesNotCreateUnownedConfigEntry(t *testing.T) {
 	kubeNS := "default"
 
 	cases := []struct {
-		datacenterAnnotation string
-		expErr               string
+		name                    string
+		datacenterAnnotation    string
+		expErr                  error
+		expReason               string
+		makeDifferentFromConsul bool
 	}{
 		{
-			datacenterAnnotation: "",
-			expErr:               "config entry already exists in Consul",
+			name:                    "when dc annotation is blank and the config entry does not match consul, then error is thrown, entry is not synced and reason is it is externally managed.",
+			datacenterAnnotation:    "",
+			makeDifferentFromConsul: true,
+			expErr:                  errors.New("config entry already exists in Consul"),
+			expReason:               "ExternallyManagedConfigError",
 		},
 		{
-			datacenterAnnotation: "other-datacenter",
-			expErr:               "config entry managed in different datacenter: \"other-datacenter\"",
+			name:                    "when dc annotation is not blank and the config entry matches consul, then error is not thrown and it is marked as synced",
+			datacenterAnnotation:    "",
+			makeDifferentFromConsul: false,
+			expErr:                  nil,
+		},
+		{
+			name:                    "when dc annotation is not blank and the config entry does not match consul, then error is thrown, entry is not synced and reason is it is externally managed.",
+			datacenterAnnotation:    "other-datacenter",
+			makeDifferentFromConsul: true,
+			expErr:                  errors.New("config entry managed in different datacenter: \"other-datacenter\""),
+			expReason:               "ExternallyManagedConfigError",
+		},
+		{
+			name:                    "when dc annotation is not blank and the config entry matches consul, then error is not thrown and it is marked as synced",
+			datacenterAnnotation:    "other-datacenter",
+			makeDifferentFromConsul: false,
+			expErr:                  nil,
 		},
 	}
 
@@ -1714,6 +1736,11 @@ func TestConfigEntryControllers_doesNotCreateUnownedConfigEntry(t *testing.T) {
 			s.AddKnownTypes(v1alpha1.GroupVersion, svcDefaults)
 			fakeClient := fake.NewClientBuilder().WithScheme(s).WithRuntimeObjects(svcDefaults).Build()
 
+			// Change the config entry so protocol is https instead of http if test case says to
+			if c.makeDifferentFromConsul {
+				svcDefaults.Spec.Protocol = "https"
+			}
+
 			testClient := test.TestServerWithMockConnMgrWatcher(t, nil)
 			testClient.TestServer.WaitForServiceIntentions(t)
 			consulClient := testClient.APIClient
@@ -1749,7 +1776,7 @@ func TestConfigEntryControllers_doesNotCreateUnownedConfigEntry(t *testing.T) {
 				resp, err := reconciler.Reconcile(ctx, ctrl.Request{
 					NamespacedName: namespacedName,
 				})
-				req.EqualError(err, c.expErr)
+				req.Equal(err, c.expErr)
 				req.False(resp.Requeue)
 
 				// Now check that the object in Consul is as expected.
@@ -1761,9 +1788,17 @@ func TestConfigEntryControllers_doesNotCreateUnownedConfigEntry(t *testing.T) {
 				err = fakeClient.Get(ctx, namespacedName, svcDefaults)
 				req.NoError(err)
 				status, reason, errMsg := svcDefaults.SyncedCondition()
-				req.Equal(corev1.ConditionFalse, status)
-				req.Equal("ExternallyManagedConfigError", reason)
-				req.Equal(errMsg, c.expErr)
+				expectedStatus := corev1.ConditionFalse
+				if !c.makeDifferentFromConsul {
+					expectedStatus = corev1.ConditionTrue
+				}
+				req.Equal(expectedStatus, status)
+				if !c.makeDifferentFromConsul {
+					req.Equal(c.expReason, reason)
+				}
+				if c.expErr != nil {
+					req.Equal(errMsg, c.expErr.Error())
+				}
 			}
 		})
 	}

From 117b11514850e15edeeaa899a7ddacd41d5276ea Mon Sep 17 00:00:00 2001
From: John Murret <john.murret@hashicorp.com>
Date: Fri, 19 Apr 2024 20:30:28 +0000
Subject: [PATCH 4/4] backport of commit
 d25f320b24b3f5e2fce572c330a3d797bafa7b71

---
 .../configentries/configentry_controller.go   | 62 +++++++++----------
 1 file changed, 28 insertions(+), 34 deletions(-)

diff --git a/control-plane/controllers/configentries/configentry_controller.go b/control-plane/controllers/configentries/configentry_controller.go
index c5ee063ace..dc68aea619 100644
--- a/control-plane/controllers/configentries/configentry_controller.go
+++ b/control-plane/controllers/configentries/configentry_controller.go
@@ -183,7 +183,7 @@ func (r *ConfigEntryController) ReconcileEntry(ctx context.Context, crdCtrl Cont
 	}
 
 	// Check to see if consul has config entry with the same name
-	entry, _, err := consulClient.ConfigEntries().Get(configEntry.ConsulKind(), configEntry.ConsulName(), &capi.QueryOptions{
+	entryFromConsul, _, err := consulClient.ConfigEntries().Get(configEntry.ConsulKind(), configEntry.ConsulName(), &capi.QueryOptions{
 		Namespace: r.consulNamespace(consulEntry, configEntry.ConsulMirroringNS(), configEntry.ConsulGlobalResource()),
 	})
 	// If a config entry with this name does not exist
@@ -223,37 +223,31 @@ func (r *ConfigEntryController) ReconcileEntry(ctx context.Context, crdCtrl Cont
 		return r.syncFailed(ctx, logger, crdCtrl, configEntry, ConsulAgentError, err)
 	}
 
-	requiresMigration := false
-	sourceDatacenter := entry.GetMeta()[common.DatacenterKey]
-
-	if !configEntry.MatchesConsul(entry) {
-		// Check if the config entry is managed by our datacenter.
-		// Do not process resource if the entry was not created within our datacenter
-		// as it was created in a different cluster which will be managing that config entry.
-		if sourceDatacenter != r.DatacenterName {
-
-			// Note that there is a special case where we will migrate a config entry
-			// that wasn't created by the controller if it has the migrate-entry annotation set to true.
-			// This functionality exists to help folks who are upgrading from older helm
-			// chart versions where they had previously created config entries themselves but
-			// now want to manage them through custom resources.
-			if configEntry.GetObjectMeta().Annotations[common.MigrateEntryKey] != common.MigrateEntryTrue {
-				return r.syncFailed(ctx, logger, crdCtrl, configEntry, ExternallyManagedConfigError,
-					sourceDatacenterMismatchErr(sourceDatacenter))
-			}
-
-			requiresMigration = true
-		}
-
-		if requiresMigration {
-			// If we're migrating this config entry but the custom resource
-			// doesn't match what's in Consul currently we error out so that
-			// it doesn't overwrite something accidentally.
-			return r.syncFailed(ctx, logger, crdCtrl, configEntry, MigrationFailedError,
-				r.nonMatchingMigrationError(configEntry, entry))
-		}
-
-		logger.Info("config entry does not match consul", "modify-index", entry.GetModifyIndex())
+	sourceDatacenter := entryFromConsul.GetMeta()[common.DatacenterKey]
+	managedByThisDC := sourceDatacenter == r.DatacenterName
+	// Check if the config entry is managed by our datacenter.
+	// Do not process resource if the entry was not created within our datacenter
+	// as it was created in a different cluster which will be managing that config entry.
+	matchesConsul := configEntry.MatchesConsul(entryFromConsul)
+	// Note that there is a special case where we will migrate a config entry
+	// that wasn't created by the controller if it has the migrate-entry annotation set to true.
+	// This functionality exists to help folks who are upgrading from older helm
+	// chart versions where they had previously created config entries themselves but
+	// now want to manage them through custom resources.
+	hasMigrationKey := configEntry.GetObjectMeta().Annotations[common.MigrateEntryKey] == common.MigrateEntryTrue
+
+	switch {
+	case !matchesConsul && !managedByThisDC && !hasMigrationKey:
+		return r.syncFailed(ctx, logger, crdCtrl, configEntry, ExternallyManagedConfigError,
+			sourceDatacenterMismatchErr(sourceDatacenter))
+	case !matchesConsul && hasMigrationKey:
+		// If we're migrating this config entry but the custom resource
+		// doesn't match what's in Consul currently we error out so that
+		// it doesn't overwrite something accidentally.
+		return r.syncFailed(ctx, logger, crdCtrl, configEntry, MigrationFailedError,
+			r.nonMatchingMigrationError(configEntry, entryFromConsul))
+	case !matchesConsul:
+		logger.Info("config entry does not match consul", "modify-index", entryFromConsul.GetModifyIndex())
 		_, writeMeta, err := consulClient.ConfigEntries().Set(consulEntry, &capi.WriteOptions{
 			Namespace: r.consulNamespace(consulEntry, configEntry.ConsulMirroringNS(), configEntry.ConsulGlobalResource()),
 		})
@@ -263,7 +257,7 @@ func (r *ConfigEntryController) ReconcileEntry(ctx context.Context, crdCtrl Cont
 		}
 		logger.Info("config entry updated", "request-time", writeMeta.RequestTime)
 		return r.syncSuccessful(ctx, crdCtrl, configEntry)
-	} else if requiresMigration && entry.GetMeta()[common.DatacenterKey] != r.DatacenterName {
+	case hasMigrationKey && !managedByThisDC:
 		// If we get here then we're doing a migration and the entry in Consul
 		// matches the entry in Kubernetes. We just need to update the metadata
 		// of the entry in Consul to say that it's now managed by Kubernetes.
@@ -277,7 +271,7 @@ func (r *ConfigEntryController) ReconcileEntry(ctx context.Context, crdCtrl Cont
 		}
 		logger.Info("config entry migrated", "request-time", writeMeta.RequestTime)
 		return r.syncSuccessful(ctx, crdCtrl, configEntry)
-	} else if configEntry.SyncedConditionStatus() != corev1.ConditionTrue {
+	case configEntry.SyncedConditionStatus() != corev1.ConditionTrue:
 		return r.syncSuccessful(ctx, crdCtrl, configEntry)
 	}