transparent proxy: add jobspec support

[tgross]

Add a transparent proxy block to the existing Connect sidecar service proxy block. This changeset is plumbing required to support transparent proxy configuration on the client, and is first of a series of PRs that will target the f-tproxy branch which we intend to ship in Nomad 1.8.

Ref: #10628
Ref: NMD-191 (internal link)

[angrycub]

Had some questions and it looks like the Equals func could have a bug.

[angrycub]

Since the error output is the same, could we simplify this to:

Suggested change

	e, ok := err.(*strconv.NumError)
	if !ok {
	return fmt.Errorf("invalid user ID %q: %w", uidRaw, err)
	}
	return fmt.Errorf("invalid user ID %q: %w", uidRaw, e.Err)
	return fmt.Errorf("invalid user ID %q: %w", uidRaw, e.Err)

[tgross]

strconv doesn't guarantee that we always get a strconv.NumError (although the current implementation always does), so we can't guarantee there's a Err field.

But also, it turns out the error output isn't the same, and the Err field removes repetition and Golang jargon the user doesn't care about. For example, on a range error for an input of max uint32:

• using e.Error() would be invalid user UID "4294967295": strconv.ParseUint parsing "4294967295": value is out of range
• using e.Err would be the much nicer invalid user UID "4294967295": value is out of range

[angrycub]

In the implementation, we check in validate if the provided UIDs are uints. Is the choice of string here to futureproof the value? Same question for ExcludeUIDs.

[tgross]

The Consul SDK we're writing to in the network configuration takes strings (likely for futureproofing, as you've noted), so we're using the same types here.

[angrycub]

Could/should this be expressed as

hashTags(h, helper.ConvertSlice(tp.ExcludeOutboundPorts, func(a uint16) string { return fmt.Sprint(a) } )

to match the consulTProxyDiff func?

[tgross]

The hash and the diff have two different consumers. The diff function is for showing the user plan diffs. Whereas the hash is for creating a stable service hash for purposes of creating a deterministic service ID we write to Consul. I'm not sure it makes sense to do extra allocations for this.

That being said given your question about the Equal method, maybe these all need to be sorted first.

[tgross]

Hm, having thought about it a bit more... all of the hash functions over slices take the user's order, even if the order isn't meaningful to Consul. The tags is a good example of that. Maybe better to keep similar to the other hash behavior.

[angrycub]

🚀

[github-actions]

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.