tproxy: networking hook changes

[tgross]

When transparent_proxy block is present and the network mode is bridge, use a different CNI configuration that includes the consul-cni plugin. Before invoking the CNI plugins, create a Consul SDK iptables.Config struct for the allocation. This includes:

• Use all the transparent_proxy block fields
• The reserved ports are added to the inbound exclusion list so the alloc is reachable from outside the mesh
• The expose blocks and check blocks with expose=true are added to the inbound exclusion list so health checks work.

The iptables.Config is then passed as a CNI argument to the consul-cni plugin.

Ref: #10628
Ref: hashicorp/consul-k8s#3795

---

This PR targets the feature branch. In addition to the new unit tests, I've verified the behavior of this PR with a build of consul-cni from hashicorp/consul-k8s#3795 and the following jobspec which is our usual "countdash" Connect example, but with transparent proxy and health checking added:

countdash with tproxy

job "countdash" {

  group "api" {
    network {
      mode = "bridge"
    }

    service {
      name = "count-api"
      port = "9001"

      check {
        type     = "http"
        path     = "/health"
        expose   = true
        interval = "3s"
        timeout  = "1s"

        check_restart {
          limit = 0
        }
      }

      connect {
        sidecar_service {
          proxy {
            transparent_proxy {}
          }
        }
      }
    }

    task "web" {
      driver = "docker"

      config {
        image          = "hashicorpdev/counter-api:v3"
        auth_soft_fail = true
      }
    }
  }

  group "dashboard" {
    network {
      mode = "bridge"

      port "http" {
        static = 9010
        to     = 9002
      }
    }

    service {
      name = "count-dashboard"
      port = "9002"

      check {
        type     = "http"
        path     = "/health"
        expose   = true
        interval = "3s"
        timeout  = "1s"

        check_restart {
          limit = 0
        }
      }

      connect {
        sidecar_service {
          proxy {
            transparent_proxy {}
          }
        }
      }
    }

    task "dashboard" {
      driver = "docker"

      env {
        COUNTING_SERVICE_URL = "http://count-api.virtual.consul:9001"
      }

      config {
        image          = "hashicorpdev/counter-dashboard:v3"
        auth_soft_fail = true
      }
    }
  }
}

[shoenig]

LGTM!!

[tgross]

Holding off merging this until this conversation is resolved: https://github.com/hashicorp/consul-k8s/pull/3795/files#r1539851537. If it takes a while to get resolved I might merge as-is anyways and then just push any change needed to the arg name to the feature branch as a separate commit. Resolved in 6f63b81

[gulducat]

looks good! just a few tidbits for your consideration

[github-actions]

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.