Update HCP bootstrapping to support existing clusters (#16916)

* Persist HCP management token from server config

We want to move away from injecting an initial management token into
Consul clusters linked to HCP. The reasoning is that by using a separate
class of token we can have more flexibility in terms of allowing HCP's
token to co-exist with the user's management token.

Down the line we can also more easily adjust the permissions attached to
HCP's token to limit it's scope.

With these changes, the cloud management token is like the initial
management token in that iit has the same global management policy and
if it is created it effectively bootstraps the ACL system.

* Update SDK and mock HCP server

The HCP management token will now be sent in a special field rather than
as Consul's "initial management" token configuration.

This commit also updates the mock HCP server to more accurately reflect
the behavior of the CCM backend.

* Refactor HCP bootstrapping logic and add tests

We want to allow users to link Consul clusters that already exist to
HCP. Existing clusters need care when bootstrapped by HCP, since we do
not want to do things like change ACL/TLS settings for a running
cluster.

Additional changes:

* Deconstruct MaybeBootstrap so that it can be tested. The HCP Go SDK
  requires HTTPS to fetch a token from the Auth URL, even if the backend
  server is mocked. By pulling the hcp.Client creation out we can modify
  its TLS configuration in tests while keeping the secure behavior in
  production code.

* Add light validation for data received/loaded.

* Sanitize initial_management token from received config, since HCP will
  only ever use the CloudConfig.MangementToken.

* Add changelog entry

.changelog/16916.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+hcp: Add support for linking existing Consul clusters to HCP management plane.
+```

agent/agent.go

@@ -1517,6 +1517,8 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co
 	cfg.RequestLimitsWriteRate = runtimeCfg.RequestLimitsWriteRate
 	cfg.Locality = runtimeCfg.StructLocality()
 
+	cfg.Cloud.ManagementToken = runtimeCfg.Cloud.ManagementToken
+
 	cfg.Reporting.License.Enabled = runtimeCfg.Reporting.License.Enabled
 
 	enterpriseConsulConfig(cfg, runtimeCfg)

agent/config/builder.go

@@ -2527,18 +2527,23 @@ func validateAutoConfigAuthorizer(rt RuntimeConfig) error {
 	return nil
 }
 
-func (b *builder) cloudConfigVal(v *CloudConfigRaw) (val hcpconfig.CloudConfig) {
+func (b *builder) cloudConfigVal(v *CloudConfigRaw) hcpconfig.CloudConfig {
+	val := hcpconfig.CloudConfig{
+		ResourceID: os.Getenv("HCP_RESOURCE_ID"),
+	}
 	if v == nil {
 		return val
 	}
 
-	val.ResourceID = stringVal(v.ResourceID)
 	val.ClientID = stringVal(v.ClientID)
 	val.ClientSecret = stringVal(v.ClientSecret)
 	val.AuthURL = stringVal(v.AuthURL)
 	val.Hostname = stringVal(v.Hostname)
 	val.ScadaAddress = stringVal(v.ScadaAddress)
 
+	if resourceID := stringVal(v.ResourceID); resourceID != "" {
+		val.ResourceID = resourceID
+	}
 	return val
 }
 

agent/config/runtime.go

@@ -1749,6 +1749,9 @@ func (c *RuntimeConfig) Sanitized() map[string]interface{} {
 
 // IsCloudEnabled returns true if a cloud.resource_id is set and the server mode is enabled
 func (c *RuntimeConfig) IsCloudEnabled() bool {
+	if c == nil {
+		return false
+	}
 	return c.ServerMode && c.Cloud.ResourceID != ""
 }
 

agent/config/runtime_test.go

@@ -2301,6 +2301,74 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 			rt.HTTPUseCache = false
 		},
 	})
+	run(t, testCase{
+		desc: "cloud resource id from env",
+		args: []string{
+			`-server`,
+			`-data-dir=` + dataDir,
+		},
+		setup: func() {
+			os.Setenv("HCP_RESOURCE_ID", "env-id")
+			t.Cleanup(func() {
+				os.Unsetenv("HCP_RESOURCE_ID")
+			})
+		},
+		expected: func(rt *RuntimeConfig) {
+			rt.DataDir = dataDir
+			rt.Cloud = hcpconfig.CloudConfig{
+				// ID is only populated from env if not populated from other sources.
+				ResourceID: "env-id",
+			}
+
+			// server things
+			rt.ServerMode = true
+			rt.TLS.ServerMode = true
+			rt.LeaveOnTerm = false
+			rt.SkipLeaveOnInt = true
+			rt.RPCConfig.EnableStreaming = true
+			rt.GRPCTLSPort = 8503
+			rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
+		},
+	})
+	run(t, testCase{
+		desc: "cloud resource id from file",
+		args: []string{
+			`-server`,
+			`-data-dir=` + dataDir,
+		},
+		setup: func() {
+			os.Setenv("HCP_RESOURCE_ID", "env-id")
+			t.Cleanup(func() {
+				os.Unsetenv("HCP_RESOURCE_ID")
+			})
+		},
+		json: []string{`{
+			  "cloud": {
+              	"resource_id": "file-id" 
+              }
+			}`},
+		hcl: []string{`
+			  cloud = {
+	            resource_id = "file-id" 
+			  }
+			`},
+		expected: func(rt *RuntimeConfig) {
+			rt.DataDir = dataDir
+			rt.Cloud = hcpconfig.CloudConfig{
+				// ID is only populated from env if not populated from other sources.
+				ResourceID: "file-id",
+			}
+
+			// server things
+			rt.ServerMode = true
+			rt.TLS.ServerMode = true
+			rt.LeaveOnTerm = false
+			rt.SkipLeaveOnInt = true
+			rt.RPCConfig.EnableStreaming = true
+			rt.GRPCTLSPort = 8503
+			rt.GRPCTLSAddrs = []net.Addr{defaultGrpcTlsAddr}
+		},
+	})
 	run(t, testCase{
 		desc: "sidecar_service can't have ID",
 		args: []string{

agent/config/testdata/TestRuntimeConfig_Sanitize.golden

@@ -131,8 +131,10 @@
         "ClientID": "id",
         "ClientSecret": "hidden",
         "Hostname": "",
+        "ManagementToken": "hidden",
         "ResourceID": "cluster1",
-        "ScadaAddress": ""
+        "ScadaAddress": "",
+        "TLSConfig": null
     },
     "ConfigEntryBootstrap": [],
     "ConnectCAConfig": {},

agent/consul/acl_server.go

@@ -153,7 +153,7 @@ func (s *Server) ResolveIdentityFromToken(token string) (bool, structs.ACLIdenti
 	}
 	if aclToken == nil && token == acl.AnonymousTokenSecret {
 		// synthesize the anonymous token for early use, bootstrapping has not completed
-		s.InsertAnonymousToken()
+		s.insertAnonymousToken()
 		fallbackId := structs.ACLToken{
 			AccessorID:  acl.AnonymousTokenID,
 			SecretID:    acl.AnonymousTokenSecret,

agent/consul/config.go

@@ -441,6 +441,8 @@ type Config struct {
 
 	Locality *structs.Locality
 
+	Cloud CloudConfig
+
 	Reporting Reporting
 
 	// Embedded Consul Enterprise specific configuration

agent/consul/config_cloud.go

@@ -0,0 +1,5 @@
+package consul
+
+type CloudConfig struct {
+	ManagementToken string
+}

agent/consul/leader.go

@@ -450,72 +450,22 @@ func (s *Server) initializeACLs(ctx context.Context) error {
 
 		// Check for configured initial management token.
 		if initialManagement := s.config.ACLInitialManagementToken; len(initialManagement) > 0 {
-			state := s.fsm.State()
-			if _, err := uuid.ParseUUID(initialManagement); err != nil {
-				s.logger.Warn("Configuring a non-UUID initial management token is deprecated")
-			}
-
-			_, token, err := state.ACLTokenGetBySecret(nil, initialManagement, nil)
+			err := s.initializeManagementToken("Initial Management Token", initialManagement)
 			if err != nil {
-				return fmt.Errorf("failed to get initial management token: %v", err)
+				return fmt.Errorf("failed to initialize initial management token: %w", err)
 			}
-			// Ignoring expiration times to avoid an insertion collision.
-			if token == nil {
-				accessor, err := lib.GenerateUUID(s.checkTokenUUID)
-				if err != nil {
-					return fmt.Errorf("failed to generate the accessor ID for the initial management token: %v", err)
-				}
+		}
 
-				token := structs.ACLToken{
-					AccessorID:  accessor,
-					SecretID:    initialManagement,
-					Description: "Initial Management Token",
-					Policies: []structs.ACLTokenPolicyLink{
-						{
-							ID: structs.ACLPolicyGlobalManagementID,
-						},
-					},
-					CreateTime:     time.Now(),
-					Local:          false,
-					EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(),
-				}
-
-				token.SetHash(true)
-
-				done := false
-				if canBootstrap, _, err := state.CanBootstrapACLToken(); err == nil && canBootstrap {
-					req := structs.ACLTokenBootstrapRequest{
-						Token:      token,
-						ResetIndex: 0,
-					}
-					if _, err := s.raftApply(structs.ACLBootstrapRequestType, &req); err == nil {
-						s.logger.Info("Bootstrapped ACL initial management token from configuration")
-						done = true
-					} else {
-						if err.Error() != structs.ACLBootstrapNotAllowedErr.Error() &&
-							err.Error() != structs.ACLBootstrapInvalidResetIndexErr.Error() {
-							return fmt.Errorf("failed to bootstrap initial management token: %v", err)
-						}
-					}
-				}
-
-				if !done {
-					// either we didn't attempt to or setting the token with a bootstrap request failed.
-					req := structs.ACLTokenBatchSetRequest{
-						Tokens: structs.ACLTokens{&token},
-						CAS:    false,
-					}
-					if _, err := s.raftApply(structs.ACLTokenSetRequestType, &req); err != nil {
-						return fmt.Errorf("failed to create initial management token: %v", err)
-					}
-
-					s.logger.Info("Created ACL initial management token from configuration")
-				}
+		// Check for configured management token from HCP. It MUST NOT override the user-provided initial management token.
+		if hcpManagement := s.config.Cloud.ManagementToken; len(hcpManagement) > 0 {
+			err := s.initializeManagementToken("HCP Management Token", hcpManagement)
+			if err != nil {
+				return fmt.Errorf("failed to initialize HCP management token: %w", err)
 			}
 		}
 
 		// Insert the anonymous token if it does not exist.
-		if err := s.InsertAnonymousToken(); err != nil {
+		if err := s.insertAnonymousToken(); err != nil {
 			return err
 		}
 	} else {
@@ -540,7 +490,74 @@ func (s *Server) initializeACLs(ctx context.Context) error {
 	return nil
 }
 
-func (s *Server) InsertAnonymousToken() error {
+func (s *Server) initializeManagementToken(name, secretID string) error {
+	state := s.fsm.State()
+	if _, err := uuid.ParseUUID(secretID); err != nil {
+		s.logger.Warn("Configuring a non-UUID management token is deprecated")
+	}
+
+	_, token, err := state.ACLTokenGetBySecret(nil, secretID, nil)
+	if err != nil {
+		return fmt.Errorf("failed to get %s: %v", name, err)
+	}
+	// Ignoring expiration times to avoid an insertion collision.
+	if token == nil {
+		accessor, err := lib.GenerateUUID(s.checkTokenUUID)
+		if err != nil {
+			return fmt.Errorf("failed to generate the accessor ID for %s: %v", name, err)
+		}
+
+		token := structs.ACLToken{
+			AccessorID:  accessor,
+			SecretID:    secretID,
+			Description: name,
+			Policies: []structs.ACLTokenPolicyLink{
+				{
+					ID: structs.ACLPolicyGlobalManagementID,
+				},
+			},
+			CreateTime:     time.Now(),
+			Local:          false,
+			EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(),
+		}
+
+		token.SetHash(true)
+
+		done := false
+		if canBootstrap, _, err := state.CanBootstrapACLToken(); err == nil && canBootstrap {
+			req := structs.ACLTokenBootstrapRequest{
+				Token:      token,
+				ResetIndex: 0,
+			}
+			if _, err := s.raftApply(structs.ACLBootstrapRequestType, &req); err == nil {
+				s.logger.Info("Bootstrapped ACL token from configuration", "description", name)
+				done = true
+			} else {
+				if err.Error() != structs.ACLBootstrapNotAllowedErr.Error() &&
+					err.Error() != structs.ACLBootstrapInvalidResetIndexErr.Error() {
+					return fmt.Errorf("failed to bootstrap with %s: %v", name, err)
+				}
+			}
+		}
+
+		if !done {
+			// either we didn't attempt to or setting the token with a bootstrap request failed.
+			req := structs.ACLTokenBatchSetRequest{
+				Tokens: structs.ACLTokens{&token},
+				CAS:    false,
+			}
+			if _, err := s.raftApply(structs.ACLTokenSetRequestType, &req); err != nil {
+				return fmt.Errorf("failed to create %s: %v", name, err)
+			}
+
+			s.logger.Info("Created ACL token from configuration", "description", name)
+		}
+	}
+
+	return nil
+}
+
+func (s *Server) insertAnonymousToken() error {
 	state := s.fsm.State()
 	_, token, err := state.ACLTokenGetBySecret(nil, anonymousToken, nil)
 	if err != nil {

agent/consul/leader_test.go

@@ -1261,48 +1261,78 @@ func TestLeader_ACL_Initialization(t *testing.T) {
 
 	tests := []struct {
 		name              string
-		build             string
 		initialManagement string
-		bootstrap         bool
+		hcpManagement     string
+
+		// canBootstrap tracks whether the ACL system can be bootstrapped
+		// after the leader initializes ACLs. Bootstrapping is the act
+		// of persisting a token with the Global Management policy.
+		canBootstrap bool
 	}{
-		{"old version, no initial management", "0.8.0", "", true},
-		{"old version, initial management", "0.8.0", "root", false},
-		{"new version, no initial management", "0.9.1", "", true},
-		{"new version, initial management", "0.9.1", "root", false},
+		{
+			name:              "bootstrap from initial management",
+			initialManagement: "c9ad785a-420d-470d-9b4d-6d9f084bfa87",
+			hcpManagement:     "",
+			canBootstrap:      false,
+		},
+		{
+			name:              "bootstrap from hcp management",
+			initialManagement: "",
+			hcpManagement:     "924bc0e1-a41b-4f3a-b5e8-0899502fc50e",
+			canBootstrap:      false,
+		},
+		{
+			name:              "bootstrap with both",
+			initialManagement: "c9ad785a-420d-470d-9b4d-6d9f084bfa87",
+			hcpManagement:     "924bc0e1-a41b-4f3a-b5e8-0899502fc50e",
+			canBootstrap:      false,
+		},
+		{
+			name:              "did not bootstrap",
+			initialManagement: "",
+			hcpManagement:     "",
+			canBootstrap:      true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			conf := func(c *Config) {
-				c.Build = tt.build
 				c.Bootstrap = true
 				c.Datacenter = "dc1"
 				c.PrimaryDatacenter = "dc1"
 				c.ACLsEnabled = true
 				c.ACLInitialManagementToken = tt.initialManagement
+				c.Cloud.ManagementToken = tt.hcpManagement
 			}
-			dir1, s1 := testServerWithConfig(t, conf)
-			defer os.RemoveAll(dir1)
-			defer s1.Shutdown()
+			_, s1 := testServerWithConfig(t, conf)
 			testrpc.WaitForTestAgent(t, s1.RPC, "dc1")
 
+			_, policy, err := s1.fsm.State().ACLPolicyGetByID(nil, structs.ACLPolicyGlobalManagementID, nil)
+			require.NoError(t, err)
+			require.NotNil(t, policy)
+
 			if tt.initialManagement != "" {
 				_, initialManagement, err := s1.fsm.State().ACLTokenGetBySecret(nil, tt.initialManagement, nil)
 				require.NoError(t, err)
 				require.NotNil(t, initialManagement)
+				require.Equal(t, tt.initialManagement, initialManagement.SecretID)
 			}
 
+			if tt.hcpManagement != "" {
+				_, hcpManagement, err := s1.fsm.State().ACLTokenGetBySecret(nil, tt.hcpManagement, nil)
+				require.NoError(t, err)
+				require.NotNil(t, hcpManagement)
+				require.Equal(t, tt.hcpManagement, hcpManagement.SecretID)
+			}
+
+			canBootstrap, _, err := s1.fsm.State().CanBootstrapACLToken()
+			require.NoError(t, err)
+			require.Equal(t, tt.canBootstrap, canBootstrap)
+
 			_, anon, err := s1.fsm.State().ACLTokenGetBySecret(nil, anonymousToken, nil)
 			require.NoError(t, err)
 			require.NotNil(t, anon)
 
-			canBootstrap, _, err := s1.fsm.State().CanBootstrapACLToken()
-			require.NoError(t, err)
-			require.Equal(t, tt.bootstrap, canBootstrap)
-
-			_, policy, err := s1.fsm.State().ACLPolicyGetByID(nil, structs.ACLPolicyGlobalManagementID, nil)
-			require.NoError(t, err)
-			require.NotNil(t, policy)
-
 			serverToken, err := s1.GetSystemMetadata(structs.ServerManagementTokenAccessorID)
 			require.NoError(t, err)
 			require.NotEmpty(t, serverToken)

agent/hcp/bootstrap/bootstrap.go

@@ -10,7 +10,10 @@ package bootstrap
 import (
 	"bufio"
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"os"
@@ -19,17 +22,22 @@ import (
 	"time"
 
 	"github.com/hashicorp/consul/agent/config"
+	"github.com/hashicorp/consul/agent/connect"
 	"github.com/hashicorp/consul/agent/hcp"
 	"github.com/hashicorp/consul/lib"
 	"github.com/hashicorp/consul/lib/retry"
+	"github.com/hashicorp/go-uuid"
 )
 
 const (
-	caFileName     = "server-tls-cas.pem"
-	certFileName   = "server-tls-cert.pem"
-	keyFileName    = "server-tls-key.pem"
-	configFileName = "server-config.json"
-	subDir         = "hcp-config"
+	subDir = "hcp-config"
+
+	caFileName      = "server-tls-cas.pem"
+	certFileName    = "server-tls-cert.pem"
+	configFileName  = "server-config.json"
+	keyFileName     = "server-tls-key.pem"
+	tokenFileName   = "hcp-management-token"
+	successFileName = "successful-bootstrap"
 )
 
 type ConfigLoader func(source config.Source) (config.LoadResult, error)
@@ -46,44 +54,80 @@ type UI interface {
 	Error(string)
 }
 
-// MaybeBootstrap will use the passed ConfigLoader to read the existing
-// configuration, and if required attempt to bootstrap from HCP. It will retry
-// until successful or a terminal error condition is found (e.g. permission
-// denied). It must be passed a (CLI) UI implementation so it can deliver progress
+// RawBootstrapConfig contains the Consul config as a raw JSON string and the management token
+// which either was retrieved from persisted files or from the bootstrap endpoint
+type RawBootstrapConfig struct {
+	ConfigJSON      string
+	ManagementToken string
+}
+
+// LoadConfig will attempt to load previously-fetched config from disk and fall back to
+// fetch from HCP servers if the local data is incomplete.
+// It must be passed a (CLI) UI implementation so it can deliver progress
 // updates to the user, for example if it is waiting to retry for a long period.
-func MaybeBootstrap(ctx context.Context, loader ConfigLoader, ui UI) (bool, ConfigLoader, error) {
-	loader = wrapConfigLoader(loader)
-	res, err := loader(nil)
-	if err != nil {
-		return false, nil, err
-	}
-
-	// Check to see if this is a server and HCP is configured
-
-	if !res.RuntimeConfig.IsCloudEnabled() {
-		// Not a server, let agent continue unmodified
-		return false, loader, nil
-	}
-
-	ui.Output("Bootstrapping configuration from HCP")
+func LoadConfig(ctx context.Context, client hcp.Client, dataDir string, loader ConfigLoader, ui UI) (ConfigLoader, error) {
+	ui.Output("Loading configuration from HCP")
 
 	// See if we have existing config on disk
-	cfgJSON, ok := loadPersistedBootstrapConfig(res.RuntimeConfig, ui)
+	//
+	// OPTIMIZE: We could probably be more intelligent about config loading.
+	// The currently implemented approach is:
+	// 1. Attempt to load data from disk
+	// 2. If that fails or the data is incomplete, block indefinitely fetching remote config.
+	//
+	// What if instead we had the following flow:
+	// 1. Attempt to fetch config from HCP.
+	// 2. If that fails, fall back to data on disk from last fetch.
+	// 3. If that fails, go into blocking loop to fetch remote config.
+	//
+	// This should allow us to more gracefully transition cases like when
+	// an existing cluster is linked, but then wants to receive TLS materials
+	// at a later time. Currently, if we observe the existing-cluster marker we
+	// don't attempt to fetch any additional configuration from HCP.
 
+	cfg, ok := loadPersistedBootstrapConfig(dataDir, ui)
 	if !ok {
-		// Fetch from HCP
-		ui.Info("Fetching configuration from HCP")
-		cfgJSON, err = doHCPBootstrap(ctx, res.RuntimeConfig, ui)
+		ui.Info("Fetching configuration from HCP servers")
+
+		var err error
+		cfg, err = fetchBootstrapConfig(ctx, client, dataDir, ui)
 		if err != nil {
-			return false, nil, fmt.Errorf("failed to bootstrap from HCP: %w", err)
+			return nil, fmt.Errorf("failed to bootstrap from HCP: %w", err)
 		}
 		ui.Info("Configuration fetched from HCP and saved on local disk")
+
 	} else {
-		ui.Info("Loaded configuration from local disk")
+		ui.Info("Loaded HCP configuration from local disk")
+
 	}
 
 	// Create a new loader func to return
-	newLoader := func(source config.Source) (config.LoadResult, error) {
+	newLoader := bootstrapConfigLoader(loader, cfg)
+	return newLoader, nil
+}
+
+// bootstrapConfigLoader is a ConfigLoader for passing bootstrap JSON config received from HCP
+// to the config.builder. ConfigLoaders are functions used to build an agent's RuntimeConfig
+// from various sources like files and flags. This config is contained in the config.LoadResult.
+//
+// The flow to include bootstrap config from HCP as a loader's data source is as follows:
+//
+//  1. A base ConfigLoader function (baseLoader) is created on agent start, and it sets the input
+//     source argument as the DefaultConfig.
+//
+//  2. When a server agent can be configured by HCP that baseLoader is wrapped in this bootstrapConfigLoader.
+//
+//  3. The bootstrapConfigLoader calls that base loader with the bootstrap JSON config as the
+//     default source. This data will be merged with other valid sources in the config.builder.
+//
+//  4. The result of the call to baseLoader() below contains the resulting RuntimeConfig, and we do some
+//     additional modifications to attach data that doesn't get populated during the build in the config pkg.
+//
+// Note that since the ConfigJSON is stored as the baseLoader's DefaultConfig, its data is the first
+// to be merged by the config.builder and could be overwritten by user-provided values in config files or
+// CLI flags. However, values set to RuntimeConfig after the baseLoader call are final.
+func bootstrapConfigLoader(baseLoader ConfigLoader, cfg *RawBootstrapConfig) ConfigLoader {
+	return func(source config.Source) (config.LoadResult, error) {
 		// Don't allow any further attempts to provide a DefaultSource. This should
 		// only ever be needed later in client agent AutoConfig code but that should
 		// be mutually exclusive from this bootstrapping mechanism since this is
@@ -94,34 +138,50 @@ func MaybeBootstrap(ctx context.Context, loader ConfigLoader, ui UI) (bool, Conf
 			return config.LoadResult{},
 				fmt.Errorf("non-nil config source provided to a loader after HCP bootstrap already provided a DefaultSource")
 		}
+
 		// Otherwise, just call to the loader we were passed with our own additional
 		// JSON as the source.
-		s := config.FileSource{
+		//
+		// OPTIMIZE: We could check/log whether any fields set by the remote config were overwritten by a user-provided flag.
+		res, err := baseLoader(config.FileSource{
 			Name:   "HCP Bootstrap",
 			Format: "json",
-			Data:   cfgJSON,
-		}
-		return loader(s)
-	}
-
-	return true, newLoader, nil
-}
-
-func wrapConfigLoader(loader ConfigLoader) ConfigLoader {
-	return func(source config.Source) (config.LoadResult, error) {
-		res, err := loader(source)
+			Data:   cfg.ConfigJSON,
+		})
 		if err != nil {
-			return res, err
+			return res, fmt.Errorf("failed to load HCP Bootstrap config: %w", err)
 		}
 
-		if res.RuntimeConfig.Cloud.ResourceID == "" {
-			res.RuntimeConfig.Cloud.ResourceID = os.Getenv("HCP_RESOURCE_ID")
-		}
+		finalizeRuntimeConfig(res.RuntimeConfig, cfg)
 		return res, nil
 	}
 }
 
-func doHCPBootstrap(ctx context.Context, rc *config.RuntimeConfig, ui UI) (string, error) {
+const (
+	accessControlHeaderName  = "Access-Control-Expose-Headers"
+	accessControlHeaderValue = "x-consul-default-acl-policy"
+)
+
+// finalizeRuntimeConfig will set additional HCP-specific values that are not
+// handled by the config.builder.
+func finalizeRuntimeConfig(rc *config.RuntimeConfig, cfg *RawBootstrapConfig) {
+	rc.Cloud.ManagementToken = cfg.ManagementToken
+
+	// HTTP response headers are modified for the HCP UI to work.
+	if rc.HTTPResponseHeaders == nil {
+		rc.HTTPResponseHeaders = make(map[string]string)
+	}
+	prevValue, ok := rc.HTTPResponseHeaders[accessControlHeaderName]
+	if !ok {
+		rc.HTTPResponseHeaders[accessControlHeaderName] = accessControlHeaderValue
+	} else {
+		rc.HTTPResponseHeaders[accessControlHeaderName] = prevValue + "," + accessControlHeaderValue
+	}
+}
+
+// fetchBootstrapConfig will fetch boostrap configuration from remote servers and persist it to disk.
+// It will retry until successful or a terminal error condition is found (e.g. permission denied).
+func fetchBootstrapConfig(ctx context.Context, client hcp.Client, dataDir string, ui UI) (*RawBootstrapConfig, error) {
 	w := retry.Waiter{
 		MinWait: 1 * time.Second,
 		MaxWait: 5 * time.Minute,
@@ -129,12 +189,6 @@ func doHCPBootstrap(ctx context.Context, rc *config.RuntimeConfig, ui UI) (strin
 	}
 
 	var bsCfg *hcp.BootstrapConfig
-
-	client, err := hcp.NewClient(rc.Cloud)
-	if err != nil {
-		return "", err
-	}
-
 	for {
 		// Note we don't want to shadow `ctx` here since we need that for the Wait
 		// below.
@@ -143,10 +197,10 @@ func doHCPBootstrap(ctx context.Context, rc *config.RuntimeConfig, ui UI) (strin
 
 		resp, err := client.FetchBootstrap(reqCtx)
 		if err != nil {
-			ui.Error(fmt.Sprintf("failed to fetch bootstrap config from HCP, will retry in %s: %s",
+			ui.Error(fmt.Sprintf("Error: failed to fetch bootstrap config from HCP, will retry in %s: %s",
 				w.NextWait().Round(time.Second), err))
 			if err := w.Wait(ctx); err != nil {
-				return "", err
+				return nil, err
 			}
 			// Finished waiting, restart loop
 			continue
@@ -155,9 +209,24 @@ func doHCPBootstrap(ctx context.Context, rc *config.RuntimeConfig, ui UI) (strin
 		break
 	}
 
-	dataDir := rc.DataDir
-	shouldPersist := true
-	if dataDir == "" {
+	devMode := dataDir == ""
+
+	cfgJSON, err := persistAndProcessConfig(dataDir, devMode, bsCfg)
+	if err != nil {
+		return nil, fmt.Errorf("failed to persist config for existing cluster: %w", err)
+	}
+
+	return &RawBootstrapConfig{
+		ConfigJSON:      cfgJSON,
+		ManagementToken: bsCfg.ManagementToken,
+	}, nil
+}
+
+// persistAndProcessConfig is called when we receive data from CCM.
+// We validate and persist everything that was received, then also update
+// the JSON config as needed.
+func persistAndProcessConfig(dataDir string, devMode bool, bsCfg *hcp.BootstrapConfig) (string, error) {
+	if devMode {
 		// Agent in dev mode, we still need somewhere to persist the certs
 		// temporarily though to be able to start up at all since we don't support
 		// inline certs right now. Use temp dir
@@ -166,43 +235,94 @@ func doHCPBootstrap(ctx context.Context, rc *config.RuntimeConfig, ui UI) (strin
 			return "", fmt.Errorf("failed to create temp dir for certificates: %w", err)
 		}
 		dataDir = tmp
-		shouldPersist = false
 	}
 
-	// Persist the TLS cert files from the response since we need to refer to them
-	// as disk files either way.
-	if err := persistTLSCerts(dataDir, bsCfg); err != nil {
-		return "", fmt.Errorf("failed to persist TLS certificates to dir %q: %w", dataDir, err)
-	}
-	// Update the config JSON to include those TLS cert files
-	cfgJSON, err := injectTLSCerts(dataDir, bsCfg.ConsulConfig)
-	if err != nil {
-		return "", fmt.Errorf("failed to inject TLS Certs into bootstrap config: %w", err)
+	// Create subdir if it's not already there.
+	dir := filepath.Join(dataDir, subDir)
+	if err := lib.EnsurePath(dir, true); err != nil {
+		return "", fmt.Errorf("failed to ensure directory %q: %w", dir, err)
 	}
 
-	// Persist the final config we need to add for restarts. Assuming this wasn't
-	// a tmp dir to start with.
-	if shouldPersist {
-		if err := persistBootstrapConfig(dataDir, cfgJSON); err != nil {
-			return "", fmt.Errorf("failed to persist bootstrap config to dir %q: %w", dataDir, err)
+	// Parse just to a map for now as we only have to inject to a specific place
+	// and parsing whole Config struct is complicated...
+	var cfg map[string]any
+
+	if err := json.Unmarshal([]byte(bsCfg.ConsulConfig), &cfg); err != nil {
+		return "", fmt.Errorf("failed to unmarshal bootstrap config: %w", err)
+	}
+
+	// Avoid ever setting an initial_management token from HCP now that we can
+	// separately bootstrap an HCP management token with a distinct accessor ID.
+	//
+	// CCM will continue to return an initial_management token because previous versions of Consul
+	// cannot bootstrap an HCP management token distinct from the initial management token.
+	// This block can be deleted once CCM supports tailoring bootstrap config responses
+	// based on the version of Consul that requested it.
+	acls, aclsOK := cfg["acl"].(map[string]any)
+	if aclsOK {
+		tokens, tokensOK := acls["tokens"].(map[string]interface{})
+		if tokensOK {
+			delete(tokens, "initial_management")
 		}
 	}
 
+	var cfgJSON string
+	if bsCfg.TLSCert != "" {
+		if err := validateTLSCerts(bsCfg.TLSCert, bsCfg.TLSCertKey, bsCfg.TLSCAs); err != nil {
+			return "", fmt.Errorf("invalid certificates: %w", err)
+		}
+
+		// Persist the TLS cert files from the response since we need to refer to them
+		// as disk files either way.
+		if err := persistTLSCerts(dir, bsCfg.TLSCert, bsCfg.TLSCertKey, bsCfg.TLSCAs); err != nil {
+			return "", fmt.Errorf("failed to persist TLS certificates to dir %q: %w", dataDir, err)
+		}
+
+		// Store paths to the persisted TLS cert files.
+		cfg["ca_file"] = filepath.Join(dir, caFileName)
+		cfg["cert_file"] = filepath.Join(dir, certFileName)
+		cfg["key_file"] = filepath.Join(dir, keyFileName)
+
+		// Convert the bootstrap config map back into a string
+		cfgJSONBytes, err := json.Marshal(cfg)
+		if err != nil {
+			return "", err
+		}
+		cfgJSON = string(cfgJSONBytes)
+	}
+
+	if !devMode {
+		// Persist the final config we need to add so that it is available locally after a restart.
+		// Assuming the configured data dir wasn't a tmp dir to start with.
+		if err := persistBootstrapConfig(dir, cfgJSON); err != nil {
+			return "", fmt.Errorf("failed to persist bootstrap config: %w", err)
+		}
+
+		if err := validateManagementToken(bsCfg.ManagementToken); err != nil {
+			return "", fmt.Errorf("invalid management token: %w", err)
+		}
+		if err := persistManagementToken(dir, bsCfg.ManagementToken); err != nil {
+			return "", fmt.Errorf("failed to persist HCP management token: %w", err)
+		}
+
+		if err := persistSucessMarker(dir); err != nil {
+			return "", fmt.Errorf("failed to persist success marker: %w", err)
+		}
+	}
 	return cfgJSON, nil
 }
 
-func persistTLSCerts(dataDir string, bsCfg *hcp.BootstrapConfig) error {
-	dir := filepath.Join(dataDir, subDir)
+func persistSucessMarker(dir string) error {
+	name := filepath.Join(dir, successFileName)
+	return os.WriteFile(name, []byte(""), 0600)
 
-	if bsCfg.TLSCert == "" || bsCfg.TLSCertKey == "" {
+}
+
+func persistTLSCerts(dir string, serverCert, serverKey string, caCerts []string) error {
+	if serverCert == "" || serverKey == "" {
 		return fmt.Errorf("unexpected bootstrap response from HCP: missing TLS information")
 	}
 
-	// Create a subdir if it's not already there
-	if err := lib.EnsurePath(dir, true); err != nil {
-		return err
-	}
-
 	// Write out CA cert(s). We write them all to one file because Go's x509
 	// machinery will read as many certs as it finds from each PEM file provided
 	// and add them separaetly to the CertPool for validation
@@ -211,7 +331,7 @@ func persistTLSCerts(dataDir string, bsCfg *hcp.BootstrapConfig) error {
 		return err
 	}
 	bf := bufio.NewWriter(f)
-	for _, caPEM := range bsCfg.TLSCAs {
+	for _, caPEM := range caCerts {
 		bf.WriteString(caPEM + "\n")
 	}
 	if err := bf.Flush(); err != nil {
@@ -221,87 +341,243 @@ func persistTLSCerts(dataDir string, bsCfg *hcp.BootstrapConfig) error {
 		return err
 	}
 
-	if err := os.WriteFile(filepath.Join(dir, certFileName), []byte(bsCfg.TLSCert), 0600); err != nil {
+	if err := os.WriteFile(filepath.Join(dir, certFileName), []byte(serverCert), 0600); err != nil {
 		return err
 	}
 
-	if err := os.WriteFile(filepath.Join(dir, keyFileName), []byte(bsCfg.TLSCertKey), 0600); err != nil {
+	if err := os.WriteFile(filepath.Join(dir, keyFileName), []byte(serverKey), 0600); err != nil {
 		return err
 	}
 
 	return nil
 }
 
-func injectTLSCerts(dataDir string, bootstrapJSON string) (string, error) {
-	// Parse just to a map for now as we only have to inject to a specific place
-	// and parsing whole Config struct is complicated...
-	var cfg map[string]interface{}
-
-	if err := json.Unmarshal([]byte(bootstrapJSON), &cfg); err != nil {
-		return "", err
+// Basic validation to ensure a UUID was loaded.
+func validateManagementToken(token string) error {
+	if token == "" {
+		return errors.New("missing HCP management token")
 	}
 
-	// Inject TLS cert files
-	cfg["ca_file"] = filepath.Join(dataDir, subDir, caFileName)
-	cfg["cert_file"] = filepath.Join(dataDir, subDir, certFileName)
-	cfg["key_file"] = filepath.Join(dataDir, subDir, keyFileName)
-
-	jsonBs, err := json.Marshal(cfg)
-	if err != nil {
-		return "", err
+	if _, err := uuid.ParseUUID(token); err != nil {
+		return errors.New("management token is not a valid UUID")
 	}
-
-	return string(jsonBs), nil
+	return nil
 }
 
-func persistBootstrapConfig(dataDir, cfgJSON string) error {
+func persistManagementToken(dir, token string) error {
+	name := filepath.Join(dir, tokenFileName)
+	return os.WriteFile(name, []byte(token), 0600)
+}
+
+func persistBootstrapConfig(dir, cfgJSON string) error {
 	// Persist the important bits we got from bootstrapping. The TLS certs are
 	// already persisted, just need to persist the config we are going to add.
-	name := filepath.Join(dataDir, subDir, configFileName)
+	name := filepath.Join(dir, configFileName)
 	return os.WriteFile(name, []byte(cfgJSON), 0600)
 }
 
-func loadPersistedBootstrapConfig(rc *config.RuntimeConfig, ui UI) (string, bool) {
-	// Check if the files all exist
-	files := []string{
-		filepath.Join(rc.DataDir, subDir, configFileName),
-		filepath.Join(rc.DataDir, subDir, caFileName),
-		filepath.Join(rc.DataDir, subDir, certFileName),
-		filepath.Join(rc.DataDir, subDir, keyFileName),
-	}
-	hasSome := false
-	for _, name := range files {
-		if _, err := os.Stat(name); errors.Is(err, os.ErrNotExist) {
-			// At least one required file doesn't exist, failed loading. This is not
-			// an error though
-			if hasSome {
-				ui.Warn("ignoring incomplete local bootstrap config files")
-			}
-			return "", false
-		}
-		hasSome = true
+func loadPersistedBootstrapConfig(dataDir string, ui UI) (*RawBootstrapConfig, bool) {
+	if dataDir == "" {
+		// There's no files to load when in dev mode.
+		return nil, false
 	}
 
-	name := filepath.Join(rc.DataDir, subDir, configFileName)
-	jsonBs, err := os.ReadFile(name)
+	dir := filepath.Join(dataDir, subDir)
+
+	_, err := os.Stat(filepath.Join(dir, successFileName))
+	if os.IsNotExist(err) {
+		// Haven't bootstrapped from HCP.
+		return nil, false
+	}
 	if err != nil {
-		ui.Warn(fmt.Sprintf("failed to read local bootstrap config file, ignoring local files: %s", err))
-		return "", false
+		ui.Warn("failed to check for config on disk, re-fetching from HCP: " + err.Error())
+		return nil, false
 	}
 
-	// Check this looks non-empty at least
-	jsonStr := strings.TrimSpace(string(jsonBs))
-	// 50 is arbitrary but config containing the right secrets would always be
-	// bigger than this in JSON format so it is a reasonable test that this wasn't
-	// empty or just an empty JSON object or something.
-	if len(jsonStr) < 50 {
-		ui.Warn("ignoring incomplete local bootstrap config files")
-		return "", false
+	if err := checkCerts(dir); err != nil {
+		ui.Warn("failed to validate certs on disk, re-fetching from HCP: " + err.Error())
+		return nil, false
 	}
 
-	// TODO we could parse the certificates and check they are still valid here
-	// and force a reload if not. We could also attempt to parse config and check
-	// it's all valid just in case the local config was really old and has
-	// deprecated fields or something?
-	return jsonStr, true
+	configJSON, err := loadBootstrapConfigJSON(dataDir)
+	if err != nil {
+		ui.Warn("failed to load bootstrap config from disk, re-fetching from HCP: " + err.Error())
+		return nil, false
+	}
+
+	mgmtToken, err := loadManagementToken(dir)
+	if err != nil {
+		ui.Warn("failed to load HCP management token from disk, re-fetching from HCP: " + err.Error())
+		return nil, false
+	}
+
+	return &RawBootstrapConfig{
+		ConfigJSON:      configJSON,
+		ManagementToken: mgmtToken,
+	}, true
+}
+
+func loadBootstrapConfigJSON(dataDir string) (string, error) {
+	filename := filepath.Join(dataDir, subDir, configFileName)
+
+	_, err := os.Stat(filename)
+	if os.IsNotExist(err) {
+		return "", nil
+	}
+	if err != nil {
+		return "", fmt.Errorf("failed to check for bootstrap config: %w", err)
+	}
+
+	// Attempt to load persisted config to check for errors and basic validity.
+	// Errors here will raise issues like referencing unsupported config fields.
+	_, err = config.Load(config.LoadOpts{
+		ConfigFiles: []string{filename},
+		HCL: []string{
+			"server = true",
+			`bind_addr = "127.0.0.1"`,
+			fmt.Sprintf("data_dir = %q", dataDir),
+		},
+		ConfigFormat: "json",
+	})
+	if err != nil {
+		return "", fmt.Errorf("failed to parse local bootstrap config: %w", err)
+	}
+
+	jsonBs, err := os.ReadFile(filename)
+	if err != nil {
+		return "", fmt.Errorf(fmt.Sprintf("failed to read local bootstrap config file: %s", err))
+	}
+	return strings.TrimSpace(string(jsonBs)), nil
+}
+
+func loadManagementToken(dir string) (string, error) {
+	name := filepath.Join(dir, tokenFileName)
+	bytes, err := os.ReadFile(name)
+	if os.IsNotExist(err) {
+		return "", errors.New("configuration files on disk are incomplete, missing: " + name)
+	}
+	if err != nil {
+		return "", fmt.Errorf("failed to read: %w", err)
+	}
+
+	token := string(bytes)
+	if err := validateManagementToken(token); err != nil {
+		return "", fmt.Errorf("invalid management token: %w", err)
+	}
+
+	return token, nil
+}
+
+func checkCerts(dir string) error {
+	files := []string{
+		filepath.Join(dir, caFileName),
+		filepath.Join(dir, certFileName),
+		filepath.Join(dir, keyFileName),
+	}
+
+	missing := make([]string, 0)
+	for _, file := range files {
+		_, err := os.Stat(file)
+		if os.IsNotExist(err) {
+			missing = append(missing, file)
+			continue
+		}
+		if err != nil {
+			return err
+		}
+	}
+
+	// If all the TLS files are missing, assume this is intentional.
+	// Existing clusters do not receive any TLS certs.
+	if len(missing) == len(files) {
+		return nil
+	}
+
+	// If only some of the files are missing, something went wrong.
+	if len(missing) > 0 {
+		return fmt.Errorf("configuration files on disk are incomplete, missing: %v", missing)
+	}
+
+	cert, key, caCerts, err := loadCerts(dir)
+	if err != nil {
+		return fmt.Errorf("failed to load certs from disk: %w", err)
+	}
+
+	if err = validateTLSCerts(cert, key, caCerts); err != nil {
+		return fmt.Errorf("invalid certs on disk: %w", err)
+	}
+	return nil
+}
+
+func loadCerts(dir string) (cert, key string, caCerts []string, err error) {
+	certPEMBlock, err := os.ReadFile(filepath.Join(dir, certFileName))
+	if err != nil {
+		return "", "", nil, err
+	}
+	keyPEMBlock, err := os.ReadFile(filepath.Join(dir, keyFileName))
+	if err != nil {
+		return "", "", nil, err
+	}
+
+	caPEMs, err := os.ReadFile(filepath.Join(dir, caFileName))
+	if err != nil {
+		return "", "", nil, err
+	}
+	caCerts, err = splitCACerts(caPEMs)
+	if err != nil {
+		return "", "", nil, fmt.Errorf("failed to parse CA certs: %w", err)
+	}
+
+	return string(certPEMBlock), string(keyPEMBlock), caCerts, nil
+}
+
+// splitCACerts takes a list of concatenated PEM blocks and splits
+// them back up into strings. This is used because CACerts are written
+// into a single file, but validated individually.
+func splitCACerts(caPEMs []byte) ([]string, error) {
+	var out []string
+
+	for {
+		nextBlock, remaining := pem.Decode(caPEMs)
+		if nextBlock == nil {
+			break
+		}
+		if nextBlock.Type != "CERTIFICATE" {
+			return nil, fmt.Errorf("PEM-block should be CERTIFICATE type")
+		}
+
+		// Collect up to the start of the remaining bytes.
+		// We don't grab nextBlock.Bytes because it's not PEM encoded.
+		out = append(out, string(caPEMs[:len(caPEMs)-len(remaining)]))
+		caPEMs = remaining
+	}
+
+	if len(out) == 0 {
+		return nil, errors.New("invalid CA certificate")
+	}
+	return out, nil
+}
+
+// validateTLSCerts checks that the CA cert, server cert, and key on disk are structurally valid.
+//
+// OPTIMIZE: This could be improved by returning an error if certs are expired or close to expiration.
+// However, that requires issuing new certs on bootstrap requests, since returning an error
+// would trigger a re-fetch from HCP.
+func validateTLSCerts(cert, key string, caCerts []string) error {
+	leaf, err := tls.X509KeyPair([]byte(cert), []byte(key))
+	if err != nil {
+		return errors.New("invalid server certificate or key")
+	}
+	_, err = x509.ParseCertificate(leaf.Certificate[0])
+	if err != nil {
+		return errors.New("invalid server certificate")
+	}
+
+	for _, caCert := range caCerts {
+		_, err = connect.ParseCert(caCert)
+		if err != nil {
+			return errors.New("invalid CA certificate")
+		}
+	}
+	return nil
 }

agent/hcp/bootstrap/bootstrap_test.go

@@ -0,0 +1,467 @@
+package bootstrap
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/hashicorp/consul/agent/config"
+	"github.com/hashicorp/consul/agent/hcp"
+	"github.com/hashicorp/consul/lib"
+	"github.com/hashicorp/consul/tlsutil"
+	"github.com/hashicorp/go-uuid"
+	"github.com/mitchellh/cli"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBootstrapConfigLoader(t *testing.T) {
+	baseLoader := func(source config.Source) (config.LoadResult, error) {
+		return config.Load(config.LoadOpts{
+			DefaultConfig: source,
+			HCL: []string{
+				`server = true`,
+				`bind_addr = "127.0.0.1"`,
+				`data_dir = "/tmp/consul-data"`,
+			},
+		})
+	}
+
+	bootstrapLoader := func(source config.Source) (config.LoadResult, error) {
+		return bootstrapConfigLoader(baseLoader, &RawBootstrapConfig{
+			ConfigJSON:      `{"bootstrap_expect": 8}`,
+			ManagementToken: "test-token",
+		})(source)
+	}
+
+	result, err := bootstrapLoader(nil)
+	require.NoError(t, err)
+
+	// bootstrap_expect and management token are injected from bootstrap config received from HCP.
+	require.Equal(t, 8, result.RuntimeConfig.BootstrapExpect)
+	require.Equal(t, "test-token", result.RuntimeConfig.Cloud.ManagementToken)
+
+	// Response header is always injected from a constant.
+	require.Equal(t, "x-consul-default-acl-policy", result.RuntimeConfig.HTTPResponseHeaders[accessControlHeaderName])
+}
+
+func Test_finalizeRuntimeConfig(t *testing.T) {
+	type testCase struct {
+		rc       *config.RuntimeConfig
+		cfg      *RawBootstrapConfig
+		verifyFn func(t *testing.T, rc *config.RuntimeConfig)
+	}
+	run := func(t *testing.T, tc testCase) {
+		finalizeRuntimeConfig(tc.rc, tc.cfg)
+		tc.verifyFn(t, tc.rc)
+	}
+
+	tt := map[string]testCase{
+		"set header if not present": {
+			rc: &config.RuntimeConfig{},
+			cfg: &RawBootstrapConfig{
+				ManagementToken: "test-token",
+			},
+			verifyFn: func(t *testing.T, rc *config.RuntimeConfig) {
+				require.Equal(t, "test-token", rc.Cloud.ManagementToken)
+				require.Equal(t, "x-consul-default-acl-policy", rc.HTTPResponseHeaders[accessControlHeaderName])
+			},
+		},
+		"append to header if present": {
+			rc: &config.RuntimeConfig{
+				HTTPResponseHeaders: map[string]string{
+					accessControlHeaderName: "Content-Encoding",
+				},
+			},
+			cfg: &RawBootstrapConfig{
+				ManagementToken: "test-token",
+			},
+			verifyFn: func(t *testing.T, rc *config.RuntimeConfig) {
+				require.Equal(t, "test-token", rc.Cloud.ManagementToken)
+				require.Equal(t, "Content-Encoding,x-consul-default-acl-policy", rc.HTTPResponseHeaders[accessControlHeaderName])
+			},
+		},
+	}
+
+	for name, tc := range tt {
+		t.Run(name, func(t *testing.T) {
+			run(t, tc)
+		})
+	}
+}
+
+func boolPtr(value bool) *bool {
+	return &value
+}
+
+func TestLoadConfig_Persistence(t *testing.T) {
+	type testCase struct {
+		// resourceID is the HCP resource ID. If set, a server is considered to be cloud-enabled.
+		resourceID string
+
+		// devMode indicates whether the loader should not have a data directory.
+		devMode bool
+
+		// verifyFn issues case-specific assertions.
+		verifyFn func(t *testing.T, rc *config.RuntimeConfig)
+	}
+
+	run := func(t *testing.T, tc testCase) {
+		dir, err := os.MkdirTemp(os.TempDir(), "bootstrap-test-")
+		require.NoError(t, err)
+		t.Cleanup(func() { os.RemoveAll(dir) })
+
+		s := hcp.NewMockHCPServer()
+		s.AddEndpoint(TestEndpoint())
+
+		// Use an HTTPS server since that's what the HCP SDK expects for auth.
+		srv := httptest.NewTLSServer(s)
+		defer srv.Close()
+
+		caCert, err := x509.ParseCertificate(srv.TLS.Certificates[0].Certificate[0])
+		require.NoError(t, err)
+
+		pool := x509.NewCertPool()
+		pool.AddCert(caCert)
+		clientTLS := &tls.Config{RootCAs: pool}
+
+		baseOpts := config.LoadOpts{
+			HCL: []string{
+				`server = true`,
+				`bind_addr = "127.0.0.1"`,
+				fmt.Sprintf(`http_config = { response_headers = { %s = "Content-Encoding" } }`, accessControlHeaderName),
+				fmt.Sprintf(`cloud { client_id="test" client_secret="test" hostname=%q auth_url=%q resource_id=%q }`,
+					srv.Listener.Addr().String(), srv.URL, tc.resourceID),
+			},
+		}
+		if tc.devMode {
+			baseOpts.DevMode = boolPtr(true)
+		} else {
+			baseOpts.HCL = append(baseOpts.HCL, fmt.Sprintf(`data_dir = %q`, dir))
+		}
+
+		baseLoader := func(source config.Source) (config.LoadResult, error) {
+			baseOpts.DefaultConfig = source
+			return config.Load(baseOpts)
+		}
+
+		ui := cli.NewMockUi()
+
+		// Load initial config to check whether bootstrapping from HCP is enabled.
+		initial, err := baseLoader(nil)
+		require.NoError(t, err)
+
+		// Override the client TLS config so that the test server can be trusted.
+		initial.RuntimeConfig.Cloud.WithTLSConfig(clientTLS)
+		client, err := hcp.NewClient(initial.RuntimeConfig.Cloud)
+		require.NoError(t, err)
+
+		loader, err := LoadConfig(context.Background(), client, initial.RuntimeConfig.DataDir, baseLoader, ui)
+		require.NoError(t, err)
+
+		// Load the agent config with the potentially wrapped loader.
+		fromRemote, err := loader(nil)
+		require.NoError(t, err)
+
+		// HCP-enabled cases should fetch from HCP on the first run of LoadConfig.
+		require.Contains(t, ui.OutputWriter.String(), "Fetching configuration from HCP")
+
+		// Run case-specific verification.
+		tc.verifyFn(t, fromRemote.RuntimeConfig)
+
+		require.Empty(t, fromRemote.RuntimeConfig.ACLInitialManagementToken,
+			"initial_management token should have been sanitized")
+
+		if tc.devMode {
+			// Re-running the bootstrap func below isn't relevant to dev mode
+			// since they don't have a data directory to load data from.
+			return
+		}
+
+		// Run LoadConfig again to exercise the logic of loading config from disk.
+		loader, err = LoadConfig(context.Background(), client, initial.RuntimeConfig.DataDir, baseLoader, ui)
+		require.NoError(t, err)
+
+		fromDisk, err := loader(nil)
+		require.NoError(t, err)
+
+		// HCP-enabled cases should fetch from disk on the second run.
+		require.Contains(t, ui.OutputWriter.String(), "Loaded HCP configuration from local disk")
+
+		// Config loaded from disk should be the same as the one that was initially fetched from the HCP servers.
+		require.Equal(t, fromRemote.RuntimeConfig, fromDisk.RuntimeConfig)
+	}
+
+	tt := map[string]testCase{
+		"dev mode": {
+			devMode: true,
+
+			resourceID: "organization/0b9de9a3-8403-4ca6-aba8-fca752f42100/" +
+				"project/0b9de9a3-8403-4ca6-aba8-fca752f42100/" +
+				"consul.cluster/new-cluster-id",
+
+			verifyFn: func(t *testing.T, rc *config.RuntimeConfig) {
+				require.Empty(t, rc.DataDir)
+
+				// Dev mode should have persisted certs since they can't be inlined.
+				require.NotEmpty(t, rc.TLS.HTTPS.CertFile)
+				require.NotEmpty(t, rc.TLS.HTTPS.KeyFile)
+				require.NotEmpty(t, rc.TLS.HTTPS.CAFile)
+
+				// Find the temporary directory they got stored in.
+				dir := filepath.Dir(rc.TLS.HTTPS.CertFile)
+
+				// Ensure we only stored the TLS materials.
+				entries, err := os.ReadDir(dir)
+				require.NoError(t, err)
+				require.Len(t, entries, 3)
+
+				haveFiles := make([]string, 3)
+				for i, entry := range entries {
+					haveFiles[i] = entry.Name()
+				}
+
+				wantFiles := []string{caFileName, certFileName, keyFileName}
+				require.ElementsMatch(t, wantFiles, haveFiles)
+			},
+		},
+		"new cluster": {
+			resourceID: "organization/0b9de9a3-8403-4ca6-aba8-fca752f42100/" +
+				"project/0b9de9a3-8403-4ca6-aba8-fca752f42100/" +
+				"consul.cluster/new-cluster-id",
+
+			// New clusters should have received and persisted the whole suite of config.
+			verifyFn: func(t *testing.T, rc *config.RuntimeConfig) {
+				dir := filepath.Join(rc.DataDir, subDir)
+
+				entries, err := os.ReadDir(dir)
+				require.NoError(t, err)
+				require.Len(t, entries, 6)
+
+				files := []string{
+					filepath.Join(dir, configFileName),
+					filepath.Join(dir, caFileName),
+					filepath.Join(dir, certFileName),
+					filepath.Join(dir, keyFileName),
+					filepath.Join(dir, tokenFileName),
+					filepath.Join(dir, successFileName),
+				}
+				for _, name := range files {
+					_, err := os.Stat(name)
+					require.NoError(t, err)
+				}
+
+				require.Equal(t, filepath.Join(dir, certFileName), rc.TLS.HTTPS.CertFile)
+				require.Equal(t, filepath.Join(dir, keyFileName), rc.TLS.HTTPS.KeyFile)
+				require.Equal(t, filepath.Join(dir, caFileName), rc.TLS.HTTPS.CAFile)
+
+				cert, key, caCerts, err := loadCerts(dir)
+				require.NoError(t, err)
+
+				require.NoError(t, validateTLSCerts(cert, key, caCerts))
+			},
+		},
+		"existing cluster": {
+			resourceID: "organization/0b9de9a3-8403-4ca6-aba8-fca752f42100/" +
+				"project/0b9de9a3-8403-4ca6-aba8-fca752f42100/" +
+				"consul.cluster/" + TestExistingClusterID,
+
+			// Existing clusters should have only received and persisted the management token.
+			verifyFn: func(t *testing.T, rc *config.RuntimeConfig) {
+				dir := filepath.Join(rc.DataDir, subDir)
+
+				entries, err := os.ReadDir(dir)
+				require.NoError(t, err)
+				require.Len(t, entries, 3)
+
+				files := []string{
+					filepath.Join(dir, tokenFileName),
+					filepath.Join(dir, successFileName),
+					filepath.Join(dir, configFileName),
+				}
+				for _, name := range files {
+					_, err := os.Stat(name)
+					require.NoError(t, err)
+				}
+			},
+		},
+	}
+
+	for name, tc := range tt {
+		t.Run(name, func(t *testing.T) {
+			run(t, tc)
+		})
+	}
+}
+
+func Test_loadPersistedBootstrapConfig(t *testing.T) {
+	type expect struct {
+		loaded  bool
+		warning string
+	}
+	type testCase struct {
+		existingCluster bool
+		mutateFn        func(t *testing.T, dir string)
+		expect          expect
+	}
+
+	run := func(t *testing.T, tc testCase) {
+		dataDir, err := os.MkdirTemp(os.TempDir(), "load-bootstrap-test-")
+		require.NoError(t, err)
+		t.Cleanup(func() { os.RemoveAll(dataDir) })
+
+		dir := filepath.Join(dataDir, subDir)
+
+		// Do some common setup as if we received config from HCP and persisted it to disk.
+		require.NoError(t, lib.EnsurePath(dir, true))
+		require.NoError(t, persistSucessMarker(dir))
+
+		if !tc.existingCluster {
+			caCert, caKey, err := tlsutil.GenerateCA(tlsutil.CAOpts{})
+			require.NoError(t, err)
+
+			serverCert, serverKey, err := testLeaf(caCert, caKey)
+			require.NoError(t, err)
+			require.NoError(t, persistTLSCerts(dir, serverCert, serverKey, []string{caCert}))
+
+			cfgJSON := `{"bootstrap_expect": 8}`
+			require.NoError(t, persistBootstrapConfig(dir, cfgJSON))
+		}
+
+		token, err := uuid.GenerateUUID()
+		require.NoError(t, err)
+		require.NoError(t, persistManagementToken(dir, token))
+
+		// Optionally mutate the persisted data to trigger errors while loading.
+		if tc.mutateFn != nil {
+			tc.mutateFn(t, dir)
+		}
+
+		ui := cli.NewMockUi()
+		cfg, loaded := loadPersistedBootstrapConfig(dataDir, ui)
+		require.Equal(t, tc.expect.loaded, loaded, ui.ErrorWriter.String())
+		if loaded {
+			require.Equal(t, token, cfg.ManagementToken)
+			require.Empty(t, ui.ErrorWriter.String())
+
+		} else {
+			require.Nil(t, cfg)
+			require.Contains(t, ui.ErrorWriter.String(), tc.expect.warning)
+		}
+	}
+
+	tt := map[string]testCase{
+		"existing cluster with valid files": {
+			existingCluster: true,
+			// Don't mutate, files from setup are valid.
+			mutateFn: nil,
+			expect: expect{
+				loaded:  true,
+				warning: "",
+			},
+		},
+		"existing cluster missing token": {
+			existingCluster: true,
+			mutateFn: func(t *testing.T, dir string) {
+				// Remove the token file while leaving the existing cluster marker.
+				require.NoError(t, os.Remove(filepath.Join(dir, tokenFileName)))
+			},
+			expect: expect{
+				loaded:  false,
+				warning: "configuration files on disk are incomplete",
+			},
+		},
+		"existing cluster no files": {
+			existingCluster: true,
+			mutateFn: func(t *testing.T, dir string) {
+				// Remove all files
+				require.NoError(t, os.RemoveAll(dir))
+			},
+			expect: expect{
+				loaded: false,
+				// No warnings since we assume we need to fetch config from HCP for the first time.
+				warning: "",
+			},
+		},
+		"new cluster with valid files": {
+			// Don't mutate, files from setup are valid.
+			mutateFn: nil,
+			expect: expect{
+				loaded:  true,
+				warning: "",
+			},
+		},
+		"new cluster some files": {
+			mutateFn: func(t *testing.T, dir string) {
+				// Remove one of the required files
+				require.NoError(t, os.Remove(filepath.Join(dir, certFileName)))
+			},
+			expect: expect{
+				loaded:  false,
+				warning: "configuration files on disk are incomplete",
+			},
+		},
+		"new cluster no files": {
+			mutateFn: func(t *testing.T, dir string) {
+				// Remove all files
+				require.NoError(t, os.RemoveAll(dir))
+			},
+			expect: expect{
+				loaded: false,
+				// No warnings since we assume we need to fetch config from HCP for the first time.
+				warning: "",
+			},
+		},
+		"new cluster invalid cert": {
+			mutateFn: func(t *testing.T, dir string) {
+				name := filepath.Join(dir, certFileName)
+				require.NoError(t, os.WriteFile(name, []byte("not-a-cert"), 0600))
+			},
+			expect: expect{
+				loaded:  false,
+				warning: "invalid server certificate",
+			},
+		},
+		"new cluster invalid CA": {
+			mutateFn: func(t *testing.T, dir string) {
+				name := filepath.Join(dir, caFileName)
+				require.NoError(t, os.WriteFile(name, []byte("not-a-ca-cert"), 0600))
+			},
+			expect: expect{
+				loaded:  false,
+				warning: "invalid CA certificate",
+			},
+		},
+		"new cluster invalid config flag": {
+			mutateFn: func(t *testing.T, dir string) {
+				name := filepath.Join(dir, configFileName)
+				require.NoError(t, os.WriteFile(name, []byte(`{"not_a_consul_agent_config_field" = "zap"}`), 0600))
+			},
+			expect: expect{
+				loaded:  false,
+				warning: "failed to parse local bootstrap config",
+			},
+		},
+		"existing cluster invalid token": {
+			existingCluster: true,
+			mutateFn: func(t *testing.T, dir string) {
+				name := filepath.Join(dir, tokenFileName)
+				require.NoError(t, os.WriteFile(name, []byte("not-a-uuid"), 0600))
+			},
+			expect: expect{
+				loaded:  false,
+				warning: "is not a valid UUID",
+			},
+		},
+	}
+
+	for name, tc := range tt {
+		t.Run(name, func(t *testing.T) {
+			run(t, tc)
+		})
+	}
+}

agent/hcp/bootstrap/testing.go

@@ -13,12 +13,11 @@ import (
 	"net/http"
 	"strings"
 
-	gnmmod "github.com/hashicorp/hcp-sdk-go/clients/cloud-global-network-manager-service/preview/2022-02-15/models"
-	"github.com/hashicorp/hcp-sdk-go/resource"
-
 	"github.com/hashicorp/consul/agent/hcp"
 	"github.com/hashicorp/consul/tlsutil"
 	"github.com/hashicorp/go-uuid"
+	gnmmod "github.com/hashicorp/hcp-sdk-go/clients/cloud-global-network-manager-service/preview/2022-02-15/models"
+	"github.com/hashicorp/hcp-sdk-go/resource"
 )
 
 // TestEndpoint returns an hcp.TestEndpoint to be used in an hcp.MockHCPServer.
@@ -49,39 +48,58 @@ func handleBootstrap(data map[string]gnmmod.HashicorpCloudGlobalNetworkManager20
 	return resp, nil
 }
 
-func generateClusterData(cluster resource.Resource) (gnmmod.HashicorpCloudGlobalNetworkManager20220215AgentBootstrapResponse, error) {
-	resp := gnmmod.HashicorpCloudGlobalNetworkManager20220215AgentBootstrapResponse{
-		Cluster: &gnmmod.HashicorpCloudGlobalNetworkManager20220215Cluster{},
-		Bootstrap: &gnmmod.HashicorpCloudGlobalNetworkManager20220215ClusterBootstrap{
-			ServerTLS: &gnmmod.HashicorpCloudGlobalNetworkManager20220215ServerTLS{},
-		},
-	}
+const TestExistingClusterID = "133114e7-9745-41ce-b1c9-9644a20d2952"
 
-	CACert, CAKey, err := tlsutil.GenerateCA(tlsutil.CAOpts{})
+func testLeaf(caCert, caKey string) (serverCert, serverKey string, err error) {
+	signer, err := tlsutil.ParseSigner(caKey)
 	if err != nil {
-		return resp, err
+		return "", "", err
 	}
 
-	resp.Bootstrap.ServerTLS.CertificateAuthorities = append(resp.Bootstrap.ServerTLS.CertificateAuthorities, CACert)
-	signer, err := tlsutil.ParseSigner(CAKey)
-	if err != nil {
-		return resp, err
-	}
-
-	cert, priv, err := tlsutil.GenerateCert(tlsutil.CertOpts{
+	serverCert, serverKey, err = tlsutil.GenerateCert(tlsutil.CertOpts{
 		Signer:      signer,
-		CA:          CACert,
+		CA:          caCert,
 		Name:        "server.dc1.consul",
 		Days:        30,
 		DNSNames:    []string{"server.dc1.consul", "localhost"},
 		IPAddresses: append([]net.IP{}, net.ParseIP("127.0.0.1")),
 		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
 	})
+	if err != nil {
+		return "", "", err
+	}
+	return serverCert, serverKey, nil
+}
+
+func generateClusterData(cluster resource.Resource) (gnmmod.HashicorpCloudGlobalNetworkManager20220215AgentBootstrapResponse, error) {
+	resp := gnmmod.HashicorpCloudGlobalNetworkManager20220215AgentBootstrapResponse{
+		Cluster: &gnmmod.HashicorpCloudGlobalNetworkManager20220215Cluster{},
+		Bootstrap: &gnmmod.HashicorpCloudGlobalNetworkManager20220215ClusterBootstrap{
+			ServerTLS: &gnmmod.HashicorpCloudGlobalNetworkManager20220215ServerTLS{},
+		},
+	}
+	if cluster.ID == TestExistingClusterID {
+		token, err := uuid.GenerateUUID()
+		if err != nil {
+			return resp, err
+		}
+		resp.Bootstrap.ConsulConfig = "{}"
+		resp.Bootstrap.ManagementToken = token
+		return resp, nil
+	}
+
+	caCert, caKey, err := tlsutil.GenerateCA(tlsutil.CAOpts{})
 	if err != nil {
 		return resp, err
 	}
-	resp.Bootstrap.ServerTLS.Cert = cert
-	resp.Bootstrap.ServerTLS.PrivateKey = priv
+	serverCert, serverKey, err := testLeaf(caCert, caKey)
+	if err != nil {
+		return resp, err
+	}
+
+	resp.Bootstrap.ServerTLS.CertificateAuthorities = append(resp.Bootstrap.ServerTLS.CertificateAuthorities, caCert)
+	resp.Bootstrap.ServerTLS.Cert = serverCert
+	resp.Bootstrap.ServerTLS.PrivateKey = serverKey
 
 	// Generate Config. We don't use the read config.Config struct because it
 	// doesn't have `omitempty` which makes the output gross. We only want a tiny
@@ -116,8 +134,9 @@ func generateClusterData(cluster resource.Resource) (gnmmod.HashicorpCloudGlobal
 
 		// Enable HTTPS port, disable HTTP
 		"ports": map[string]interface{}{
-			"https": 8501,
-			"http":  -1,
+			"https":    8501,
+			"http":     -1,
+			"grpc_tls": 8503,
 		},
 
 		// RAFT Peers
@@ -128,16 +147,18 @@ func generateClusterData(cluster resource.Resource) (gnmmod.HashicorpCloudGlobal
 	}
 
 	// ACLs
-	management, err := uuid.GenerateUUID()
+	token, err := uuid.GenerateUUID()
 	if err != nil {
 		return resp, err
 	}
+	resp.Bootstrap.ManagementToken = token
+
 	cfg["acl"] = map[string]interface{}{
 		"tokens": map[string]interface{}{
-			"initial_management": management,
-			// Also setup the server's own agent token to be the same so it has
+			// Also setup the server's own agent token to be the management token so it has
 			// permission to register itself.
-			"agent": management,
+			"agent":              token,
+			"initial_management": token,
 		},
 		"default_policy":           "deny",
 		"enabled":                  true,

agent/hcp/client.go

@@ -37,6 +37,7 @@ type BootstrapConfig struct {
 	TLSCertKey      string
 	TLSCAs          []string
 	ConsulConfig    string
+	ManagementToken string
 }
 
 type hcpClient struct {
@@ -106,6 +107,7 @@ func bootstrapConfigFromHCP(res *gnmmod.HashicorpCloudGlobalNetworkManager202202
 		TLSCertKey:      serverTLS.PrivateKey,
 		TLSCAs:          serverTLS.CertificateAuthorities,
 		ConsulConfig:    res.Bootstrap.ConsulConfig,
+		ManagementToken: res.Bootstrap.ManagementToken,
 	}
 }
 
@@ -115,7 +117,7 @@ func (c *hcpClient) PushServerStatus(ctx context.Context, s *ServerStatus) error
 		WithLocationOrganizationID(c.resource.Organization).
 		WithLocationProjectID(c.resource.Project)
 
-	params.SetBody(&gnmmod.HashicorpCloudGlobalNetworkManager20220215AgentPushServerStateRequest{
+	params.SetBody(hcpgnm.AgentPushServerStateBody{
 		ServerState: serverStatusToHCP(s),
 	})
 

agent/hcp/config/config.go

@@ -17,20 +17,34 @@ type CloudConfig struct {
 	Hostname     string
 	AuthURL      string
 	ScadaAddress string
+
+	// Management token used by HCP management plane.
+	// Cannot be set via config files.
+	ManagementToken string
+
+	// TlsConfig for testing.
+	TLSConfig *tls.Config
+}
+
+func (c *CloudConfig) WithTLSConfig(cfg *tls.Config) {
+	c.TLSConfig = cfg
 }
 
 func (c *CloudConfig) HCPConfig(opts ...hcpcfg.HCPConfigOption) (hcpcfg.HCPConfig, error) {
+	if c.TLSConfig == nil {
+		c.TLSConfig = &tls.Config{}
+	}
 	if c.ClientID != "" && c.ClientSecret != "" {
 		opts = append(opts, hcpcfg.WithClientCredentials(c.ClientID, c.ClientSecret))
 	}
 	if c.AuthURL != "" {
-		opts = append(opts, hcpcfg.WithAuth(c.AuthURL, &tls.Config{}))
+		opts = append(opts, hcpcfg.WithAuth(c.AuthURL, c.TLSConfig))
 	}
 	if c.Hostname != "" {
-		opts = append(opts, hcpcfg.WithAPI(c.Hostname, &tls.Config{}))
+		opts = append(opts, hcpcfg.WithAPI(c.Hostname, c.TLSConfig))
 	}
 	if c.ScadaAddress != "" {
-		opts = append(opts, hcpcfg.WithSCADA(c.ScadaAddress, &tls.Config{}))
+		opts = append(opts, hcpcfg.WithSCADA(c.ScadaAddress, c.TLSConfig))
 	}
 	opts = append(opts, hcpcfg.FromEnv())
 	return hcpcfg.NewHCPConfig(opts...)

agent/hcp/scada/mock_Provider.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.15.0. DO NOT EDIT.
+// Code generated by mockery v2.20.0. DO NOT EDIT.
 
 package scada
 
@@ -7,6 +7,8 @@ import (
 
 	mock "github.com/stretchr/testify/mock"
 
+	provider "github.com/hashicorp/hcp-scada-provider"
+
 	time "time"
 )
 
@@ -23,6 +25,98 @@ func (_m *MockProvider) EXPECT() *MockProvider_Expecter {
 	return &MockProvider_Expecter{mock: &_m.Mock}
 }
 
+// AddMeta provides a mock function with given fields: _a0
+func (_m *MockProvider) AddMeta(_a0 ...provider.Meta) {
+	_va := make([]interface{}, len(_a0))
+	for _i := range _a0 {
+		_va[_i] = _a0[_i]
+	}
+	var _ca []interface{}
+	_ca = append(_ca, _va...)
+	_m.Called(_ca...)
+}
+
+// MockProvider_AddMeta_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AddMeta'
+type MockProvider_AddMeta_Call struct {
+	*mock.Call
+}
+
+// AddMeta is a helper method to define mock.On call
+//   - _a0 ...provider.Meta
+func (_e *MockProvider_Expecter) AddMeta(_a0 ...interface{}) *MockProvider_AddMeta_Call {
+	return &MockProvider_AddMeta_Call{Call: _e.mock.On("AddMeta",
+		append([]interface{}{}, _a0...)...)}
+}
+
+func (_c *MockProvider_AddMeta_Call) Run(run func(_a0 ...provider.Meta)) *MockProvider_AddMeta_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		variadicArgs := make([]provider.Meta, len(args)-0)
+		for i, a := range args[0:] {
+			if a != nil {
+				variadicArgs[i] = a.(provider.Meta)
+			}
+		}
+		run(variadicArgs...)
+	})
+	return _c
+}
+
+func (_c *MockProvider_AddMeta_Call) Return() *MockProvider_AddMeta_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockProvider_AddMeta_Call) RunAndReturn(run func(...provider.Meta)) *MockProvider_AddMeta_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// DeleteMeta provides a mock function with given fields: _a0
+func (_m *MockProvider) DeleteMeta(_a0 ...string) {
+	_va := make([]interface{}, len(_a0))
+	for _i := range _a0 {
+		_va[_i] = _a0[_i]
+	}
+	var _ca []interface{}
+	_ca = append(_ca, _va...)
+	_m.Called(_ca...)
+}
+
+// MockProvider_DeleteMeta_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DeleteMeta'
+type MockProvider_DeleteMeta_Call struct {
+	*mock.Call
+}
+
+// DeleteMeta is a helper method to define mock.On call
+//   - _a0 ...string
+func (_e *MockProvider_Expecter) DeleteMeta(_a0 ...interface{}) *MockProvider_DeleteMeta_Call {
+	return &MockProvider_DeleteMeta_Call{Call: _e.mock.On("DeleteMeta",
+		append([]interface{}{}, _a0...)...)}
+}
+
+func (_c *MockProvider_DeleteMeta_Call) Run(run func(_a0 ...string)) *MockProvider_DeleteMeta_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		variadicArgs := make([]string, len(args)-0)
+		for i, a := range args[0:] {
+			if a != nil {
+				variadicArgs[i] = a.(string)
+			}
+		}
+		run(variadicArgs...)
+	})
+	return _c
+}
+
+func (_c *MockProvider_DeleteMeta_Call) Return() *MockProvider_DeleteMeta_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockProvider_DeleteMeta_Call) RunAndReturn(run func(...string)) *MockProvider_DeleteMeta_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
 // GetMeta provides a mock function with given fields:
 func (_m *MockProvider) GetMeta() map[string]string {
 	ret := _m.Called()
@@ -61,18 +155,26 @@ func (_c *MockProvider_GetMeta_Call) Return(_a0 map[string]string) *MockProvider
 	return _c
 }
 
+func (_c *MockProvider_GetMeta_Call) RunAndReturn(run func() map[string]string) *MockProvider_GetMeta_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
 // LastError provides a mock function with given fields:
 func (_m *MockProvider) LastError() (time.Time, error) {
 	ret := _m.Called()
 
 	var r0 time.Time
+	var r1 error
+	if rf, ok := ret.Get(0).(func() (time.Time, error)); ok {
+		return rf()
+	}
 	if rf, ok := ret.Get(0).(func() time.Time); ok {
 		r0 = rf()
 	} else {
 		r0 = ret.Get(0).(time.Time)
 	}
 
-	var r1 error
 	if rf, ok := ret.Get(1).(func() error); ok {
 		r1 = rf()
 	} else {
@@ -104,11 +206,20 @@ func (_c *MockProvider_LastError_Call) Return(_a0 time.Time, _a1 error) *MockPro
 	return _c
 }
 
+func (_c *MockProvider_LastError_Call) RunAndReturn(run func() (time.Time, error)) *MockProvider_LastError_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
 // Listen provides a mock function with given fields: capability
 func (_m *MockProvider) Listen(capability string) (net.Listener, error) {
 	ret := _m.Called(capability)
 
 	var r0 net.Listener
+	var r1 error
+	if rf, ok := ret.Get(0).(func(string) (net.Listener, error)); ok {
+		return rf(capability)
+	}
 	if rf, ok := ret.Get(0).(func(string) net.Listener); ok {
 		r0 = rf(capability)
 	} else {
@@ -117,7 +228,6 @@ func (_m *MockProvider) Listen(capability string) (net.Listener, error) {
 		}
 	}
 
-	var r1 error
 	if rf, ok := ret.Get(1).(func(string) error); ok {
 		r1 = rf(capability)
 	} else {
@@ -150,6 +260,11 @@ func (_c *MockProvider_Listen_Call) Return(_a0 net.Listener, _a1 error) *MockPro
 	return _c
 }
 
+func (_c *MockProvider_Listen_Call) RunAndReturn(run func(string) (net.Listener, error)) *MockProvider_Listen_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
 // SessionStatus provides a mock function with given fields:
 func (_m *MockProvider) SessionStatus() string {
 	ret := _m.Called()
@@ -186,6 +301,11 @@ func (_c *MockProvider_SessionStatus_Call) Return(_a0 string) *MockProvider_Sess
 	return _c
 }
 
+func (_c *MockProvider_SessionStatus_Call) RunAndReturn(run func() string) *MockProvider_SessionStatus_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
 // Start provides a mock function with given fields:
 func (_m *MockProvider) Start() error {
 	ret := _m.Called()
@@ -222,6 +342,11 @@ func (_c *MockProvider_Start_Call) Return(_a0 error) *MockProvider_Start_Call {
 	return _c
 }
 
+func (_c *MockProvider_Start_Call) RunAndReturn(run func() error) *MockProvider_Start_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
 // Stop provides a mock function with given fields:
 func (_m *MockProvider) Stop() error {
 	ret := _m.Called()
@@ -258,6 +383,11 @@ func (_c *MockProvider_Stop_Call) Return(_a0 error) *MockProvider_Stop_Call {
 	return _c
 }
 
+func (_c *MockProvider_Stop_Call) RunAndReturn(run func() error) *MockProvider_Stop_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
 // UpdateMeta provides a mock function with given fields: _a0
 func (_m *MockProvider) UpdateMeta(_a0 map[string]string) {
 	_m.Called(_a0)
@@ -286,6 +416,11 @@ func (_c *MockProvider_UpdateMeta_Call) Return() *MockProvider_UpdateMeta_Call {
 	return _c
 }
 
+func (_c *MockProvider_UpdateMeta_Call) RunAndReturn(run func(map[string]string)) *MockProvider_UpdateMeta_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
 type mockConstructorTestingTNewMockProvider interface {
 	mock.TestingT
 	Cleanup(func())

agent/hcp/testing.go

@@ -13,6 +13,7 @@ import (
 	"sync"
 	"time"
 
+	hcpgnm "github.com/hashicorp/hcp-sdk-go/clients/cloud-global-network-manager-service/preview/2022-02-15/client/global_network_manager_service"
 	gnmmod "github.com/hashicorp/hcp-sdk-go/clients/cloud-global-network-manager-service/preview/2022-02-15/models"
 	"github.com/hashicorp/hcp-sdk-go/resource"
 )
@@ -63,7 +64,7 @@ func (s *MockHCPServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 
-	if r.URL.Path == "/oauth/token" {
+	if r.URL.Path == "/oauth2/token" {
 		mockTokenResponse(w)
 		return
 	}
@@ -136,30 +137,31 @@ func enforceMethod(w http.ResponseWriter, r *http.Request, methods []string) boo
 }
 
 func mockTokenResponse(w http.ResponseWriter) {
+	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(http.StatusOK)
-	w.Write([]byte(`{access_token: "token", token_type: "Bearer"}`))
+
+	w.Write([]byte(`{"access_token": "token", "token_type": "Bearer"}`))
 }
 
 func (s *MockHCPServer) handleStatus(r *http.Request, cluster resource.Resource) (interface{}, error) {
-	var req gnmmod.HashicorpCloudGlobalNetworkManager20220215AgentPushServerStateRequest
+	var req hcpgnm.AgentPushServerStateBody
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		return nil, err
 	}
-	status := req.ServerState
 	log.Printf("STATUS UPDATE: server=%s version=%s leader=%v hasLeader=%v healthy=%v tlsCertExpiryDays=%1.0f",
-		status.Name,
-		status.Version,
-		status.Raft.IsLeader,
-		status.Raft.KnownLeader,
-		status.Autopilot.Healthy,
-		time.Until(time.Time(status.TLS.CertExpiry)).Hours()/24,
+		req.ServerState.Name,
+		req.ServerState.Version,
+		req.ServerState.Raft.IsLeader,
+		req.ServerState.Raft.KnownLeader,
+		req.ServerState.Autopilot.Healthy,
+		time.Until(time.Time(req.ServerState.TLS.CertExpiry)).Hours()/24,
 	)
-	s.servers[status.Name] = &gnmmod.HashicorpCloudGlobalNetworkManager20220215Server{
-		GossipPort: status.GossipPort,
-		ID:         status.ID,
-		LanAddress: status.LanAddress,
-		Name:       status.Name,
-		RPCPort:    status.RPCPort,
+	s.servers[req.ServerState.Name] = &gnmmod.HashicorpCloudGlobalNetworkManager20220215Server{
+		GossipPort: req.ServerState.GossipPort,
+		ID:         req.ServerState.ID,
+		LanAddress: req.ServerState.LanAddress,
+		Name:       req.ServerState.Name,
+		RPCPort:    req.ServerState.RPCPort,
 	}
 	return "{}", nil
 }

command/agent/agent.go

@@ -15,6 +15,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/hashicorp/consul/agent/hcp"
 	"github.com/hashicorp/go-checkpoint"
 	"github.com/hashicorp/go-hclog"
 	mcli "github.com/mitchellh/cli"
@@ -159,14 +160,28 @@ func (c *cmd) run(args []string) int {
 	go handleStartupSignals(ctx, cancel, signalCh, suLogger)
 
 	// See if we need to bootstrap config from HCP before we go any further with
-	// agent startup. We override loader with the one returned as it may be
-	// modified to include HCP-provided config.
-	var err error
-	_, loader, err = hcpbootstrap.MaybeBootstrap(ctx, loader, ui)
+	// agent startup. First do a preliminary load of agent configuration using the given loader.
+	// This is just to peek whether bootstrapping from HCP is enabled. The result is discarded
+	// on the call to agent.NewBaseDeps so that the wrapped loader takes effect.
+	res, err := loader(nil)
 	if err != nil {
 		ui.Error(err.Error())
 		return 1
 	}
+	if res.RuntimeConfig.IsCloudEnabled() {
+		client, err := hcp.NewClient(res.RuntimeConfig.Cloud)
+		if err != nil {
+			ui.Error("error building HCP HTTP client: " + err.Error())
+			return 1
+		}
+
+		// We override loader with the one returned as it was modified to include HCP-provided config.
+		loader, err = hcpbootstrap.LoadConfig(ctx, client, res.RuntimeConfig.DataDir, loader, ui)
+		if err != nil {
+			ui.Error(err.Error())
+			return 1
+		}
+	}
 
 	bd, err := agent.NewBaseDeps(loader, logGate, nil)
 	if err != nil {

go.mod

@@ -28,10 +28,10 @@ require (
 	github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1
 	github.com/fatih/color v1.13.0
 	github.com/fsnotify/fsnotify v1.5.1
-	github.com/go-openapi/runtime v0.24.1
+	github.com/go-openapi/runtime v0.25.0
 	github.com/go-openapi/strfmt v0.21.3
 	github.com/golang/protobuf v1.5.2
-	github.com/google/go-cmp v0.5.8
+	github.com/google/go-cmp v0.5.9
 	github.com/google/gofuzz v1.2.0
 	github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1
 	github.com/google/tcpproxy v0.0.0-20180808230851-dfa16c61dad2
@@ -60,8 +60,8 @@ require (
 	github.com/hashicorp/go-version v1.2.1
 	github.com/hashicorp/golang-lru v0.5.4
 	github.com/hashicorp/hcl v1.0.0
-	github.com/hashicorp/hcp-scada-provider v0.2.0
-	github.com/hashicorp/hcp-sdk-go v0.23.1-0.20220921131124-49168300a7dc
+	github.com/hashicorp/hcp-scada-provider v0.2.3
+	github.com/hashicorp/hcp-sdk-go v0.40.1-0.20230404193545-846aea419cd1
 	github.com/hashicorp/hil v0.0.0-20200423225030-a18a1cd20038
 	github.com/hashicorp/memberlist v0.5.0
 	github.com/hashicorp/raft v1.5.0
@@ -97,10 +97,10 @@ require (
 	go.etcd.io/bbolt v1.3.6
 	go.uber.org/goleak v1.1.10
 	golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d
-	golang.org/x/net v0.7.0
-	golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1
-	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
-	golang.org/x/sys v0.5.0
+	golang.org/x/net v0.8.0
+	golang.org/x/oauth2 v0.6.0
+	golang.org/x/sync v0.1.0
+	golang.org/x/sys v0.6.0
 	golang.org/x/time v0.3.0
 	google.golang.org/genproto v0.0.0-20220921223823-23cae91e6737
 	google.golang.org/grpc v1.49.0
@@ -127,8 +127,6 @@ require (
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/DataDog/datadog-go v3.2.0+incompatible // indirect
 	github.com/Microsoft/go-winio v0.4.3 // indirect
-	github.com/PuerkitoBio/purell v1.1.1 // indirect
-	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
 	github.com/benbjohnson/immutable v0.4.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
@@ -149,15 +147,17 @@ require (
 	github.com/dimchansky/utfbom v1.1.0 // indirect
 	github.com/envoyproxy/protoc-gen-validate v0.1.0 // indirect
 	github.com/form3tech-oss/jwt-go v3.2.2+incompatible // indirect
+	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
-	github.com/go-openapi/analysis v0.21.2 // indirect
-	github.com/go-openapi/errors v0.20.2 // indirect
+	github.com/go-openapi/analysis v0.21.4 // indirect
+	github.com/go-openapi/errors v0.20.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.19.6 // indirect
-	github.com/go-openapi/loads v0.21.1 // indirect
-	github.com/go-openapi/spec v0.20.4 // indirect
-	github.com/go-openapi/swag v0.21.1 // indirect
-	github.com/go-openapi/validate v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.20.0 // indirect
+	github.com/go-openapi/loads v0.21.2 // indirect
+	github.com/go-openapi/spec v0.20.8 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-openapi/validate v0.22.1 // indirect
 	github.com/go-ozzo/ozzo-validation v3.6.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
@@ -223,15 +223,17 @@ require (
 	github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926 // indirect
 	github.com/vmware/govmomi v0.18.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.2 // indirect
-	go.mongodb.org/mongo-driver v1.10.0 // indirect
+	go.mongodb.org/mongo-driver v1.11.0 // indirect
 	go.opencensus.io v0.23.0 // indirect
+	go.opentelemetry.io/otel v1.11.1 // indirect
+	go.opentelemetry.io/otel/trace v1.11.1 // indirect
 	go.opentelemetry.io/proto/otlp v0.7.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
 	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
-	golang.org/x/term v0.5.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
-	golang.org/x/tools v0.2.0 // indirect
+	golang.org/x/term v0.6.0 // indirect
+	golang.org/x/text v0.8.0 // indirect
+	golang.org/x/tools v0.6.0 // indirect
 	google.golang.org/api v0.57.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect

go.sum

@@ -114,10 +114,8 @@ github.com/NYTimes/gziphandler v1.0.1/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87/go.mod h1:iGLljf5n9GjT6kc0HBvyI1nOKnGQbNB66VzSNbK5iks=
 github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI=
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
 github.com/Shopify/sarama v1.21.0/go.mod h1:yuqtN/pe8cXRWG5zPaO7hCfNJp5MwmkoJEoLjkm5tCQ=
@@ -247,7 +245,6 @@ github.com/dnsimple/dnsimple-go v0.30.0/go.mod h1:O5TJ0/U6r7AfT8niYNlmohpLbCSG+c
 github.com/dnstap/golang-dnstap v0.0.0-20170829151710-2cf77a2b5e11/go.mod h1:s1PfVYYVmTMgCSPtho4LKBDecEHJWtiVDPNv78Z985U=
 github.com/docker/go-connections v0.3.0 h1:3lOnM9cSzgGwx8VfK/NGOW5fLQ0GjIlCkaktF+n1M6o=
 github.com/docker/go-connections v0.3.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
-github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
@@ -311,45 +308,55 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
+github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
-github.com/go-openapi/analysis v0.21.2 h1:hXFrOYFHUAMQdu6zwAiKKJHJQ8kqZs1ux/ru1P1wLJU=
 github.com/go-openapi/analysis v0.21.2/go.mod h1:HZwRk4RRisyG8vx2Oe6aqeSQcoxRp47Xkp3+K6q+LdY=
+github.com/go-openapi/analysis v0.21.4 h1:ZDFLvSNxpDaomuCueM0BlSXxpANBlFYiBvr+GXrvIHc=
+github.com/go-openapi/analysis v0.21.4/go.mod h1:4zQ35W4neeZTqh3ol0rv/O8JBbka9QyAgQRPp9y3pfo=
 github.com/go-openapi/errors v0.19.8/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
 github.com/go-openapi/errors v0.19.9/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
-github.com/go-openapi/errors v0.20.2 h1:dxy7PGTqEh94zj2E3h1cUmQQWiM1+aeCROfAr02EmK8=
 github.com/go-openapi/errors v0.20.2/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
+github.com/go-openapi/errors v0.20.3 h1:rz6kiC84sqNQoqrtulzaL/VERgkoCyB6WdEkc2ujzUc=
+github.com/go-openapi/errors v0.20.3/go.mod h1:Z3FlZ4I8jEGxjUK+bugx3on2mIAk4txuAOhlsB1FSgk=
 github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
 github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY=
 github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
-github.com/go-openapi/jsonreference v0.19.6 h1:UBIxjkht+AWIgYzCDSv2GN+E/togfwXUJFRTWhl2Jjs=
 github.com/go-openapi/jsonreference v0.19.6/go.mod h1:diGHMEHg2IqXZGKxqyvWdfWU/aim5Dprw5bqpKkTvns=
-github.com/go-openapi/loads v0.21.1 h1:Wb3nVZpdEzDTcly8S4HMkey6fjARRzb7iEaySimlDW0=
+github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA=
+github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo=
 github.com/go-openapi/loads v0.21.1/go.mod h1:/DtAMXXneXFjbQMGEtbamCZb+4x7eGwkvZCvBmwUG+g=
-github.com/go-openapi/runtime v0.24.1 h1:Sml5cgQKGYQHF+M7yYSHaH1eOjvTykrddTE/KtQVjqo=
-github.com/go-openapi/runtime v0.24.1/go.mod h1:AKurw9fNre+h3ELZfk6ILsfvPN+bvvlaU/M9q/r9hpk=
+github.com/go-openapi/loads v0.21.2 h1:r2a/xFIYeZ4Qd2TnGpWDIQNcP80dIaZgf704za8enro=
+github.com/go-openapi/loads v0.21.2/go.mod h1:Jq58Os6SSGz0rzh62ptiu8Z31I+OTHqmULx5e/gJbNw=
+github.com/go-openapi/runtime v0.25.0 h1:7yQTCdRbWhX8vnIjdzU8S00tBYf7Sg71EBeorlPHvhc=
+github.com/go-openapi/runtime v0.25.0/go.mod h1:Ux6fikcHXyyob6LNWxtE96hWwjBPYF0DXgVFuMTneOs=
 github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
-github.com/go-openapi/spec v0.20.4 h1:O8hJrt0UMnhHcluhIdUgCLRWyM2x7QkBXRvOs7m+O1M=
 github.com/go-openapi/spec v0.20.4/go.mod h1:faYFR1CvsJZ0mNsmsphTMSoRrNV3TEDoAM7FOEWeq8I=
+github.com/go-openapi/spec v0.20.6/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA=
+github.com/go-openapi/spec v0.20.8 h1:ubHmXNY3FCIOinT8RNrrPfGc9t7I1qhPtdOGoG2AxRU=
+github.com/go-openapi/spec v0.20.8/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA=
 github.com/go-openapi/strfmt v0.21.0/go.mod h1:ZRQ409bWMj+SOgXofQAGTIo2Ebu72Gs+WaRADcS5iNg=
 github.com/go-openapi/strfmt v0.21.1/go.mod h1:I/XVKeLc5+MM5oPNN7P6urMOpuLXEcNrCX/rPGuWb0k=
-github.com/go-openapi/strfmt v0.21.2/go.mod h1:I/XVKeLc5+MM5oPNN7P6urMOpuLXEcNrCX/rPGuWb0k=
 github.com/go-openapi/strfmt v0.21.3 h1:xwhj5X6CjXEZZHMWy1zKJxvW9AfHC9pkyUjLvHtKG7o=
 github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg=
 github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
-github.com/go-openapi/swag v0.21.1 h1:wm0rhTb5z7qpJRHBdPOMuY4QjVUMbF6/kwoYeRAOrKU=
 github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
-github.com/go-openapi/validate v0.21.0 h1:+Wqk39yKOhfpLqNLEC0/eViCkzM5FVXVqrvt526+wcI=
-github.com/go-openapi/validate v0.21.0/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg=
+github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
+github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-openapi/validate v0.22.1 h1:G+c2ub6q47kfX1sOBLwIQwzBVt8qmOAARyo/9Fqs9NU=
+github.com/go-openapi/validate v0.22.1/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg=
 github.com/go-ozzo/ozzo-validation v3.6.0+incompatible h1:msy24VGS42fKO9K1vLz82/GeYW1cILu7Nuuj1N3BBkE=
 github.com/go-ozzo/ozzo-validation v3.6.0+incompatible/go.mod h1:gsEKFIVnabGBt6mXmxK0MoFy+cZoTJY6mu5Ll3LVLBU=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/go-stack/stack v1.8.1/go.mod h1:dcoOX6HbPZSZptuspn9bctJ+N/CnF5gGygcUP3XYfe4=
 github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg=
 github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
@@ -443,8 +450,9 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-querystring v0.0.0-20170111101155-53e6ce116135/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
@@ -594,10 +602,10 @@ github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+l
 github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hashicorp/hcp-scada-provider v0.2.0 h1:iD3Y+c7LTdjeaWKHq/ym6ahEdSL1R+9GHvKWBb4t+aM=
-github.com/hashicorp/hcp-scada-provider v0.2.0/go.mod h1:Q0WpS2RyhBKOPD4X/8oW7AJe7jA2HXB09EwDzwRTao0=
-github.com/hashicorp/hcp-sdk-go v0.23.1-0.20220921131124-49168300a7dc h1:on26TCKYnX7JzZCtwkR/LWHSqMu40PoZ6h/0e6Pq8ug=
-github.com/hashicorp/hcp-sdk-go v0.23.1-0.20220921131124-49168300a7dc/go.mod h1:/9UoDY2FYYA8lFaKBb2HmM/jKYZGANmf65q9QRc/cVw=
+github.com/hashicorp/hcp-scada-provider v0.2.3 h1:AarYR+/Pcv+cMvPdAlb92uOBmZfEH6ny4+DT+4NY2VQ=
+github.com/hashicorp/hcp-scada-provider v0.2.3/go.mod h1:ZFTgGwkzNv99PLQjTsulzaCplCzOTBh0IUQsPKzrQFo=
+github.com/hashicorp/hcp-sdk-go v0.40.1-0.20230404193545-846aea419cd1 h1:C1des4/oIeUqQJVUWypnZth19Kg+k01q+V59OVNMB+Q=
+github.com/hashicorp/hcp-sdk-go v0.40.1-0.20230404193545-846aea419cd1/go.mod h1:hZqky4HEzsKwvLOt4QJlZUrjeQmb4UCZUhDP2HyQFfc=
 github.com/hashicorp/hil v0.0.0-20200423225030-a18a1cd20038 h1:n9J0rwVWXDpNd5iZnwY7w4WZyq53/rROeI7OVvLW8Ok=
 github.com/hashicorp/hil v0.0.0-20200423225030-a18a1cd20038/go.mod h1:n2TSygSNwsLJ76m8qFXTSc7beTb+auJxYdqrnoqwZWE=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
@@ -786,7 +794,6 @@ github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:F
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/pointerstructure v1.2.1 h1:ZhBBeX8tSlRpu/FFhXH4RC4OJzFlqsQhoHZAz4x7TIw=
@@ -812,7 +819,6 @@ github.com/naoina/toml v0.1.1/go.mod h1:NBIhNtsFMo3G2szEBne+bO4gS192HuIYRqfvOWb4
 github.com/nbio/st v0.0.0-20140626010706-e9e8d9816f32/go.mod h1:9wM+0iRr9ahx58uYLpLIr5fm8diHn0JbqRycJi6w0Ms=
 github.com/nicolai86/scaleway-sdk v1.10.2-0.20180628010248-798f60e20bb2 h1:BQ1HW7hr4IVovMwWg0E0PYcyW8CzqDcVmaew9cujU4s=
 github.com/nicolai86/scaleway-sdk v1.10.2-0.20180628010248-798f60e20bb2/go.mod h1:TLb2Sg7HQcgGdloNxkrmtgDNR9uVYF3lfdFIN4Ro6Sk=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nrdcg/auroradns v1.0.0/go.mod h1:6JPXKzIRzZzMqtTDgueIhTi6rFf1QvYE/HzqidhOhjw=
 github.com/nrdcg/goinwx v0.6.1/go.mod h1:XPiut7enlbEdntAqalBIqcYcTEVhpv/dKWgDCX2SwKQ=
@@ -838,7 +844,6 @@ github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1Cpa
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492/go.mod h1:Ngi6UdF0k5OKD5t5wlmGhe/EDKPoUM3BXZSSfIuJbis=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
-github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b h1:FfH+VrHHk6Lxt9HdVS0PXzSXFyS2NbZKXv33FYPol0A=
 github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b/go.mod h1:AC62GU6hc0BrNm+9RK9VSiwa/EUe1bkIeFORAMcHvJU=
 github.com/openzipkin-contrib/zipkin-go-opentracing v0.3.5/go.mod h1:uVHyebswE1cCXr2A73cRM2frx5ld1RJUCJkFNZ90ZiI=
@@ -1055,9 +1060,9 @@ go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
 go.etcd.io/etcd v0.5.0-alpha.5.0.20190917205325-a14579fbfb1a/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
 go.mongodb.org/mongo-driver v1.7.3/go.mod h1:NqaYOwnXWr5Pm7AOpO5QFxKJ503nbMse/R79oO62zWg=
 go.mongodb.org/mongo-driver v1.7.5/go.mod h1:VXEWRZ6URJIkUq2SCAyapmhH0ZLRBP+FT4xhp5Zvxng=
-go.mongodb.org/mongo-driver v1.8.3/go.mod h1:0sQWfOeY63QTntERDJJ/0SuKK0T1uVSgKCuAROlKEPY=
-go.mongodb.org/mongo-driver v1.10.0 h1:UtV6N5k14upNp4LTduX0QCufG124fSu25Wz9tu94GLg=
 go.mongodb.org/mongo-driver v1.10.0/go.mod h1:wsihk0Kdgv8Kqu1Anit4sfK+22vSFbUrAVEYRhCXrA8=
+go.mongodb.org/mongo-driver v1.11.0 h1:FZKhBSTydeuffHj9CBjXlR8vQLee1cQyTWYPA6/tqiE=
+go.mongodb.org/mongo-driver v1.11.0/go.mod h1:s7p5vEtfbeR1gYi6pnj3c3/urpbLv2T5Sfd6Rp2HBB8=
 go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
@@ -1068,6 +1073,11 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
+go.opentelemetry.io/otel v1.11.1 h1:4WLLAmcfkmDk2ukNXJyq3/kiz/3UzCaYq6PskJsaou4=
+go.opentelemetry.io/otel v1.11.1/go.mod h1:1nNhXBbWSD0nsL38H6btgnFN2k4i0sNLHNNMZMSbUGE=
+go.opentelemetry.io/otel/sdk v1.11.1 h1:F7KmQgoHljhUuJyA+9BiU+EkJfyX5nVVF4wyzWZpKxs=
+go.opentelemetry.io/otel/trace v1.11.1 h1:ofxdnzsNrGBYXbP7t7zpUK281+go5rF7dvdIZXF8gdQ=
+go.opentelemetry.io/otel/trace v1.11.1/go.mod h1:f/Q9G7vzk5u91PhbmKbg1Qn0rzH1LJ4vbPHFGkTPtOk=
 go.opentelemetry.io/proto/otlp v0.7.0 h1:rwOQPCuKAKmwGKq2aVNnYIibI6wnV7EvzgfTCzcdGg8=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
@@ -1101,7 +1111,6 @@ golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d h1:sK3txAijHtOK88l68nt020reeT1ZdKLIYetKl95FzVY=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
@@ -1143,6 +1152,7 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
 golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180611182652-db08ff08e862/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1202,8 +1212,8 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
-golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1221,8 +1231,8 @@ golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 h1:lxqLZaMad/dJHMFZH0NiNpiEZI/nhgWhe4wgzpE+MuA=
-golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
+golang.org/x/oauth2 v0.6.0 h1:Lh8GPgSKBfWSwFvtuWOfeI3aAAnbXTSutYxJiOJFgIw=
+golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1235,8 +1245,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180622082034-63fc586f45fe/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1330,13 +1340,12 @@ golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1348,8 +1357,8 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/time v0.0.0-20161028155119-f51c12702a4d/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1426,8 +1435,8 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.2.0 h1:G6AHpWxTMGY1KyEYoAQ5WTtIekUUvDNjan3ugu60JvE=
-golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
+golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1585,8 +1594,8 @@ gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLks
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=