diff --git a/.changelog/18573.txt b/.changelog/18573.txt
new file mode 100644
index 000000000000..ce03f1c55baf
--- /dev/null
+++ b/.changelog/18573.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+xds: Use downstream protocol when connecting to local app
+```
diff --git a/.changelog/18797.txt b/.changelog/18797.txt
new file mode 100644
index 000000000000..ba40092542a3
--- /dev/null
+++ b/.changelog/18797.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+command: Adds -since flag in consul debug command which internally calls hcdiag for debug information in the past.
+```
diff --git a/.github/workflows/reusable-lint.yml b/.github/workflows/reusable-lint.yml
index 903855d99c85..902ff1867144 100644
--- a/.github/workflows/reusable-lint.yml
+++ b/.github/workflows/reusable-lint.yml
@@ -34,6 +34,7 @@ jobs:
- "envoyextensions"
- "troubleshoot"
- "test/integration/consul-container"
+ - "test-integ"
- "testing/deployer"
fail-fast: true
name: lint ${{ matrix.directory }}
diff --git a/agent/agent.go b/agent/agent.go
index 87a1da86cea4..8354320ad670 100644
--- a/agent/agent.go
+++ b/agent/agent.go
@@ -657,13 +657,8 @@ func (a *Agent) Start(ctx context.Context) error {
// Create proxy config manager now because it is a dependency of creating the proxyWatcher
// which will be passed to consul.NewServer so that it is then passed to the
// controller registration for the XDS controller in v2 mode, and the xds server in v1 and v2 mode.
- var intentionDefaultAllow bool
- switch a.config.ACLResolverSettings.ACLDefaultPolicy {
- case "allow":
- intentionDefaultAllow = true
- case "deny":
- intentionDefaultAllow = false
- default:
+ intentionDefaultAllow, err := a.config.ACLResolverSettings.IsDefaultAllow()
+ if err != nil {
return fmt.Errorf("unexpected ACL default policy value of %q", a.config.ACLResolverSettings.ACLDefaultPolicy)
}
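Review bot: The `fmt.Errorf` kept under the new `if err != nil` rebuilds the same message that `IsDefaultAllow` already returns (see agent/consul/acl.go in this commit), so the text now lives in two places and the returned `err` is discarded. Returning it directly, `return err`, keeps one source for the message. `Start` begins and ends outside this hunk.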
diff --git a/agent/config/builder.go b/agent/config/builder.go
index e67409635184..667d822480ac 100644
--- a/agent/config/builder.go
+++ b/agent/config/builder.go
@@ -1134,6 +1134,15 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
return RuntimeConfig{}, fmt.Errorf("cache.entry_fetch_rate must be strictly positive, was: %v", rt.Cache.EntryFetchRate)
}
+ // TODO(CC-6389): Remove once resource-apis is no longer considered experimental and is supported by HCP
+ if stringslice.Contains(rt.Experiments, consul.CatalogResourceExperimentName) && rt.IsCloudEnabled() {
+ // Allow override of this check for development/testing purposes. Should not be used in production
+ override, err := strconv.ParseBool(os.Getenv("CONSUL_OVERRIDE_HCP_RESOURCE_APIS_CHECK"))
+ if err != nil || !override {
+ return RuntimeConfig{}, fmt.Errorf("`experiments` cannot include 'resource-apis' when HCP `cloud` configuration is set")
+ }
+ }
+
if rt.UIConfig.MetricsProvider == "prometheus" {
// Handle defaulting for the built-in version of prometheus.
if len(rt.UIConfig.MetricsProxy.PathAllowlist) == 0 {
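Review bot: The `CONSUL_OVERRIDE_HCP_RESOURCE_APIS_CHECK` escape hatch disables a configuration guard without leaving any trace: when `override` is true the block falls through silently, so an agent running this unsupported combination looks the same in its logs as a normal one. Emitting a warning on that path, e.g. `b.warn("CONSUL_OVERRIDE_HCP_RESOURCE_APIS_CHECK is set: resource-apis enabled together with HCP cloud configuration")` (assuming the builder's usual warning helper), would make the bypass auditable. The `err` from `strconv.ParseBool` is also folded into the generic error, so a malformed value such as `yes` is reported as if the variable were unset. `build` starts and ends outside the hunk.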
@@ -2550,7 +2559,7 @@ func (b *builder) cloudConfigVal(v Config) hcpconfig.CloudConfig {
val := hcpconfig.CloudConfig{
ResourceID: os.Getenv("HCP_RESOURCE_ID"),
}
- // Node id might get overriden in setup.go:142
+ // Node id might get overridden in setup.go:142
nodeID := stringVal(v.NodeID)
val.NodeID = types.NodeID(nodeID)
val.NodeName = b.nodeName(v.NodeName)
diff --git a/agent/config/builder_test.go b/agent/config/builder_test.go
index 2cc3e3148c37..6f8fdc9598a0 100644
--- a/agent/config/builder_test.go
+++ b/agent/config/builder_test.go
@@ -575,3 +575,72 @@ func TestBuidler_hostMetricsWithCloud(t *testing.T) {
require.NotNil(t, cfg)
require.True(t, cfg.Telemetry.EnableHostMetrics)
}
+
+func TestBuilder_WarnCloudConfigWithResourceApis(t *testing.T) {
+ tests := []struct {
+ name string
+ hcl string
+ expectErr bool
+ override bool
+ }{
+ {
+ name: "base_case",
+ hcl: ``,
+ },
+ {
+ name: "resource-apis_no_cloud",
+ hcl: `experiments = ["resource-apis"]`,
+ },
+ {
+ name: "cloud-config_no_experiments",
+ hcl: `cloud{ resource_id = "abc" client_id = "abc" client_secret = "abc"}`,
+ },
+ {
+ name: "cloud-config_resource-apis_experiment",
+ hcl: `
+ experiments = ["resource-apis"]
+ cloud{ resource_id = "abc" client_id = "abc" client_secret = "abc"}`,
+ expectErr: true,
+ },
+ {
+ name: "cloud-config_other_experiment",
+ hcl: `
+ experiments = ["test"]
+ cloud{ resource_id = "abc" client_id = "abc" client_secret = "abc"}`,
+ },
+ {
+ name: "cloud-config_resource-apis_experiment_override",
+ hcl: `
+ experiments = ["resource-apis"]
+ cloud{ resource_id = "abc" client_id = "abc" client_secret = "abc"}`,
+ override: true,
+ },
+ }
+ for _, tc := range tests {
+ // using dev mode skips the need for a data dir
+ devMode := true
+ builderOpts := LoadOpts{
+ DevMode: &devMode,
+ Overrides: []Source{
+ FileSource{
+ Name: "overrides",
+ Format: "hcl",
+ Data: tc.hcl,
+ },
+ },
+ }
+ if tc.override {
+ os.Setenv("CONSUL_OVERRIDE_HCP_RESOURCE_APIS_CHECK", "1")
+ }
+ _, err := Load(builderOpts)
+ if tc.override {
+ os.Unsetenv("CONSUL_OVERRIDE_HCP_RESOURCE_APIS_CHECK")
+ }
+ if tc.expectErr {
+ require.Error(t, err)
+ require.Contains(t, err.Error(), "cannot include 'resource-apis' when HCP")
+ } else {
+ require.NoError(t, err)
+ }
+ }
+}
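Review bot: The loop in `TestBuilder_WarnCloudConfigWithResourceApis` changes the process environment with `os.Setenv`/`os.Unsetenv` and never pins the variable for the non-override cases, so a `CONSUL_OVERRIDE_HCP_RESOURCE_APIS_CHECK=1` inherited from a developer or CI environment makes the `expectErr` case fail, and a pre-existing value is erased rather than restored. Wrapping the body in `t.Run(tc.name, func(t *testing.T) { ... })` and replacing both env calls with `t.Setenv("CONSUL_OVERRIDE_HCP_RESOURCE_APIS_CHECK", strconv.FormatBool(tc.override))` (with `strconv` imported) fixes both, and finally uses `tc.name`, which is currently never read. The return values of `os.Setenv` and `os.Unsetenv` are also ignored today.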
diff --git a/agent/consul/acl.go b/agent/consul/acl.go
index a73372a040ad..ddba359d949f 100644
--- a/agent/consul/acl.go
+++ b/agent/consul/acl.go
@@ -221,6 +221,17 @@ type ACLResolverSettings struct {
ACLDefaultPolicy string
}
+func (s ACLResolverSettings) IsDefaultAllow() (bool, error) {
+ switch s.ACLDefaultPolicy {
+ case "allow":
+ return true, nil
+ case "deny":
+ return false, nil
+ default:
+ return false, fmt.Errorf("unexpected ACL default policy value of %q", s.ACLDefaultPolicy)
+ }
+}
+
// ACLResolver is the type to handle all your token and policy resolution needs.
//
// Supports:
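Review bot: The new exported method `IsDefaultAllow` has no doc comment, and its contract matters because callers derive the intention default from it. Suggested: `// IsDefaultAllow reports whether ACLDefaultPolicy is "allow". It returns false and an error for any value other than "allow" or "deny".` The comment should also say that the result on error is deliberately the restrictive one, so a later edit does not change it.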
diff --git a/agent/consul/server.go b/agent/consul/server.go
index d2fd0472b90b..39d5b0a543a7 100644
--- a/agent/consul/server.go
+++ b/agent/consul/server.go
@@ -844,7 +844,9 @@ func NewServer(config *Config, flat Deps, externalGRPCServer *grpc.Server,
s.insecureResourceServiceClient,
logger.Named(logging.ControllerRuntime),
)
- s.registerControllers(flat, proxyUpdater)
+ if err := s.registerControllers(flat, proxyUpdater); err != nil {
+ return nil, err
+ }
go s.controllerManager.Run(&lib.StopChannelContext{StopCh: shutdownCh})
go s.trackLeaderChanges()
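Review bot: The new `return nil, err` leaves `NewServer` after the server and its controller manager have been built, and nothing visible in this hunk releases what was started earlier in the function. If the other late error paths in `NewServer` call `s.Shutdown()` before returning, this one should match: `s.Shutdown()` followed by `return nil, err`. The function body starts and ends outside the hunk, so this needs checking against the surrounding code.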
@@ -895,9 +897,15 @@ func NewServer(config *Config, flat Deps, externalGRPCServer *grpc.Server,
return s, nil
}
-func (s *Server) registerControllers(deps Deps, proxyUpdater ProxyUpdater) {
+func (s *Server) registerControllers(deps Deps, proxyUpdater ProxyUpdater) error {
if stringslice.Contains(deps.Experiments, CatalogResourceExperimentName) {
catalog.RegisterControllers(s.controllerManager, catalog.DefaultControllerDependencies())
+
+ defaultAllow, err := s.config.ACLResolverSettings.IsDefaultAllow()
+ if err != nil {
+ return err
+ }
+
mesh.RegisterControllers(s.controllerManager, mesh.ControllerDependencies{
TrustBundleFetcher: func() (*pbproxystate.TrustBundle, error) {
var bundle pbproxystate.TrustBundle
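Review bot: In `registerControllers` the policy is resolved only after `catalog.RegisterControllers` has already run, so an invalid `ACLDefaultPolicy` is reported with the controller manager partly populated. Moving the `IsDefaultAllow` call to the first statement inside the `if` makes the function fail before it registers anything. Wrapping the error, `return fmt.Errorf("registering mesh controllers: %w", err)`, would also tell the operator which startup step rejected the value. The function continues outside this hunk.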
@@ -923,6 +931,7 @@ func (s *Server) registerControllers(deps Deps, proxyUpdater ProxyUpdater) {
LeafCertManager: deps.LeafCertManager,
LocalDatacenter: s.config.Datacenter,
+ DefaultAllow: defaultAllow,
ProxyUpdater: proxyUpdater,
})
}
@@ -932,6 +941,8 @@ func (s *Server) registerControllers(deps Deps, proxyUpdater ProxyUpdater) {
if s.config.DevMode {
demo.RegisterControllers(s.controllerManager)
}
+
+ return nil
}
func newGRPCHandlerFromConfig(deps Deps, config *Config, s *Server) connHandler {
diff --git a/agent/grpc-external/services/dataplane/get_envoy_bootstrap_params.go b/agent/grpc-external/services/dataplane/get_envoy_bootstrap_params.go
index 037331569a9d..d69d7b190522 100644
--- a/agent/grpc-external/services/dataplane/get_envoy_bootstrap_params.go
+++ b/agent/grpc-external/services/dataplane/get_envoy_bootstrap_params.go
@@ -59,7 +59,6 @@ func (s *Server) GetEnvoyBootstrapParams(ctx context.Context, req *pbdataplane.G
Tenancy: &pbresource.Tenancy{
Namespace: req.Namespace,
Partition: req.Partition,
- PeerName: "local",
},
Type: catalog.WorkloadType,
}
@@ -69,6 +68,7 @@ func (s *Server) GetEnvoyBootstrapParams(ctx context.Context, req *pbdataplane.G
if err != nil {
// This error should already include the gRPC status code and so we don't need to wrap it
// in status.Error.
+ logger.Error("Error looking up workload", "error", err)
return nil, err
}
var workload pbcatalog.Workload
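Review bot: The two new `logger.Error` calls (here and before the `return nil, err` of the proxy configuration lookup in the next hunk) carry only the error, so a log line cannot be tied to the tenancy that triggered it. Adding the request fields already in scope, e.g. `logger.Error("Error looking up workload", "error", err, "namespace", req.Namespace, "partition", req.Partition)`, makes them usable for triage. Because the request originates from a dataplane client, a not-found or permission-denied result is presumably routine; logging those at Error level may let a misbehaving client flood the server log, so a lower level for those status codes is worth considering. `GetEnvoyBootstrapParams` starts and ends outside the hunk.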
@@ -93,6 +93,7 @@ func (s *Server) GetEnvoyBootstrapParams(ctx context.Context, req *pbdataplane.G
Type: mesh.ProxyConfigurationType,
})
if err != nil {
+ logger.Error("Error looking up proxyConfiguration", "error", err)
return nil, err
}
diff --git a/agent/xds/clusters.go b/agent/xds/clusters.go
index 908aa746bc9c..3f0ba0d7f31b 100644
--- a/agent/xds/clusters.go
+++ b/agent/xds/clusters.go
@@ -1096,8 +1096,14 @@ func (s *ResourceGenerator) makeAppCluster(cfgSnap *proxycfg.ConfigSnapshot, nam
protocol = cfg.Protocol
}
if protocol == "http2" || protocol == "grpc" {
- if err := s.setHttp2ProtocolOptions(c); err != nil {
- return c, err
+ if name == xdscommon.LocalAppClusterName {
+ if err := s.setLocalAppHttpProtocolOptions(c); err != nil {
+ return c, err
+ }
+ } else {
+ if err := s.setHttp2ProtocolOptions(c); err != nil {
+ return c, err
+ }
}
}
if cfg.MaxInboundConnections > 0 {
@@ -2016,6 +2022,29 @@ func (s *ResourceGenerator) setHttp2ProtocolOptions(c *envoy_cluster_v3.Cluster)
return nil
}
+// Allows forwarding either HTTP/1.1 or HTTP/2 traffic to the local application.
+// The protocol used depends on the protocol received from the downstream service
+// on the public listener.
+func (s *ResourceGenerator) setLocalAppHttpProtocolOptions(c *envoy_cluster_v3.Cluster) error {
+ cfg := &envoy_upstreams_v3.HttpProtocolOptions{
+ UpstreamProtocolOptions: &envoy_upstreams_v3.HttpProtocolOptions_UseDownstreamProtocolConfig{
+ UseDownstreamProtocolConfig: &envoy_upstreams_v3.HttpProtocolOptions_UseDownstreamHttpConfig{
+ HttpProtocolOptions: &envoy_core_v3.Http1ProtocolOptions{},
+ Http2ProtocolOptions: &envoy_core_v3.Http2ProtocolOptions{},
+ },
+ },
+ }
+ any, err := anypb.New(cfg)
+ if err != nil {
+ return err
+ }
+ c.TypedExtensionProtocolOptions = map[string]*anypb.Any{
+ "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": any,
+ }
+
+ return nil
+}
+
// generatePeeredClusterName returns an SNI-like cluster name which mimics PeeredServiceSNI
// but excludes partition information which could be ambiguous (local vs remote partition).
func generatePeeredClusterName(uid proxycfg.UpstreamID, tb *pbpeering.PeeringTrustBundle) string {
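Review bot: The local variable `any` in `setLocalAppHttpProtocolOptions` shadows the predeclared identifier `any`; a name such as `opts` avoids that. The doc comment should start with the function name, `// setLocalAppHttpProtocolOptions allows forwarding either HTTP/1.1 or HTTP/2 traffic to the local application.`, to follow Go convention. `addLocalAppHttpProtocolOptions` in agent/xdsv2/cluster_resources.go builds the identical `HttpProtocolOptions` value with the same shadowing and no comment at all; if the two packages can share a constructor, that would keep the xDS v1 and v2 output from drifting apart.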
diff --git a/agent/xds/delta.go b/agent/xds/delta.go
index a0894954eaec..e303447ee5c8 100644
--- a/agent/xds/delta.go
+++ b/agent/xds/delta.go
@@ -116,7 +116,13 @@ func getEnvoyConfiguration(proxySnapshot proxysnapshot.ProxySnapshot, logger hcl
)
c := proxySnapshot.(*proxytracker.ProxyState)
logger.Trace("ProxyState", c)
- return generator.AllResourcesFromIR(c)
+ resources, err := generator.AllResourcesFromIR(c)
+ if err != nil {
+ logger.Error("error generating resources from proxy state template", "err", err)
+ return nil, err
+ }
+ logger.Trace("generated resources from proxy state template", "resources", resources)
+ return resources, nil
default:
return nil, errors.New("proxysnapshot must be of type ProxyState or ConfigSnapshot")
}
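Review bot: The added `logger.Trace(..., "resources", resources)` writes the complete generated Envoy configuration to the log, and that configuration can contain leaf-certificate private keys inline: the cluster golden file updated in this same commit shows a `privateKey.inlineString` inside `transportSocket`. Anyone able to read a trace-level log could then obtain workload identity keys. Logging a summary instead, for example `logger.Trace("generated resources from proxy state template", "count", len(resources))` if `resources` is a map or slice, keeps the diagnostic without the key material. The new error log also uses the key `"err"` where the other logging added in this commit uses `"error"`. `getEnvoyConfiguration` continues outside the hunk.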
@@ -428,9 +434,8 @@ func newResourceIDFromEnvoyNode(node *envoy_config_core_v3.Node) *pbresource.ID
Tenancy: &pbresource.Tenancy{
Namespace: entMeta.NamespaceOrDefault(),
Partition: entMeta.PartitionOrDefault(),
- PeerName: "local",
},
- Type: mesh.ProxyStateTemplateV1AlphaType,
+ Type: mesh.ProxyStateTemplateType,
}
}
diff --git a/agent/xds/testdata/clusters/expose-paths-grpc-new-cluster-http1.latest.golden b/agent/xds/testdata/clusters/expose-paths-grpc-new-cluster-http1.latest.golden
index 3eb573197758..9bc45fc80295 100644
--- a/agent/xds/testdata/clusters/expose-paths-grpc-new-cluster-http1.latest.golden
+++ b/agent/xds/testdata/clusters/expose-paths-grpc-new-cluster-http1.latest.golden
@@ -53,8 +53,9 @@
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
- "explicitHttpConfig": {
- "http2ProtocolOptions": {}
+ "useDownstreamProtocolConfig": {
+ "http2ProtocolOptions": {},
+ "httpProtocolOptions": {}
}
}
}
diff --git a/agent/xdsv2/cluster_resources.go b/agent/xdsv2/cluster_resources.go
index b0a79fd0aa13..66dc78bc49f8 100644
--- a/agent/xdsv2/cluster_resources.go
+++ b/agent/xdsv2/cluster_resources.go
@@ -164,7 +164,13 @@ func (pr *ProxyResources) makeEnvoyStaticCluster(name string, protocol string, s
if ok {
cluster.LoadAssignment = makeEnvoyClusterLoadAssignment(name, endpointList.Endpoints)
}
- err := addHttpProtocolOptions(protocol, cluster)
+
+ var err error
+ if name == xdscommon.LocalAppClusterName {
+ err = addLocalAppHttpProtocolOptions(protocol, cluster)
+ } else {
+ err = addHttpProtocolOptions(protocol, cluster)
+ }
if err != nil {
return nil, err
}
@@ -243,6 +249,30 @@ func (pr *ProxyResources) makeEnvoyAggregateCluster(name string, protocol string
return clusters, nil
}
+func addLocalAppHttpProtocolOptions(protocol string, c *envoy_cluster_v3.Cluster) error {
+ if !(protocol == "http2" || protocol == "grpc") {
+ // do not error. returning nil means it won't get set.
+ return nil
+ }
+ cfg := &envoy_upstreams_v3.HttpProtocolOptions{
+ UpstreamProtocolOptions: &envoy_upstreams_v3.HttpProtocolOptions_UseDownstreamProtocolConfig{
+ UseDownstreamProtocolConfig: &envoy_upstreams_v3.HttpProtocolOptions_UseDownstreamHttpConfig{
+ HttpProtocolOptions: &envoy_core_v3.Http1ProtocolOptions{},
+ Http2ProtocolOptions: &envoy_core_v3.Http2ProtocolOptions{},
+ },
+ },
+ }
+ any, err := anypb.New(cfg)
+ if err != nil {
+ return err
+ }
+ c.TypedExtensionProtocolOptions = map[string]*anypb.Any{
+ "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": any,
+ }
+
+ return nil
+}
+
func addHttpProtocolOptions(protocol string, c *envoy_cluster_v3.Cluster) error {
if !(protocol == "http2" || protocol == "grpc") {
// do not error. returning nil means it won't get set.
@@ -346,6 +376,8 @@ func addEnvoyLBToCluster(dynamicConfig *pbproxystate.DynamicEndpointGroupConfig,
}
// TODO(proxystate): In a future PR this will create clusters and add it to ProxyResources.proxyState
+// Currently, we do not traverse the listener -> endpoint paths and instead just generate each resource by iterating
+// through its top level map. In the future we want to traverse these paths to ensure each listener has a cluster, etc.
func (pr *ProxyResources) makeEnvoyClusterFromL4Destination(l4 *pbproxystate.L4Destination) error {
return nil
}
diff --git a/agent/xdsv2/listener_resources.go b/agent/xdsv2/listener_resources.go
index ca8a3fa3b31b..2ea703c6994d 100644
--- a/agent/xdsv2/listener_resources.go
+++ b/agent/xdsv2/listener_resources.go
@@ -540,14 +540,13 @@ func (pr *ProxyResources) makeEnvoyTLSParameters(defaultParams *pbproxystate.TLS
}
func (pr *ProxyResources) makeEnvoyTransportSocket(ts *pbproxystate.TransportSocket) (*envoy_core_v3.TransportSocket, error) {
- // TODO(JM): did this just make tests pass. Figure out whether proxyState.Tls will always be available.
- if pr.proxyState.Tls == nil {
- return nil, nil
- }
if ts == nil {
return nil, nil
}
commonTLSContext := &envoy_tls_v3.CommonTlsContext{}
+ if ts.AlpnProtocols != nil {
+ commonTLSContext.AlpnProtocols = ts.AlpnProtocols
+ }
// Create connection TLS. Listeners should only look at inbound TLS.
switch ts.ConnectionTls.(type) {
@@ -555,16 +554,16 @@ func (pr *ProxyResources) makeEnvoyTransportSocket(ts *pbproxystate.TransportSoc
downstreamContext := &envoy_tls_v3.DownstreamTlsContext{}
downstreamContext.CommonTlsContext = commonTLSContext
// Set TLS Parameters.
- tlsParams := pr.makeEnvoyTLSParameters(pr.proxyState.Tls.InboundTlsParameters, ts.TlsParameters)
- commonTLSContext.TlsParams = tlsParams
+ if pr.proxyState.Tls != nil {
+ tlsParams := pr.makeEnvoyTLSParameters(pr.proxyState.Tls.InboundTlsParameters, ts.TlsParameters)
+ commonTLSContext.TlsParams = tlsParams
+ } else {
+ commonTLSContext.TlsParams = &envoy_tls_v3.TlsParameters{}
+ }
// Set the certificate config on the tls context.
// For inbound mesh, we need to add the identity certificate
// and the validation context for the mesh depending on the provided trust bundle names.
- if pr.proxyState.Tls == nil {
- // if tls is nil but connection tls is provided, then the proxy state is misconfigured
- return nil, fmt.Errorf("proxyState.Tls is required to generate router's transport socket")
- }
im := ts.ConnectionTls.(*pbproxystate.TransportSocket_InboundMesh).InboundMesh
leaf, ok := pr.proxyState.LeafCertificates[im.IdentityKey]
if !ok {
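Review bot: When `pr.proxyState.Tls` is nil, the new `else` branch sets an empty `envoy_tls_v3.TlsParameters{}` and never looks at `ts.TlsParameters`, so any per-socket TLS version or cipher restriction is silently dropped and Envoy's built-in defaults apply. If `makeEnvoyTLSParameters` tolerates nil defaults, calling it with `nil` for the first argument would preserve the override. Otherwise the fallback deserves a comment such as `// No proxy-wide TLS settings: Envoy's default protocol versions and cipher suites apply.` The same `if`/`else` is repeated in the `InboundNonMesh` and `OutboundMesh` cases in the following hunks; a small helper on `ProxyResources` would keep the three copies consistent. `makeEnvoyTransportSocket` continues outside the hunk.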
@@ -640,9 +639,13 @@ func (pr *ProxyResources) makeEnvoyTransportSocket(ts *pbproxystate.TransportSoc
case *pbproxystate.TransportSocket_InboundNonMesh:
downstreamContext := &envoy_tls_v3.DownstreamTlsContext{}
downstreamContext.CommonTlsContext = commonTLSContext
- // Set TLS Parameters
- tlsParams := pr.makeEnvoyTLSParameters(pr.proxyState.Tls.InboundTlsParameters, ts.TlsParameters)
- commonTLSContext.TlsParams = tlsParams
+ // Set TLS Parameters.
+ if pr.proxyState.Tls != nil {
+ tlsParams := pr.makeEnvoyTLSParameters(pr.proxyState.Tls.InboundTlsParameters, ts.TlsParameters)
+ commonTLSContext.TlsParams = tlsParams
+ } else {
+ commonTLSContext.TlsParams = &envoy_tls_v3.TlsParameters{}
+ }
// For non-mesh, we don't care about validation context as currently we don't support mTLS for non-mesh connections.
nonMeshTLS := ts.ConnectionTls.(*pbproxystate.TransportSocket_InboundNonMesh).InboundNonMesh
err := pr.addNonMeshCertConfig(commonTLSContext, nonMeshTLS)
@@ -657,15 +660,15 @@ func (pr *ProxyResources) makeEnvoyTransportSocket(ts *pbproxystate.TransportSoc
case *pbproxystate.TransportSocket_OutboundMesh:
upstreamContext := &envoy_tls_v3.UpstreamTlsContext{}
upstreamContext.CommonTlsContext = commonTLSContext
- // Set TLS Parameters
- tlsParams := pr.makeEnvoyTLSParameters(pr.proxyState.Tls.OutboundTlsParameters, ts.TlsParameters)
- commonTLSContext.TlsParams = tlsParams
+ // Set TLS Parameters.
+ if pr.proxyState.Tls != nil {
+ tlsParams := pr.makeEnvoyTLSParameters(pr.proxyState.Tls.OutboundTlsParameters, ts.TlsParameters)
+ commonTLSContext.TlsParams = tlsParams
+ } else {
+ commonTLSContext.TlsParams = &envoy_tls_v3.TlsParameters{}
+ }
// For outbound mesh, we need to insert the mesh identity certificate
// and the validation context for the mesh depending on the provided trust bundle names.
- if pr.proxyState.Tls == nil {
- // if tls is nil but connection tls is provided, then the proxy state is misconfigured
- return nil, fmt.Errorf("proxyState.Tls is required to generate router's transport socket")
- }
om := ts.GetOutboundMesh()
leaf, ok := pr.proxyState.LeafCertificates[om.IdentityKey]
if !ok {
diff --git a/agent/xdsv2/resources_test.go b/agent/xdsv2/resources_test.go
index edc20bccc4a0..4b0ea814b0f5 100644
--- a/agent/xdsv2/resources_test.go
+++ b/agent/xdsv2/resources_test.go
@@ -4,17 +4,19 @@
package xdsv2
import (
+ "os"
+ "path/filepath"
+ "sort"
+ "testing"
+
envoy_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
envoy_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
+
"github.com/hashicorp/consul/agent/xds/response"
"github.com/hashicorp/consul/envoyextensions/xdscommon"
proxytracker "github.com/hashicorp/consul/internal/mesh/proxy-tracker"
meshv1alpha1 "github.com/hashicorp/consul/proto-public/pbmesh/v1alpha1"
"github.com/hashicorp/consul/sdk/testutil"
- "os"
- "path/filepath"
- "sort"
- "testing"
"github.com/stretchr/testify/require"
"google.golang.org/protobuf/encoding/protojson"
diff --git a/agent/xdsv2/testdata/input/l4-single-implicit-destination-tproxy.golden b/agent/xdsv2/testdata/input/l4-single-implicit-destination-tproxy.golden
index f17fbfac21c2..72715b72154b 100644
--- a/agent/xdsv2/testdata/input/l4-single-implicit-destination-tproxy.golden
+++ b/agent/xdsv2/testdata/input/l4-single-implicit-destination-tproxy.golden
@@ -53,7 +53,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api1-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
},
"sni": "api-1.default.dc1.internal.foo.consul"
},
@@ -64,7 +65,19 @@
}
}
}
+ },
+ "leafCertificates": {
+ "test-identity": {
+ "cert": "cert1",
+ "key": "key1"
+ }
+ },
+ "trustBundles": {
+ "local": {
+ "trustDomain": "foo.consul",
+ "roots": ["root1"]
}
+ }
},
"requiredEndpoints": {
"api-1.default.dc1.internal.foo.consul": {
diff --git a/agent/xdsv2/testdata/output/clusters/l4-single-implicit-destination-tproxy.golden b/agent/xdsv2/testdata/output/clusters/l4-single-implicit-destination-tproxy.golden
index d4f50e5ccc12..76f814eb3924 100644
--- a/agent/xdsv2/testdata/output/clusters/l4-single-implicit-destination-tproxy.golden
+++ b/agent/xdsv2/testdata/output/clusters/l4-single-implicit-destination-tproxy.golden
@@ -10,7 +10,42 @@
"ads": {},
"resourceApiVersion": "V3"
}
- }
+ },
+ "name": "tcp.api-1.default.dc1.internal.foo.consul",
+ "transportSocket": {
+ "name": "tls",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+ "commonTlsContext": {
+ "alpnProtocols": [
+ "consul~tcp"
+ ],
+ "tlsCertificates": [
+ {
+ "certificateChain": {
+ "inlineString": "cert1\n"
+ },
+ "privateKey": {
+ "inlineString": "key1\n"
+ }
+ }
+ ],
+ "tlsParams": {},
+ "validationContext": {
+ "matchSubjectAltNames": [
+ {
+ "exact": "spiffe://foo.consul/ap/default/ns/default/identity/api1-identity"
+ }
+ ],
+ "trustedCa": {
+ "inlineString": "root1\n"
+ }
+ }
+ },
+ "sni": "api-1.default.dc1.internal.foo.consul"
+ }
+ },
+ "type": "EDS"
}
],
"typeUrl": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
diff --git a/api/operator_audit.go b/api/operator_audit.go
new file mode 100644
index 000000000000..b255d67f4e31
--- /dev/null
+++ b/api/operator_audit.go
@@ -0,0 +1,40 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+// The /v1/operator/audit-hash endpoint is available only in Consul Enterprise and
+// interact with its audit logging subsystem.
+
+package api
+
+type AuditHashRequest struct {
+ Input string
+}
+
+type AuditHashResponse struct {
+ Hash string
+}
+
+func (op *Operator) AuditHash(a *AuditHashRequest, q *QueryOptions) (*AuditHashResponse, error) {
+ r := op.c.newRequest("POST", "/v1/operator/audit-hash")
+ r.setQueryOptions(q)
+ r.obj = a
+
+ rtt, resp, err := op.c.doRequest(r)
+ if err != nil {
+ return nil, err
+ }
+ defer closeResponseBody(resp)
+ if err := requireOK(resp); err != nil {
+ return nil, err
+ }
+
+ wm := &WriteMeta{}
+ wm.RequestTime = rtt
+
+ var out AuditHashResponse
+ if err := decodeBody(resp, &out); err != nil {
+ return nil, err
+ }
+
+ return &out, nil
+}
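Review bot: `AuditHash` builds a `WriteMeta`, stores the round-trip time in it, and then discards it: `wm` is never returned or read, so `wm := &WriteMeta{}` and `wm.RequestTime = rtt` are dead code. Either drop them (and assign `rtt` to `_`) or return the metadata if callers are meant to see `RequestTime`. The exported `AuditHashRequest`, `AuditHashResponse` and `AuditHash` also lack doc comments; the one on `Input` should say that it is the value to be hashed and that it is sent to the server in the request body. The file comment reads "interact" where "interacts" is meant.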
diff --git a/command/debug/debug.go b/command/debug/debug.go
index 291e0d79e86b..9fe18280b820 100644
--- a/command/debug/debug.go
+++ b/command/debug/debug.go
@@ -26,6 +26,8 @@ import (
"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/command/flags"
+
+ "github.com/hashicorp/hcdiag/command"
)
const (
@@ -81,6 +83,7 @@ type cmd struct {
interval time.Duration
duration time.Duration
output string
+ since string
archive bool
capture []string
client *api.Client
@@ -135,6 +138,8 @@ func (c *cmd) init() {
c.flags.StringVar(&c.output, "output", defaultFilename, "The path "+
"to the compressed archive that will be created with the "+
"information after collection.")
+ c.flags.StringVar(&c.since, "since", "", "Flag used for hcdiag command, time within"+
+ "which information is collected")
c.http = &flags.HTTPFlags{}
flags.Merge(c.flags, c.http.ClientFlags())
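Review bot: The help text for `-since` is missing a space at the string join, so `"time within"+"which information is collected"` renders as "time withinwhich". Put the space at the end of the first literal: `"Flag used for hcdiag command, time within "+`. The description could also name the accepted format (the usage text added in this commit shows `1h`), since the value is handed to hcdiag as given.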
@@ -181,9 +186,17 @@ func (c *cmd) Run(args []string) int {
}
c.UI.Output("Starting debugger and capturing static information...")
+ c.UI.Info(fmt.Sprintf(" Agent Version: '%s'", version))
+
+ if c.since != "" {
+ runCommand := command.NewRunCommand(&cli.BasicUi{
+ Writer: os.Stdout, ErrorWriter: os.Stderr,
+ })
+ runCommand.Run([]string{"-consul", fmt.Sprintf("-since=%s", c.since)})
+ return 0
+ }
// Output metadata about target agent
- c.UI.Info(fmt.Sprintf(" Agent Version: '%s'", version))
c.UI.Info(fmt.Sprintf(" Interval: '%s'", c.interval))
c.UI.Info(fmt.Sprintf(" Duration: '%s'", c.duration))
c.UI.Info(fmt.Sprintf(" Output: '%s'", archiveName))
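Review bot: The `-since` branch throws away the exit status of the hcdiag run and always reports success: `runCommand.Run(...)` is called for effect and followed by `return 0`. Returning it, `return runCommand.Run([]string{"-consul", fmt.Sprintf("-since=%s", c.since)})`, lets scripts detect a failed collection. The branch also writes through a fresh `cli.BasicUi` on `os.Stdout`/`os.Stderr` instead of `c.UI`, and it apparently returns before `-output`, `-duration`, `-interval` and `-capture` take effect, with no message saying those flags are ignored. `c.since` is forwarded without validation, so a malformed value is only caught, if at all, inside hcdiag. `Run` continues outside the hunk.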
@@ -772,6 +785,11 @@ Usage: consul debug [options]
strongly recommend review of the data within the archive prior to
transmitting it.
+ To get information from past, -since flag can be used. It internally uses
+ hcdiag -consul -since
+
+ $ consul debug -since 1h
+
For a full list of options and examples, please see the Consul
documentation.
`
diff --git a/command/debug/debug_test.go b/command/debug/debug_test.go
index 1340ed057f8d..c05d115873f0 100644
--- a/command/debug/debug_test.go
+++ b/command/debug/debug_test.go
@@ -95,6 +95,33 @@ func TestDebugCommand(t *testing.T) {
require.Equal(t, "", ui.ErrorWriter.String(), "expected no error output")
}
+func TestDebugCommand_WithSinceFlag(t *testing.T) {
+ if testing.Short() {
+ t.Skip("too slow for testing.Short")
+ }
+
+ a := agent.NewTestAgent(t, `
+ enable_debug = true
+ `)
+
+ defer a.Shutdown()
+ testrpc.WaitForLeader(t, a.RPC, "dc1")
+
+ ui := cli.NewMockUi()
+ cmd := New(ui)
+ cmd.validateTiming = false
+
+ args := []string{
+ "-since=1m",
+ }
+
+ t.Setenv("CONSUL_HTTP_ADDR", a.HTTPAddr())
+
+ code := cmd.Run(args)
+ require.Equal(t, 0, code)
+ require.Equal(t, "", ui.ErrorWriter.String())
+}
+
func validLogFile(raw []byte) fs.CompareResult {
scanner := bufio.NewScanner(bytes.NewReader(raw))
for scanner.Scan() {
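Review bot: `TestDebugCommand_WithSinceFlag` cannot fail when the hcdiag run fails: the command under test returns 0 unconditionally on the `-since` path and sends hcdiag's output to `os.Stdout`/`os.Stderr`, so both `require.Equal(t, 0, code)` and the empty `ui.ErrorWriter` check pass regardless. The first assertion becomes meaningful once `Run` propagates hcdiag's exit code; the second needs the hcdiag UI to be the injected `ui`. The test also does not point the run at a temporary directory, so any bundle hcdiag writes presumably lands in the package directory; running from `t.TempDir()` would contain it.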
diff --git a/go.mod b/go.mod
index 6f66be3244ab..d828a475a5bb 100644
--- a/go.mod
+++ b/go.mod
@@ -60,8 +60,9 @@ require (
github.com/hashicorp/go-uuid v1.0.3
github.com/hashicorp/go-version v1.2.1
github.com/hashicorp/golang-lru v0.5.4
+ github.com/hashicorp/hcdiag v0.5.1
github.com/hashicorp/hcl v1.0.0
- github.com/hashicorp/hcl/v2 v2.6.0
+ github.com/hashicorp/hcl/v2 v2.14.1
github.com/hashicorp/hcp-scada-provider v0.2.3
github.com/hashicorp/hcp-sdk-go v0.61.0
github.com/hashicorp/hil v0.0.0-20200423225030-a18a1cd20038
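Review bot: Adding `github.com/hashicorp/hcdiag v0.5.1` as a direct dependency for a single `consul debug` flag widens the module graph considerably. In this same file it appears to bring in new indirect modules (`Masterminds/sprig/v3`, `Masterminds/goutils`, `cosiner/argv`, `mitchellh/go-ps`, `huandu/xstrings`, `shopspring/decimal`, `spf13/cast`) and coincides with large jumps of `hashicorp/hcl/v2` (v2.6.0 to v2.14.1) and `zclconf/go-cty` (v1.2.0 to v1.11.1). Each of these becomes code linked into the agent binary and has to be tracked for advisories. It would be worth recording in the PR description that the hcl/v2 and go-cty upgrades were reviewed on their own merits, or isolating the hcdiag integration behind a build tag or separate binary.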
@@ -79,7 +80,7 @@ require (
github.com/imdario/mergo v0.3.15
github.com/kr/text v0.2.0
github.com/miekg/dns v1.1.50
- github.com/mitchellh/cli v1.1.0
+ github.com/mitchellh/cli v1.1.4
github.com/mitchellh/copystructure v1.2.0
github.com/mitchellh/go-testing-interface v1.14.0
github.com/mitchellh/hashstructure v0.0.0-20170609045927-2bca23e0e452
@@ -96,10 +97,10 @@ require (
github.com/prometheus/client_golang v1.14.0
github.com/rboyer/safeio v0.2.3
github.com/ryanuber/columnize v2.1.2+incompatible
- github.com/shirou/gopsutil/v3 v3.22.8
+ github.com/shirou/gopsutil/v3 v3.22.9
github.com/stretchr/testify v1.8.3
github.com/xeipuuv/gojsonschema v1.2.0
- github.com/zclconf/go-cty v1.2.0
+ github.com/zclconf/go-cty v1.11.1
go.etcd.io/bbolt v1.3.7
go.opentelemetry.io/otel v1.16.0
go.opentelemetry.io/otel/metric v1.16.0
@@ -141,10 +142,12 @@ require (
github.com/Azure/go-autorest/logger v0.2.1 // indirect
github.com/Azure/go-autorest/tracing v0.6.0 // indirect
github.com/DataDog/datadog-go v4.8.2+incompatible // indirect
+ github.com/Masterminds/goutils v1.1.1 // indirect
+ github.com/Masterminds/semver/v3 v3.1.1 // indirect
+ github.com/Masterminds/sprig/v3 v3.2.2 // indirect
github.com/Microsoft/go-winio v0.6.1 // indirect
- github.com/agext/levenshtein v1.2.1 // indirect
- github.com/apparentlymart/go-textseg v1.0.0 // indirect
- github.com/apparentlymart/go-textseg/v12 v12.0.0 // indirect
+ github.com/agext/levenshtein v1.2.3 // indirect
+ github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
github.com/benbjohnson/immutable v0.4.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
@@ -159,6 +162,7 @@ require (
github.com/coreos/etcd v3.3.27+incompatible // indirect
github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf // indirect
github.com/coreos/pkg v0.0.0-20220810130054-c7d1c02cb6cf // indirect
+ github.com/cosiner/argv v0.1.0 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/denverdino/aliyungo v0.0.0-20170926055100-d3308649c661 // indirect
github.com/digitalocean/godo v1.10.0 // indirect
@@ -201,12 +205,13 @@ require (
github.com/hashicorp/mdns v1.0.4 // indirect
github.com/hashicorp/net-rpc-msgpackrpc/v2 v2.0.0 // indirect
github.com/hashicorp/vic v1.5.1-0.20190403131502-bbfe86ec9443 // indirect
+ github.com/huandu/xstrings v1.3.2 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/joyent/triton-go v1.7.1-0.20200416154420-6801d15b779f // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/linode/linodego v0.10.0 // indirect
- github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
+ github.com/lufia/plan9stats v0.0.0-20220913051719-115f729f3c8c // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.17 // indirect
@@ -214,7 +219,8 @@ require (
github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
- github.com/mitchellh/go-wordwrap v1.0.0 // indirect
+ github.com/mitchellh/go-ps v1.0.0 // indirect
+ github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
@@ -222,10 +228,10 @@ require (
github.com/oklog/run v1.0.0 // indirect
github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
github.com/packethost/packngo v0.1.1-0.20180711074735-b9cb5096f54c // indirect
- github.com/pierrec/lz4 v2.5.2+incompatible // indirect
+ github.com/pierrec/lz4 v2.6.1+incompatible // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/posener/complete v1.2.3 // indirect
- github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
+ github.com/power-devops/perfstat v0.0.0-20220216144756-c35f1ee13d7c // indirect
github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
github.com/prometheus/client_model v0.3.0 // indirect
github.com/prometheus/common v0.39.0 // indirect
@@ -235,14 +241,16 @@ require (
github.com/ryanuber/go-glob v1.0.0 // indirect
github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 // indirect
github.com/segmentio/fasthash v1.0.3 // indirect
+ github.com/shopspring/decimal v1.3.1 // indirect
github.com/sirupsen/logrus v1.9.0 // indirect
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
github.com/softlayer/softlayer-go v0.0.0-20180806151055-260589d94c7d // indirect
+ github.com/spf13/cast v1.5.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/stretchr/objx v0.5.0 // indirect
github.com/tencentcloud/tencentcloud-sdk-go v1.0.162 // indirect
github.com/tklauser/go-sysconf v0.3.10 // indirect
- github.com/tklauser/numcpus v0.4.0 // indirect
+ github.com/tklauser/numcpus v0.5.0 // indirect
github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926 // indirect
github.com/vmware/govmomi v0.18.0 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
diff --git a/go.sum b/go.sum
index 9291cb5530f5..a809cbba8070 100644
--- a/go.sum
+++ b/go.sum
@@ -99,6 +99,14 @@ github.com/DataDog/datadog-go v2.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3
github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
github.com/DataDog/datadog-go v4.8.2+incompatible h1:qbcKSx29aBLD+5QLvlQZlGmRMF/FfGqFLFev/1TDzRo=
github.com/DataDog/datadog-go v4.8.2+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
+github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
+github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
+github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
+github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc=
+github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
+github.com/Masterminds/sprig/v3 v3.2.0/go.mod h1:tWhwTbUTndesPNeF0C900vKoq283u6zp4APT9vaF3SI=
+github.com/Masterminds/sprig/v3 v3.2.2 h1:17jRggJu518dr3QaafizSXOjKYp94wKfABxUmyxvxX8=
+github.com/Masterminds/sprig/v3 v3.2.2/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk=
github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
@@ -111,8 +119,8 @@ github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdko
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
github.com/abdullin/seq v0.0.0-20160510034733-d5467c17e7af h1:DBNMBMuMiWYu0b+8KMJuWmfCkcxl09JwdlqwDZZ6U14=
github.com/abdullin/seq v0.0.0-20160510034733-d5467c17e7af/go.mod h1:5Jv4cbFiHJMsVxt52+i0Ha45fjshj6wxYr1r19tB9bw=
-github.com/agext/levenshtein v1.2.1 h1:QmvMAjj2aEICytGiWzmxoE0x2KZvE0fvmqMOfy2tjT8=
-github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
+github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
+github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -120,11 +128,8 @@ github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRF
github.com/aliyun/alibaba-cloud-sdk-go v1.62.156 h1:K4N91T1+RlSlx+t2dujeDviy4ehSGVjEltluDgmeHS4=
github.com/aliyun/alibaba-cloud-sdk-go v1.62.156/go.mod h1:Api2AkmMgGaSUAhmk76oaFObkoeCPc/bKAqcyplPODs=
github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
-github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM=
-github.com/apparentlymart/go-textseg v1.0.0 h1:rRmlIsPEEhUTIKQb7T++Nz/A5Q6C9IuX2wFoYVvnCs0=
-github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk=
-github.com/apparentlymart/go-textseg/v12 v12.0.0 h1:bNEQyAGak9tojivJNkoqWErVCQbjdL7GzRt3F8NvfJ0=
-github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec=
+github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
+github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e h1:QEF07wC0T1rKkctt1RINW/+RMTVmiwxETico2l3gxJA=
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
@@ -197,6 +202,8 @@ github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7
github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
github.com/coreos/pkg v0.0.0-20220810130054-c7d1c02cb6cf h1:GOPo6vn/vTN+3IwZBvXX0y5doJfSC7My0cdzelyOCsQ=
github.com/coreos/pkg v0.0.0-20220810130054-c7d1c02cb6cf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
+github.com/cosiner/argv v0.1.0 h1:BVDiEL32lwHukgJKP87btEPenzrrHUjajs/8yzaqcXg=
+github.com/cosiner/argv v0.1.0/go.mod h1:EusR6TucWKX+zFgtdUsKT2Cvg45K5rtpCcWz4hK06d8=
github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -251,8 +258,8 @@ github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
github.com/frankban/quicktest v1.10.0/go.mod h1:ui7WezCLWMWxVWr1GETZY3smRy0G4KWq9vcPtJmFl7Y=
-github.com/frankban/quicktest v1.13.0 h1:yNZif1OkDfNoDfb9zZa9aXIpejNR4F23Wely0c+Qdqk=
github.com/frankban/quicktest v1.13.0/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU=
+github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
@@ -319,7 +326,6 @@ github.com/go-ozzo/ozzo-validation v3.6.0+incompatible/go.mod h1:gsEKFIVnabGBt6m
github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
-github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg=
github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0=
@@ -375,7 +381,6 @@ github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71
github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -417,7 +422,6 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-querystring v0.0.0-20170111101155-53e6ce116135/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
@@ -559,10 +563,12 @@ github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ
github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
+github.com/hashicorp/hcdiag v0.5.1 h1:KZcx9xzRfEOQ2OMbwPxVvHyXwLLRqYpSHxCEOtHfQ6w=
+github.com/hashicorp/hcdiag v0.5.1/go.mod h1:RMC2KkffN9uJ+5mFSaL67ZFVj4CDeetPF2d/53XpwXo=
github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hashicorp/hcl/v2 v2.6.0 h1:3krZOfGY6SziUXa6H9PJU6TyohHn7I+ARYnhbeNBz+o=
-github.com/hashicorp/hcl/v2 v2.6.0/go.mod h1:bQTN5mpo+jewjJgh8jr0JUguIi7qPHUF6yIfAEN3jqY=
+github.com/hashicorp/hcl/v2 v2.14.1 h1:x0BpjfZ+CYdbiz+8yZTQ+gdLO7IXvOut7Da+XJayx34=
+github.com/hashicorp/hcl/v2 v2.14.1/go.mod h1:e4z5nxYlWNPdDSNYX+ph14EvWYMFm3eP0zIUqPc2jr0=
github.com/hashicorp/hcp-scada-provider v0.2.3 h1:AarYR+/Pcv+cMvPdAlb92uOBmZfEH6ny4+DT+4NY2VQ=
github.com/hashicorp/hcp-scada-provider v0.2.3/go.mod h1:ZFTgGwkzNv99PLQjTsulzaCplCzOTBh0IUQsPKzrQFo=
github.com/hashicorp/hcp-sdk-go v0.61.0 h1:x4hJ8SlLI5WCE8Uzcu4q5jfdOEz/hFxfUkhAdoFdzSg=
@@ -609,10 +615,14 @@ github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKe
github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 h1:xixZ2bWeofWV68J+x6AzmKuVM/JWCQwkWm6GW/MUR6I=
github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
+github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw=
+github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
github.com/imdario/mergo v0.3.15 h1:M8XP7IuFNsqUx6VPK2P9OSmsYsI/YFaGil0uD21V3dM=
github.com/imdario/mergo v0.3.15/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
@@ -665,13 +675,13 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348 h1:MtvEpTB6LX3vkb4ax0b5D2DHbNAUsen0Gx5wZoq3lV4=
-github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
github.com/linode/linodego v0.7.1/go.mod h1:ga11n3ivecUrPCHN0rANxKmfWBJVkOXfLMZinAbj2sY=
github.com/linode/linodego v0.10.0 h1:AMdb82HVgY8o3mjBXJcUv9B+fnJjfDMn2rNRGbX+jvM=
github.com/linode/linodego v0.10.0/go.mod h1:cziNP7pbvE3mXIPneHj0oRY8L1WtGEIKlZ8LANE4eXA=
-github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4=
github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
+github.com/lufia/plan9stats v0.0.0-20220913051719-115f729f3c8c h1:VtwQ41oftZwlMnOEbMWQtSEUgU64U4s+GHk7hZK+jtY=
+github.com/lufia/plan9stats v0.0.0-20220913051719-115f729f3c8c/go.mod h1:JKx41uQRwqlTZabZc+kILPrO/3jlKnQ2Z8b7YiVw5cE=
github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
@@ -710,8 +720,9 @@ github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJys
github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
-github.com/mitchellh/cli v1.1.0 h1:tEElEatulEHDeedTxwckzyYMA5c86fbmNIUL1hBIiTg=
github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI=
+github.com/mitchellh/cli v1.1.4 h1:qj8czE26AU4PbiaPXK5uVmMSM+V5BYsFBiM9HhGRLUA=
+github.com/mitchellh/cli v1.1.4/go.mod h1:vTLESy5mRhKOs9KDp0/RATawxP1UqBmdrpVRMnpcvKQ=
github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db h1:62I3jR2EmQ4l5rM/4FEfDWcRD+abF5XlKShorW5LRoQ=
github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db/go.mod h1:l0dey0ia/Uv7NcFFVbCLtqEBQbrT4OCwCSKTEv6enCw=
github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
@@ -719,13 +730,15 @@ github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa1
github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
+github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
github.com/mitchellh/go-testing-interface v1.14.0 h1:/x0XQ6h+3U3nAyk1yx+bHPURrKa9sVVvYbuqZ7pIAtI=
github.com/mitchellh/go-testing-interface v1.14.0/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8=
-github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
-github.com/mitchellh/go-wordwrap v1.0.0 h1:6GlHJ/LTGMrIJbwgdqdl2eEH8o+Exx/0m8ir9Gns0u4=
github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
+github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
+github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
github.com/mitchellh/hashstructure v0.0.0-20170609045927-2bca23e0e452 h1:hOY53G+kBFhbYFpRVxHl5eS7laP6B1+Cq+Z9Dry1iMU=
github.com/mitchellh/hashstructure v0.0.0-20170609045927-2bca23e0e452/go.mod h1:QjSHrPWS+BGUVBYkbTZWEnOh3G1DutKwClXU/ABz6AQ=
github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
@@ -790,8 +803,9 @@ github.com/pborman/getopt v0.0.0-20170112200414-7148bc3a4c30/go.mod h1:85jBQOZwp
github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=
github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pierrec/lz4 v2.5.2+incompatible h1:WCjObylUIOlKy/+7Abdn34TLIkXiA4UWUMhxq9m9ZXI=
github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
+github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM=
+github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -802,8 +816,9 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH
github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
github.com/posener/complete v1.2.3 h1:NP0eAhjcjImqslEwo/1hq7gpajME0fTLTezBKDqfXqo=
github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s=
-github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw=
github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
+github.com/power-devops/perfstat v0.0.0-20220216144756-c35f1ee13d7c h1:NRoLoZvkBTKvR5gQLgA3e0hqjkY9u1wm+iOL45VN/qI=
+github.com/power-devops/perfstat v0.0.0-20220216144756-c35f1ee13d7c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 h1:J9b7z+QKAmPf4YLrFg6oQUotqHQeUNWwkvo7jZp1GLU=
github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
@@ -862,10 +877,13 @@ github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 h1:nn5Wsu0esKSJiIVhscUt
github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
github.com/segmentio/fasthash v1.0.3 h1:EI9+KE1EwvMLBWwjpRDc+fEM+prwxDYbslddQGtrmhM=
github.com/segmentio/fasthash v1.0.3/go.mod h1:waKX8l2N8yckOgmSsXJi7x1ZfdKZ4x7KRMzBtS3oedY=
-github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
-github.com/shirou/gopsutil/v3 v3.22.8 h1:a4s3hXogo5mE2PfdfJIonDbstO/P+9JszdfhAHSzD9Y=
-github.com/shirou/gopsutil/v3 v3.22.8/go.mod h1:s648gW4IywYzUfE/KjXxUsqrqx/T2xO5VqOXxONeRfI=
+github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
+github.com/shirou/gopsutil/v3 v3.22.9 h1:yibtJhIVEMcdw+tCTbOPiF1VcsuDeTE4utJ8Dm4c5eA=
+github.com/shirou/gopsutil/v3 v3.22.9/go.mod h1:bBYl1kjgEJpWpxeHmLI+dVHWtyAwfcmSBLDsp2TNT8A=
github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4=
+github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
+github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8=
+github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
@@ -883,11 +901,13 @@ github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B
github.com/spf13/afero v1.2.1/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
+github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
@@ -918,8 +938,9 @@ github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4=
github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
github.com/tklauser/go-sysconf v0.3.10 h1:IJ1AZGZRWbY8T5Vfk04D9WOA5WSejdflXxP03OUqALw=
github.com/tklauser/go-sysconf v0.3.10/go.mod h1:C8XykCvCb+Gn0oNCWPIlcb0RuglQTYaQ2hGm7jmxEFk=
-github.com/tklauser/numcpus v0.4.0 h1:E53Dm1HjH1/R2/aoCtXtPgzmElmn51aOkhCFSuZq//o=
github.com/tklauser/numcpus v0.4.0/go.mod h1:1+UI3pD8NW14VMwdgJNJ1ESk2UnwhAnz5hMwiKKqXCQ=
+github.com/tklauser/numcpus v0.5.0 h1:ooe7gN0fg6myJ0EKoTAf5hebTZrH52px3New/D9iJ+A=
+github.com/tklauser/numcpus v0.5.0/go.mod h1:OGzpTxpcIMNGYQdit2BYL1pvk/dSOaJWjKoflh+RQjo=
github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926 h1:G3dpKMzFDjgEh2q1Z7zUUtKa8ViPtH+ocF0bE0g00O8=
github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
@@ -929,7 +950,6 @@ github.com/uber/jaeger-lib v2.4.1+incompatible h1:td4jdvLcExb4cBISKIpHuGoVXh+dVK
github.com/uber/jaeger-lib v2.4.1+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U=
github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
-github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
github.com/vmware/govmomi v0.18.0 h1:f7QxSmP7meCtoAmiKZogvVbLInT+CZx6Px6K5rYsJZo=
github.com/vmware/govmomi v0.18.0/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU=
github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
@@ -955,8 +975,8 @@ github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
github.com/yusufpapurcu/wmi v1.2.2 h1:KBNDSne4vP5mbSWnJbO+51IMOXJB67QiYCSBrubbPRg=
github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-github.com/zclconf/go-cty v1.2.0 h1:sPHsy7ADcIZQP3vILvTjrh74ZA175TFP5vqiNK1UmlI=
-github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8=
+github.com/zclconf/go-cty v1.11.1 h1:UMMYDL4riBFaPdzjEWcDdWG7x/Adz8E8f9OX/MGR7V4=
+github.com/zclconf/go-cty v1.11.1/go.mod h1:s9IfD1LK5ccNMSWCVFCE2rJfHiZgi7JijgeWIMfhLvA=
go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
@@ -1001,7 +1021,6 @@ golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnf
golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
-golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -1009,7 +1028,9 @@ golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
@@ -1063,7 +1084,6 @@ golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73r
golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180611182652-db08ff08e862/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1166,7 +1186,6 @@ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20190419153524-e8e3143a4f4a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190515120540-06a5c4944438/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190523142557-0e01d883c5c5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1505,6 +1524,7 @@ gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/internal/auth/internal/types/computed_traffic_permissions.go b/internal/auth/internal/types/computed_traffic_permissions.go
index 753d875f8b1e..8d30c1f0200e 100644
--- a/internal/auth/internal/types/computed_traffic_permissions.go
+++ b/internal/auth/internal/types/computed_traffic_permissions.go
@@ -10,7 +10,7 @@ import (
)
const (
- ComputedTrafficPermissionsKind = "ComputedTrafficPermission"
+ ComputedTrafficPermissionsKind = "ComputedTrafficPermissions"
)
var (
diff --git a/internal/mesh/internal/controllers/register.go b/internal/mesh/internal/controllers/register.go
index cc62da83dec0..b9272e58053d 100644
--- a/internal/mesh/internal/controllers/register.go
+++ b/internal/mesh/internal/controllers/register.go
@@ -21,6 +21,7 @@ import (
type Dependencies struct {
TrustDomainFetcher sidecarproxy.TrustDomainFetcher
LocalDatacenter string
+ DefaultAllow bool
TrustBundleFetcher xds.TrustBundleFetcher
ProxyUpdater xds.ProxyUpdater
LeafCertManager *leafcert.Manager
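Review bot: The new `DefaultAllow` field in `Dependencies` has no comment, although it appears to decide whether mesh traffic that matches no traffic permission is allowed. I would document it where it is declared, for example `// DefaultAllow makes proxies allow traffic that no traffic permission matches; the zero value (false) denies it.` That wording assumes the flag carries the agent's ACL default policy, which the agent.go hunk suggests but this hunk does not show, so please confirm it before adopting the comment. The struct continues past the end of the hunk.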
@@ -44,7 +45,7 @@ func Register(mgr *controller.Manager, deps Dependencies) {
m = sidecarproxymapper.New(destinationsCache, proxyCfgCache, computedRoutesCache, identitiesCache)
)
mgr.Register(
- sidecarproxy.Controller(destinationsCache, proxyCfgCache, computedRoutesCache, identitiesCache, m, deps.TrustDomainFetcher, deps.LocalDatacenter),
+ sidecarproxy.Controller(destinationsCache, proxyCfgCache, computedRoutesCache, identitiesCache, m, deps.TrustDomainFetcher, deps.LocalDatacenter, deps.DefaultAllow),
)
mgr.Register(routes.Controller())
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/builder.go b/internal/mesh/internal/controllers/sidecarproxy/builder/builder.go
index 0c0cd0661d17..ba600f4fe044 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/builder.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/builder.go
@@ -16,6 +16,7 @@ type Builder struct {
proxyCfg *pbmesh.ProxyConfiguration
trustDomain string
localDatacenter string
+ defaultAllow bool
}
func New(
@@ -23,12 +24,14 @@ func New(
identity *pbresource.Reference,
trustDomain string,
dc string,
+ defaultAllow bool,
proxyCfg *pbmesh.ProxyConfiguration,
) *Builder {
return &Builder{
id: id,
trustDomain: trustDomain,
localDatacenter: dc,
+ defaultAllow: defaultAllow,
proxyCfg: proxyCfg,
proxyStateTemplate: &pbmesh.ProxyStateTemplate{
ProxyState: &pbmesh.ProxyState{
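Review bot: `defaultAllow bool` is added to `New` as a bare positional argument between `dc` and `proxyCfg`, so call sites end in `"dc1", false, nil)` with nothing at the call saying what `false` controls. For a value that appears to relax the proxy's default authorization behaviour, `New` should at least get a doc comment naming it, e.g. `// New returns a Builder; defaultAllow is copied to ProxyState.TrafficPermissionDefaultAllow by Build.` A setter on `Builder` or an options struct would keep call sites self-describing, if the package is open to that. The signature of `New` starts above the hunk and its body continues below it.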
@@ -55,6 +58,7 @@ func (b *Builder) Build() *pbmesh.ProxyStateTemplate {
b.proxyStateTemplate.RequiredTrustBundles[b.id.Tenancy.PeerName] = &pbproxystate.TrustBundleRef{
Peer: b.id.Tenancy.PeerName,
}
+ b.proxyStateTemplate.ProxyState.TrafficPermissionDefaultAllow = b.defaultAllow
return b.proxyStateTemplate
}
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder.go b/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder.go
index 147d6a7b5452..126e5bfc68e1 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder.go
@@ -508,7 +508,8 @@ func (b *Builder) addCluster(clusterName, sni, portName string, destinationIdent
OutboundMesh: &pbproxystate.OutboundMeshMTLS{
IdentityKey: b.proxyStateTemplate.ProxyState.Identity.Name,
ValidationContext: &pbproxystate.MeshOutboundValidationContext{
- SpiffeIds: spiffeIDs,
+ SpiffeIds: spiffeIDs,
+ TrustBundlePeerNameKey: b.id.Tenancy.PeerName,
},
Sni: sni,
},
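Review bot: `TrustBundlePeerNameKey` in `addCluster` is filled from `b.id.Tenancy.PeerName`, which appears to be the tenancy of the proxy being built rather than anything derived from the destination the cluster points at. If a destination can ever belong to a different peer, the upstream certificate would be checked against the local trust bundle instead of that peer's; whether that case is reachable is not visible in this hunk. If only local-peer destinations are supported for now, record that next to the field, e.g. `// Only the local peer's trust bundle is used; revisit when destinations may live in another peer.` `addCluster` begins and ends outside the hunk.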
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder_multiport_test.go b/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder_multiport_test.go
index 1443acc63255..a8a8e0820147 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder_multiport_test.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder_multiport_test.go
@@ -210,7 +210,7 @@ func TestBuildMultiportImplicitDestinations(t *testing.T) {
for name, c := range cases {
t.Run(name, func(t *testing.T) {
- proxyTmpl := New(testProxyStateTemplateID(), testIdentityRef(), trustDomain, datacenter, proxyCfg).
+ proxyTmpl := New(testProxyStateTemplateID(), testIdentityRef(), trustDomain, datacenter, false, proxyCfg).
BuildDestinations(c.getDestinations()).
Build()
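Review bot: Every updated call to `New` in the test hunks shown here passes `false` for the new `defaultAllow` argument (this one and both hunks in destination_builder_test.go), so nothing visible checks that `true` reaches `ProxyState.TrafficPermissionDefaultAllow`. Since that flag appears to switch the proxy away from default-deny, I would add a case that builds with `New(testProxyStateTemplateID(), testIdentityRef(), "foo.consul", "dc1", true, nil).Build()` and asserts the field is set, using whatever assertion helper the file already imports. Golden files may already cover this; they are not part of these hunks.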
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder_test.go b/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder_test.go
index a2381da05d6c..9af0853bef33 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder_test.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/destination_builder_test.go
@@ -243,7 +243,7 @@ func TestBuildExplicitDestinations(t *testing.T) {
for name, c := range cases {
t.Run(name, func(t *testing.T) {
- proxyTmpl := New(testProxyStateTemplateID(), testIdentityRef(), "foo.consul", "dc1", nil).
+ proxyTmpl := New(testProxyStateTemplateID(), testIdentityRef(), "foo.consul", "dc1", false, nil).
BuildDestinations(c.destinations).
Build()
@@ -360,7 +360,7 @@ func TestBuildImplicitDestinations(t *testing.T) {
for name, c := range cases {
t.Run(name, func(t *testing.T) {
- proxyTmpl := New(testProxyStateTemplateID(), testIdentityRef(), "foo.consul", "dc1", proxyCfg).
+ proxyTmpl := New(testProxyStateTemplateID(), testIdentityRef(), "foo.consul", "dc1", false, proxyCfg).
BuildDestinations(c.destinations).
Build()
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go
index 61ccccfbf7ba..c339dd34c93a 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go
@@ -243,6 +243,9 @@ func (b *Builder) addInboundListener(name string, workload *pbcatalog.Workload)
},
}
+ // Add TLS inspection capability to be able to parse ALPN and/or SNI information from inbound connections.
+ listener.Capabilities = append(listener.Capabilities, pbproxystate.Capability_CAPABILITY_L4_TLS_INSPECTION)
+
return b.NewListenerBuilder(listener)
}
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_multiport_test.go b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_multiport_test.go
index 96b795109f53..e1d4cb664a08 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_multiport_test.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_multiport_test.go
@@ -88,7 +88,7 @@ func TestBuildLocalApp_Multiport(t *testing.T) {
for name, c := range cases {
t.Run(name, func(t *testing.T) {
- proxyTmpl := New(testProxyStateTemplateID(), testIdentityRef(), "foo.consul", "dc1", nil).
+ proxyTmpl := New(testProxyStateTemplateID(), testIdentityRef(), "foo.consul", "dc1", false, nil).
BuildLocalApp(c.workload, nil).
Build()
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_test.go b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_test.go
index 66985c74b4e8..ba372efe68de 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_test.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_test.go
@@ -21,8 +21,9 @@ import (
func TestBuildLocalApp(t *testing.T) {
cases := map[string]struct {
- workload *pbcatalog.Workload
- ctp *pbauth.ComputedTrafficPermissions
+ workload *pbcatalog.Workload
+ ctp *pbauth.ComputedTrafficPermissions
+ defaultAllow bool
}{
"source/l4-single-workload-address-without-ports": {
workload: &pbcatalog.Workload{
@@ -83,12 +84,13 @@ func TestBuildLocalApp(t *testing.T) {
},
},
},
+ defaultAllow: true,
},
}
for name, c := range cases {
t.Run(name, func(t *testing.T) {
- proxyTmpl := New(testProxyStateTemplateID(), testIdentityRef(), "foo.consul", "dc1", nil).
+ proxyTmpl := New(testProxyStateTemplateID(), testIdentityRef(), "foo.consul", "dc1", c.defaultAllow, nil).
BuildLocalApp(c.workload, c.ctp).
Build()
actual := protoToJSON(t, proxyTmpl)
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-implicit-and-explicit-destinations-tproxy.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-implicit-and-explicit-destinations-tproxy.golden
index aee378f1902f..81597958362b 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-implicit-and-explicit-destinations-tproxy.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-implicit-and-explicit-destinations-tproxy.golden
@@ -18,7 +18,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api1-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
@@ -43,7 +44,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api2-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multi-destination.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multi-destination.golden
index 1c393ec7dc0f..4dd21947a754 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multi-destination.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multi-destination.golden
@@ -28,7 +28,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api1-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
@@ -53,7 +54,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api2-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multiple-implicit-destinations-tproxy.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multiple-implicit-destinations-tproxy.golden
index d23c1ff1c74f..145b38ecd3ae 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multiple-implicit-destinations-tproxy.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-multiple-implicit-destinations-tproxy.golden
@@ -18,7 +18,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api1-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
@@ -43,7 +44,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api2-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-ip-port-bind-address.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-ip-port-bind-address.golden
index 3ac00f37a719..0f4689784f27 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-ip-port-bind-address.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-ip-port-bind-address.golden
@@ -28,7 +28,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api1-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
@@ -50,7 +51,9 @@
"outboundMesh": {
"identityKey": "test-identity",
"sni": "api-2.default.dc1.internal.foo.consul",
- "validationContext": {}
+ "validationContext": {
+ "trustBundlePeerNameKey": "local"
+ }
}
}
}
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-unix-socket-bind-address.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-unix-socket-bind-address.golden
index 69e075a3493e..e0d2566656c3 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-unix-socket-bind-address.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-destination-unix-socket-bind-address.golden
@@ -18,7 +18,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api2-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-implicit-destination-tproxy.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-implicit-destination-tproxy.golden
index 8941ab072835..2158ad93fd45 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-implicit-destination-tproxy.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/l4-single-implicit-destination-tproxy.golden
@@ -18,7 +18,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api1-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/mixed-multi-destination.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/mixed-multi-destination.golden
index c0394a25bcff..ee03beb415a6 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/mixed-multi-destination.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/mixed-multi-destination.golden
@@ -18,7 +18,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api1-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
@@ -40,7 +41,9 @@
"outboundMesh": {
"identityKey": "test-identity",
"sni": "api-2.default.dc1.internal.foo.consul",
- "validationContext": {}
+ "validationContext": {
+ "trustBundlePeerNameKey": "local"
+ }
}
}
}
@@ -74,7 +77,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api1-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
@@ -99,7 +103,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api2-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-multiple-implicit-destinations-tproxy.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-multiple-implicit-destinations-tproxy.golden
index f7f3c9ffa7ee..7260bdc283df 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-multiple-implicit-destinations-tproxy.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-multiple-implicit-destinations-tproxy.golden
@@ -18,7 +18,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
@@ -43,7 +44,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api-app2-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
@@ -68,7 +70,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
@@ -93,7 +96,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api-app2-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-tproxy.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-tproxy.golden
index 61ffc42206ea..7db01393db89 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-tproxy.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-tproxy.golden
@@ -18,7 +18,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
@@ -43,7 +44,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-with-multiple-workloads-tproxy.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-with-multiple-workloads-tproxy.golden
index 61ffc42206ea..7db01393db89 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-with-multiple-workloads-tproxy.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/destination/multiport-l4-single-implicit-destination-with-multiple-workloads-tproxy.golden
@@ -18,7 +18,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
@@ -43,7 +44,8 @@
"validationContext": {
"spiffeIds": [
"spiffe://foo.consul/ap/default/ns/default/identity/api-app-identity"
- ]
+ ],
+ "trustBundlePeerNameKey": "local"
}
}
}
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-with-specific-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-with-specific-ports.golden
index d9320a445ac8..acac9b81949f 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-with-specific-ports.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-with-specific-ports.golden
@@ -29,6 +29,9 @@
},
"listeners": [
{
+ "capabilities": [
+ "CAPABILITY_L4_TLS_INSPECTION"
+ ],
"direction": "DIRECTION_INBOUND",
"hostPort": {
"host": "10.0.0.2",
@@ -74,7 +77,8 @@
}
]
}
- ]
+ ],
+ "trafficPermissionDefaultAllow": true
},
"requiredLeafCertificates": {
"test-identity": {
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-without-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-without-ports.golden
index f9136e89d314..fea63239f276 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-without-ports.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-without-ports.golden
@@ -29,6 +29,9 @@
},
"listeners": [
{
+ "capabilities": [
+ "CAPABILITY_L4_TLS_INSPECTION"
+ ],
"direction": "DIRECTION_INBOUND",
"hostPort": {
"host": "10.0.0.1",
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-single-workload-address-without-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-single-workload-address-without-ports.golden
index f9136e89d314..fea63239f276 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-single-workload-address-without-ports.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-single-workload-address-without-ports.golden
@@ -29,6 +29,9 @@
},
"listeners": [
{
+ "capabilities": [
+ "CAPABILITY_L4_TLS_INSPECTION"
+ ],
"direction": "DIRECTION_INBOUND",
"hostPort": {
"host": "10.0.0.1",
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-with-specific-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-with-specific-ports.golden
index f7240ea25605..f84bc6dfbcc7 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-with-specific-ports.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-with-specific-ports.golden
@@ -44,6 +44,9 @@
},
"listeners": [
{
+ "capabilities": [
+ "CAPABILITY_L4_TLS_INSPECTION"
+ ],
"direction": "DIRECTION_INBOUND",
"hostPort": {
"host": "10.0.0.3",
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-without-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-without-ports.golden
index e66f1e13d352..b588d6a747ba 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-without-ports.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-without-ports.golden
@@ -44,6 +44,9 @@
},
"listeners": [
{
+ "capabilities": [
+ "CAPABILITY_L4_TLS_INSPECTION"
+ ],
"direction": "DIRECTION_INBOUND",
"hostPort": {
"host": "10.0.0.1",
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-single-workload-address-without-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-single-workload-address-without-ports.golden
index e66f1e13d352..b588d6a747ba 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-single-workload-address-without-ports.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-single-workload-address-without-ports.golden
@@ -44,6 +44,9 @@
},
"listeners": [
{
+ "capabilities": [
+ "CAPABILITY_L4_TLS_INSPECTION"
+ ],
"direction": "DIRECTION_INBOUND",
"hostPort": {
"host": "10.0.0.1",
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-workload-with-only-mesh-port.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-workload-with-only-mesh-port.golden
index da29255b87ab..f47ebba21d16 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-workload-with-only-mesh-port.golden
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-workload-with-only-mesh-port.golden
@@ -17,6 +17,9 @@
},
"listeners": [
{
+ "capabilities": [
+ "CAPABILITY_L4_TLS_INSPECTION"
+ ],
"direction": "DIRECTION_INBOUND",
"hostPort": {
"host": "10.0.0.1",
diff --git a/internal/mesh/internal/controllers/sidecarproxy/controller.go b/internal/mesh/internal/controllers/sidecarproxy/controller.go
index 416d77261066..98dab6ae75ec 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/controller.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/controller.go
@@ -35,6 +35,7 @@ func Controller(
mapper *sidecarproxymapper.Mapper,
trustDomainFetcher TrustDomainFetcher,
dc string,
+ defaultAllow bool,
) controller.Controller {
if destinationsCache == nil || proxyCfgCache == nil || computedRoutesCache == nil || identitiesCache == nil || mapper == nil || trustDomainFetcher == nil {
panic("destinations cache, proxy configuration cache, computed routes cache, identities cache, mapper, and trust domain fetcher are required")
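Review bot: The new `defaultAllow bool` parameter of `Controller` is a security-relevant switch passed as a bare positional boolean, and nothing in the hunk documents it. The call sites in this diff read `..., trustDomainFetcher, "dc1", false)` and `..., "dc1", true)`, which are easy to invert without noticing. I would add a line to the function's doc comment such as `// defaultAllow is copied into ProxyState.TrafficPermissionDefaultAllow; false keeps the proxy default-deny.`, hedged on the deny semantics, which are inferred from the field name and the tests rather than shown here. Controller's parameter list begins above the hunk and its body continues below it.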
@@ -99,6 +100,7 @@ func Controller(
identitiesCache: identitiesCache,
getTrustDomain: trustDomainFetcher,
dc: dc,
+ defaultAllow: defaultAllow,
})
}
@@ -108,6 +110,7 @@ type reconciler struct {
computedRoutesCache *sidecarproxycache.ComputedRoutesCache
identitiesCache *sidecarproxycache.IdentitiesCache
getTrustDomain TrustDomainFetcher
+ defaultAllow bool
dc string
}
@@ -194,11 +197,16 @@ func (r *reconciler) Reconcile(ctx context.Context, rt controller.Runtime, req c
ctp = trafficPermissions.Data
}
- b := builder.New(req.ID, identityRefFromWorkload(workload), trustDomain, r.dc, proxyCfg).
+ b := builder.New(req.ID, identityRefFromWorkload(workload), trustDomain, r.dc, r.defaultAllow, proxyCfg).
BuildLocalApp(workload.Data, ctp)
// Get all destinationsData.
destinationsRefs := r.destinationsCache.DestinationsBySourceProxy(req.ID)
+ if len(destinationsRefs) > 0 {
+ rt.Logger.Trace("found destinations for this proxy", "id", req.ID, "destination_refs", destinationsRefs)
+ } else {
+ rt.Logger.Trace("did not find any destinations for this proxy", "id", req.ID)
+ }
destinationsData, statuses, err := dataFetcher.FetchExplicitDestinationsData(ctx, destinationsRefs)
if err != nil {
rt.Logger.Error("error fetching explicit destinations for this proxy", "error", err)
diff --git a/internal/mesh/internal/controllers/sidecarproxy/controller_test.go b/internal/mesh/internal/controllers/sidecarproxy/controller_test.go
index 902c9f47de6b..6aab1931e873 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/controller_test.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/controller_test.go
@@ -226,7 +226,7 @@ func (suite *meshControllerTestSuite) SetupTest() {
Tenancy: suite.apiWorkloadID.Tenancy,
}
- suite.proxyStateTemplate = builder.New(suite.apiWorkloadID, identityRef, "test.consul", "dc1", nil).
+ suite.proxyStateTemplate = builder.New(suite.apiWorkloadID, identityRef, "test.consul", "dc1", false, nil).
BuildLocalApp(suite.apiWorkload, suite.computedTrafficPermissionsData).
Build()
}
@@ -357,7 +357,7 @@ func (suite *meshControllerTestSuite) TestController() {
)
trustDomainFetcher := func() (string, error) { return "test.consul", nil }
- mgr.Register(Controller(destinationsCache, proxyCfgCache, computedRoutesCache, identitiesCache, m, trustDomainFetcher, "dc1"))
+ mgr.Register(Controller(destinationsCache, proxyCfgCache, computedRoutesCache, identitiesCache, m, trustDomainFetcher, "dc1", false))
mgr.SetRaftLeader(true)
go mgr.Run(suite.ctx)
@@ -554,7 +554,10 @@ func (suite *meshControllerTestSuite) TestController() {
requireImplicitDestinationsFound(t, "db", webProxyStateTemplate)
})
- testutil.RunStep(suite.T(), "computed traffic permissions force regeneration", func(t *testing.T) {
+ testutil.RunStep(suite.T(), "traffic permissions", func(t *testing.T) {
+ dec := resourcetest.MustDecode[*pbmesh.ProxyStateTemplate](t, apiProxyStateTemplate)
+ require.False(t, dec.Data.ProxyState.TrafficPermissionDefaultAllow)
+
suite.runtime.Logger.Trace("deleting computed traffic permissions")
_, err := suite.client.Delete(suite.ctx, &pbresource.DeleteRequest{Id: suite.computedTrafficPermissions.Id})
require.NoError(t, err)
@@ -622,6 +625,37 @@ func (suite *meshControllerTestSuite) TestController() {
})
}
+func (suite *meshControllerTestSuite) TestControllerDefaultAllow() {
+ // Run the controller manager
+ mgr := controller.NewManager(suite.client, suite.runtime.Logger)
+
+ // Initialize controller dependencies.
+ var (
+ destinationsCache = sidecarproxycache.NewDestinationsCache()
+ proxyCfgCache = sidecarproxycache.NewProxyConfigurationCache()
+ computedRoutesCache = sidecarproxycache.NewComputedRoutesCache()
+ identitiesCache = sidecarproxycache.NewIdentitiesCache()
+ m = sidecarproxymapper.New(destinationsCache, proxyCfgCache, computedRoutesCache, identitiesCache)
+ )
+ trustDomainFetcher := func() (string, error) { return "test.consul", nil }
+
+ mgr.Register(Controller(destinationsCache, proxyCfgCache, computedRoutesCache, identitiesCache, m, trustDomainFetcher, "dc1", true))
+ mgr.SetRaftLeader(true)
+ go mgr.Run(suite.ctx)
+
+ var (
+ // Create proxy state template IDs to check against in this test.
+ webProxyStateTemplateID = resourcetest.Resource(types.ProxyStateTemplateType, "web-def").ID()
+ )
+
+ retry.Run(suite.T(), func(r *retry.R) {
+ suite.client.RequireResourceExists(r, webProxyStateTemplateID)
+ webProxyStateTemplate := suite.client.RequireResourceExists(r, webProxyStateTemplateID)
+ dec := resourcetest.MustDecode[*pbmesh.ProxyStateTemplate](r, webProxyStateTemplate)
+ require.True(r, dec.Data.ProxyState.TrafficPermissionDefaultAllow)
+ })
+}
+
func TestMeshController(t *testing.T) {
suite.Run(t, new(meshControllerTestSuite))
}
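Review bot: Inside the `retry.Run` closure of `TestControllerDefaultAllow`, `suite.client.RequireResourceExists(r, webProxyStateTemplateID)` is called twice in a row and the first result is thrown away; the second call alone covers it. The one-entry `var ( ... )` block could be a plain `webProxyStateTemplateID := resourcetest.Resource(types.ProxyStateTemplateType, "web-def").ID()`. The test only covers the `true` case on the `web-def` template, so a short comment saying that the `false` case is asserted in the "traffic permissions" step of `TestController` would help the next reader.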
diff --git a/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher.go b/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher.go
index 4bf5df4827b9..98d301b40287 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher.go
@@ -352,7 +352,12 @@ func (f *Fetcher) FetchImplicitDestinationsData(
if err != nil {
return nil, err
}
- endpointsMap[seRK] = se
+ // We only add the endpoint to the map if it's not nil. If it's missing on lookup now, the
+ // controller should get triggered when the endpoint exists again since it watches service
+ // endpoints.
+ if se != nil {
+ endpointsMap[seRK] = se
+ }
}
}
}
@@ -439,6 +444,12 @@ func (f *Fetcher) FetchAndMergeProxyConfigurations(ctx context.Context, id *pbre
proto.Merge(result.DynamicConfig, proxyCfg.DynamicConfig)
}
+ // Default the outbound listener port. If we don't do the nil check here, then BuildDestinations will panic creating
+ // the outbound listener.
+ if result.DynamicConfig.TransparentProxy == nil {
+ result.DynamicConfig.TransparentProxy = &pbmesh.TransparentProxy{OutboundListenerPort: 15001}
+ }
+
return result, nil
}
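Review bot: The default is applied only when `TransparentProxy` is nil, so a merged configuration that sets the message but leaves `OutboundListenerPort` at zero still reaches the builder with port 0, which is presumably not a usable listener port. An extra branch covers it: `else if result.DynamicConfig.TransparentProxy.OutboundListenerPort == 0 { result.DynamicConfig.TransparentProxy.OutboundListenerPort = 15001 }`. The literal `15001` also appears in the expectation in data_fetcher_test.go; a named package constant would keep the two in step. FetchAndMergeProxyConfigurations starts above the hunk.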
diff --git a/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher_test.go b/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher_test.go
index fb73b93c2a3a..4e3835db1542 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher_test.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher_test.go
@@ -1029,6 +1029,9 @@ func (suite *dataFetcherSuite) TestFetcher_FetchAndMergeProxyConfigurations() {
DynamicConfig: &pbmesh.DynamicConfig{
Mode: pbmesh.ProxyMode_PROXY_MODE_TRANSPARENT,
MutualTlsMode: pbmesh.MutualTLSMode_MUTUAL_TLS_MODE_DEFAULT,
+ TransparentProxy: &pbmesh.TransparentProxy{
+ OutboundListenerPort: 15001,
+ },
},
}
diff --git a/internal/mesh/internal/mappers/sidecarproxymapper/mapper.go b/internal/mesh/internal/mappers/sidecarproxymapper/mapper.go
index 23b762ff59cd..7de9c8f55aa2 100644
--- a/internal/mesh/internal/mappers/sidecarproxymapper/mapper.go
+++ b/internal/mesh/internal/mappers/sidecarproxymapper/mapper.go
@@ -5,6 +5,7 @@ package sidecarproxymapper
import (
"context"
+ "fmt"
"github.com/hashicorp/consul/internal/catalog"
"github.com/hashicorp/consul/internal/controller"
@@ -54,6 +55,9 @@ func mapSelectorToProxyStateTemplates(ctx context.Context,
if err != nil {
return nil, err
}
+ if len(resp.Resources) == 0 {
+ return nil, fmt.Errorf("no workloads found")
+ }
for _, r := range resp.Resources {
id := resource.ReplaceType(types.ProxyStateTemplateType, r.Id)
result = append(result, controller.Request{
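Review bot: The added `len(resp.Resources) == 0` check turns an empty selector match into an error whose text, `no workloads found`, carries no hint of which selector or tenancy was involved. A selector that legitimately matches nothing would presumably fail on every invocation, so the reason for treating it as an error should be stated. If the intent is to have the event retried, I would add `// Returned as an error so the event is retried; an empty request list would drop it silently.` and include the selector or tenancy in the message. mapSelectorToProxyStateTemplates begins and ends outside the hunk, so the variables available for that message are not visible here.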
diff --git a/internal/resource/authz.go b/internal/resource/authz.go
new file mode 100644
index 000000000000..77a5d7850f9a
--- /dev/null
+++ b/internal/resource/authz.go
@@ -0,0 +1,20 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package resource
+
+func peerNameV2ToV1(peer string) string {
+ // The name of the local/default peer is different between v1 and v2.
+ if peer == "local" {
+ return ""
+ }
+ return peer
+}
+
+func peerNameV1ToV2(peer string) string {
+ // The name of the local/default peer is different between v1 and v2.
+ if peer == "" {
+ return "local"
+ }
+ return peer
+}
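Review bot: Both helpers hard-code the string `"local"` and have no doc comment, although the mapping decides which peer an ACL check is evaluated against (`AuthorizerContext` in authz_ce.go calls `peerNameV2ToV1`). I would name the value once, e.g. `const localPeerName = "local"` (name constructed here; reuse the package's own constant if one exists), and document each function, e.g. `// peerNameV2ToV1 converts a v2 peer name to its v1 form: the v2 local peer "local" becomes "", any other name is returned unchanged.` The comparison is exact, so a differently cased value would be passed through as a remote peer name; whether tenancy values are normalised before this point is not visible. `peerNameV1ToV2` has no caller in the visible part of the diff.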
diff --git a/internal/resource/authz_ce.go b/internal/resource/authz_ce.go
index 4d68ccd6b98a..f970eb35d7fd 100644
--- a/internal/resource/authz_ce.go
+++ b/internal/resource/authz_ce.go
@@ -13,5 +13,7 @@ import (
// AuthorizerContext builds an ACL AuthorizerContext for the given tenancy.
func AuthorizerContext(t *pbresource.Tenancy) *acl.AuthorizerContext {
- return &acl.AuthorizerContext{Peer: t.PeerName}
+ return &acl.AuthorizerContext{
+ Peer: peerNameV2ToV1(t.PeerName),
+ }
}
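Review bot: `t.PeerName` is read directly, so a nil `*pbresource.Tenancy` panics inside an authorization helper. Generated protobuf getters are nil-safe, so `Peer: peerNameV2ToV1(t.GetPeerName()),` behaves the same for non-nil input; for nil it yields the empty v1 peer, which should be a deliberate choice rather than an accident. Whether any caller can pass nil is not visible from this hunk. The doc comment could also state that only the peer is carried over and that `"local"` is translated to the empty string.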
diff --git a/internal/resource/authz_ce_test.go b/internal/resource/authz_ce_test.go
new file mode 100644
index 000000000000..1487d9f9743b
--- /dev/null
+++ b/internal/resource/authz_ce_test.go
@@ -0,0 +1,52 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !consulent
+// +build !consulent
+
+package resource
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/require"
+
+ "github.com/hashicorp/consul/acl"
+ "github.com/hashicorp/consul/proto-public/pbresource"
+)
+
+func TestAuthorizerContext_CE(t *testing.T) {
+ t.Run("no peer", func(t *testing.T) {
+ require.Equal(t,
+ &acl.AuthorizerContext{},
+ AuthorizerContext(&pbresource.Tenancy{
+ Partition: "foo",
+ Namespace: "bar",
+ }),
+ )
+ })
+
+ t.Run("with local peer", func(t *testing.T) {
+ require.Equal(t,
+ &acl.AuthorizerContext{},
+ AuthorizerContext(&pbresource.Tenancy{
+ Partition: "foo",
+ Namespace: "bar",
+ PeerName: "local",
+ }),
+ )
+ })
+
+ t.Run("with non-local peer", func(t *testing.T) {
+ require.Equal(t,
+ &acl.AuthorizerContext{
+ Peer: "remote",
+ },
+ AuthorizerContext(&pbresource.Tenancy{
+ Partition: "foo",
+ Namespace: "bar",
+ PeerName: "remote",
+ }),
+ )
+ })
+}
diff --git a/internal/resource/resourcetest/decode.go b/internal/resource/resourcetest/decode.go
index d68fff865517..109ad39ceb75 100644
--- a/internal/resource/resourcetest/decode.go
+++ b/internal/resource/resourcetest/decode.go
@@ -4,8 +4,6 @@
package resourcetest
import (
- "testing"
-
"github.com/stretchr/testify/require"
"google.golang.org/protobuf/proto"
@@ -13,8 +11,8 @@ import (
"github.com/hashicorp/consul/proto-public/pbresource"
)
-func MustDecode[T proto.Message](t *testing.T, res *pbresource.Resource) *resource.DecodedResource[T] {
- dec, err := resource.Decode[T](res)
+func MustDecode[Tp proto.Message](t T, res *pbresource.Resource) *resource.DecodedResource[Tp] {
+ dec, err := resource.Decode[Tp](res)
require.NoError(t, err)
return dec
}
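Review bot: `MustDecode` is exported without a doc comment, and after this change its signature mixes `T` (a type declared elsewhere in the package, not in this hunk) with the type parameter `Tp`, which is easy to misread. I would add `// MustDecode decodes res into a DecodedResource[Tp] and fails the test through t if decoding returns an error.` If `T` provides `Helper()`, calling `t.Helper()` on the first line would make failures point at the caller instead of this helper.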
diff --git a/test-integ/go.mod b/test-integ/go.mod
index 9557119b876b..eac8a8ef12a5 100644
--- a/test-integ/go.mod
+++ b/test-integ/go.mod
@@ -26,7 +26,7 @@ require (
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
github.com/DataDog/datadog-go v4.8.2+incompatible // indirect
github.com/Microsoft/go-winio v0.6.1 // indirect
- github.com/agext/levenshtein v1.2.1 // indirect
+ github.com/agext/levenshtein v1.2.3 // indirect
github.com/aliyun/alibaba-cloud-sdk-go v1.62.156 // indirect
github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e // indirect
@@ -149,7 +149,7 @@ require (
github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/go-testing-interface v1.14.0 // indirect
- github.com/mitchellh/go-wordwrap v1.0.0 // indirect
+ github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/mitchellh/hashstructure v0.0.0-20170609045927-2bca23e0e452 // indirect
github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
@@ -171,7 +171,7 @@ require (
github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
github.com/otiai10/copy v1.10.0 // indirect
github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
- github.com/pierrec/lz4 v2.5.2+incompatible // indirect
+ github.com/pierrec/lz4 v2.6.1+incompatible // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
diff --git a/test-integ/go.sum b/test-integ/go.sum
index 0cc1e0467df1..e5edc4188f32 100644
--- a/test-integ/go.sum
+++ b/test-integ/go.sum
@@ -77,8 +77,8 @@ github.com/Microsoft/hcsshim v0.10.0-rc.8 h1:YSZVvlIIDD1UxQpJp0h+dnpLUw+TrY0cx8o
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/agext/levenshtein v1.2.1 h1:QmvMAjj2aEICytGiWzmxoE0x2KZvE0fvmqMOfy2tjT8=
-github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
+github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
+github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -609,8 +609,9 @@ github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.
github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
github.com/mitchellh/go-testing-interface v1.14.0 h1:/x0XQ6h+3U3nAyk1yx+bHPURrKa9sVVvYbuqZ7pIAtI=
github.com/mitchellh/go-testing-interface v1.14.0/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8=
-github.com/mitchellh/go-wordwrap v1.0.0 h1:6GlHJ/LTGMrIJbwgdqdl2eEH8o+Exx/0m8ir9Gns0u4=
github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
+github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
+github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
github.com/mitchellh/hashstructure v0.0.0-20170609045927-2bca23e0e452 h1:hOY53G+kBFhbYFpRVxHl5eS7laP6B1+Cq+Z9Dry1iMU=
github.com/mitchellh/hashstructure v0.0.0-20170609045927-2bca23e0e452/go.mod h1:QjSHrPWS+BGUVBYkbTZWEnOh3G1DutKwClXU/ABz6AQ=
github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
@@ -673,8 +674,9 @@ github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaR
github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
github.com/pborman/getopt v0.0.0-20170112200414-7148bc3a4c30/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=
-github.com/pierrec/lz4 v2.5.2+incompatible h1:WCjObylUIOlKy/+7Abdn34TLIkXiA4UWUMhxq9m9ZXI=
github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
+github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM=
+github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
diff --git a/test-integ/peering_commontopo/ac7_2_rotate_leader_test.go b/test-integ/peering_commontopo/ac7_2_rotate_leader_test.go
index b1ba326741c9..a5684ebbc024 100644
--- a/test-integ/peering_commontopo/ac7_2_rotate_leader_test.go
+++ b/test-integ/peering_commontopo/ac7_2_rotate_leader_test.go
@@ -196,7 +196,7 @@ func (s *ac7_2RotateLeaderSuite) test(t *testing.T, ct *commonTopo) {
func rotateLeader(t *testing.T, cl *api.Client) {
t.Helper()
oldLeader := findLeader(t, cl)
- _, err := cl.Operator().RaftLeaderTransfer(nil)
+ _, err := cl.Operator().RaftLeaderTransfer("", nil)
require.NoError(t, err)
retry.RunWith(&retry.Timer{Timeout: 30 * time.Second, Wait: time.Second}, t, func(r *retry.R) {
newLeader := findLeader(r, cl)
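Review bot: The new first argument `""` on the `RaftLeaderTransfer` call in `rotateLeader` is passed without explanation, so a reader cannot tell whether an empty value is deliberate. It is presumably the target server ID, with empty meaning "no specific target"; confirm that against the API and add a comment above the call, such as `// "" = no explicit target server; any eligible server may become leader`. The body of `rotateLeader` continues past the end of this hunk.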
diff --git a/test/integration/consul-container/go.mod b/test/integration/consul-container/go.mod
index db5fcca4ae2d..4bdd39740f7d 100644
--- a/test/integration/consul-container/go.mod
+++ b/test/integration/consul-container/go.mod
@@ -171,7 +171,7 @@ require (
github.com/opencontainers/runc v1.1.8 // indirect
github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
- github.com/pierrec/lz4 v2.5.2+incompatible // indirect
+ github.com/pierrec/lz4 v2.6.1+incompatible // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
github.com/prometheus/client_golang v1.14.0 // indirect
diff --git a/test/integration/consul-container/go.sum b/test/integration/consul-container/go.sum
index 2d86e3ef9c35..2c338754432f 100644
--- a/test/integration/consul-container/go.sum
+++ b/test/integration/consul-container/go.sum
@@ -665,8 +665,9 @@ github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaR
github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
github.com/pborman/getopt v0.0.0-20170112200414-7148bc3a4c30/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=
-github.com/pierrec/lz4 v2.5.2+incompatible h1:WCjObylUIOlKy/+7Abdn34TLIkXiA4UWUMhxq9m9ZXI=
github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
+github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM=
+github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
diff --git a/test/integration/consul-container/test/envoy_extensions/otel_access_logging_test.go b/test/integration/consul-container/test/envoy_extensions/otel_access_logging_test.go
new file mode 100644
index 000000000000..87bb7b4d6165
--- /dev/null
+++ b/test/integration/consul-container/test/envoy_extensions/otel_access_logging_test.go
@@ -0,0 +1,133 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package envoyextensions
+
+import (
+ "context"
+ "fmt"
+ "io"
+ "net/http"
+ "os"
+ "testing"
+ "time"
+
+ "github.com/stretchr/testify/require"
+ "github.com/testcontainers/testcontainers-go"
+
+ "github.com/hashicorp/consul/api"
+ "github.com/hashicorp/consul/sdk/testutil/retry"
+ libassert "github.com/hashicorp/consul/test/integration/consul-container/libs/assert"
+ libcluster "github.com/hashicorp/consul/test/integration/consul-container/libs/cluster"
+ "github.com/hashicorp/consul/test/integration/consul-container/libs/topology"
+)
+
+// TestOTELAccessLogging Summary
+// This verifies that the OpenTelemetry access logging Envoy extension works as expected.
+// A simulated client (a direct HTTP call) talks to its upstream proxy through the mesh.
+// The upstream (static-server) is configured with a `builtin/otel-access-logging` extension that
+// sends Envoy access logs to an OpenTelemetry collector for incoming HTTP requests.
+// The OpenTelemetry collector is deployed as a container named `otel-collector` on the local network,
+// and configured to write Envoy access logs to its stdout log stream.
+//
+// Steps:
+// - Create a single agent cluster.
+// - Create the example static-server and sidecar containers, then register them both with Consul
+// - Create an example static-client sidecar, then register both the service and sidecar with Consul
+// - Create an OpenTelemetry collector container on the local network, this doesn't need to be registered with Consul.
+// - Configure the static-server service with a `builtin/otel-access-logging` EnvoyExtension targeting the
+// otel-collector service.
+// - Make sure a call to the client sidecar local bind port results in Envoy access logs being sent to the
+// otel-collector.
+func TestOTELAccessLogging(t *testing.T) {
+ t.Parallel()
+
+ cluster, _, _ := topology.NewCluster(t, &topology.ClusterConfig{
+ NumServers: 1,
+ NumClients: 1,
+ ApplyDefaultProxySettings: true,
+ BuildOpts: &libcluster.BuildOptions{
+ Datacenter: "dc1",
+ InjectAutoEncryption: true,
+ InjectGossipEncryption: true,
+ },
+ })
+
+ launchInfo := createLocalOTELService(t, cluster)
+
+ clientService := createServices(t, cluster)
+ _, port := clientService.GetAddr()
+ _, adminPort := clientService.GetAdminAddr()
+
+ libassert.AssertUpstreamEndpointStatus(t, adminPort, "static-server.default", "HEALTHY", 1)
+ libassert.GetEnvoyListenerTCPFilters(t, adminPort)
+
+ libassert.AssertContainerState(t, clientService, "running")
+ libassert.AssertFortioName(t, fmt.Sprintf("http://localhost:%d", port), "static-server", "")
+
+ // Apply the OpenTelemetry Access Logging Envoy extension to the static-server
+ consul := cluster.APIClient(0)
+ defaults := api.ServiceConfigEntry{
+ Kind: api.ServiceDefaults,
+ Name: "static-server",
+ Protocol: "http",
+ EnvoyExtensions: []api.EnvoyExtension{{
+ Name: "builtin/otel-access-logging",
+ Arguments: map[string]any{
+ "Config": map[string]any{
+ "LogName": "otel-integration-test",
+ "GrpcService": map[string]any{
+ "Target": map[string]any{"URI": "127.0.0.1:4317"},
+ },
+ },
+ },
+ }},
+ }
+ consul.ConfigEntries().Set(&defaults, nil)
+
+ // Make requests from the static-client to the static-server and look for the access logs
+ // to show up in the `otel-collector` container logs.
+ retry.RunWith(&retry.Timer{Timeout: 60 * time.Second, Wait: time.Second}, t, func(r *retry.R) {
+ doRequest(t, fmt.Sprintf("http://localhost:%d", port), http.StatusOK)
+ reader, err := launchInfo.Container.Logs(context.Background())
+ require.NoError(r, err)
+ log, err := io.ReadAll(reader)
+ require.NoError(r, err)
+ require.Contains(r, string(log), `log_name: Str(otel-integration-test)`)
+ require.Contains(r, string(log), `cluster_name: Str(static-server)`)
+ require.Contains(r, string(log), `node_name: Str(static-server-sidecar-proxy)`)
+ })
+}
+
+func createLocalOTELService(t *testing.T, cluster *libcluster.Cluster) *libcluster.LaunchInfo {
+ node := cluster.Agents[0]
+
+ cwd, err := os.Getwd()
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ req := testcontainers.ContainerRequest{
+ Image: "otel/opentelemetry-collector@sha256:7df7482ca6f2f3523cd389ac62c2851a652c67ac3b25fc67cd9248966aa706c1",
+ AutoRemove: true,
+ Name: "otel-collector",
+ Env: make(map[string]string),
+ Cmd: []string{"--config", "/testdata/otel/config.yaml"},
+ Mounts: []testcontainers.ContainerMount{{
+ Source: testcontainers.DockerBindMountSource{
+ HostPath: fmt.Sprintf("%s/testdata", cwd),
+ },
+ Target: "/testdata",
+ ReadOnly: true,
+ }},
+ }
+
+ ctx := context.Background()
+
+ exposedPorts := []string{}
+ li, err := libcluster.LaunchContainerOnNode(ctx, node, req, exposedPorts)
+ if err != nil {
+ t.Fatal(err)
+ }
+ return li
+}
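Review bot: The result of `consul.ConfigEntries().Set(&defaults, nil)` in `TestOTELAccessLogging` is discarded, so a rejected or failed config-entry write only shows up as a 60-second retry timeout on the log assertions instead of the real error. Capture it with `_, _, err := consul.ConfigEntries().Set(&defaults, nil)` followed by `require.NoError(t, err)`. Inside the retry closure, the reader returned by `launchInfo.Container.Logs` is never closed, so each attempt leaves a log stream open; add `defer reader.Close()` after its error check. `doRequest` is also called with `t` rather than `r` in that closure, which would fail the test on the first bad response instead of retrying if it asserts on the status code; its definition is outside this hunk, so this needs confirming. In `createLocalOTELService`, `filepath.Join(cwd, "testdata")` would be the more portable way to build the bind-mount path, and a `t.Helper()` call would attribute failures to the caller.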
diff --git a/test/integration/consul-container/test/envoy_extensions/testdata/otel/config.yaml b/test/integration/consul-container/test/envoy_extensions/testdata/otel/config.yaml
new file mode 100644
index 000000000000..ae2ba85f4fe7
--- /dev/null
+++ b/test/integration/consul-container/test/envoy_extensions/testdata/otel/config.yaml
@@ -0,0 +1,30 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+receivers:
+ otlp:
+ protocols:
+ grpc:
+ http:
+
+processors:
+ batch:
+
+exporters:
+ logging:
+ verbosity: Detailed
+
+service:
+ pipelines:
+ traces:
+ receivers: [otlp]
+ processors: [batch]
+ exporters: [logging]
+ metrics:
+ receivers: [otlp]
+ processors: [batch]
+ exporters: [logging]
+ logs:
+ receivers: [otlp]
+ processors: [batch]
+ exporters: [logging]
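Review bot: This collector config enables more than the test uses: the `http` protocol under `receivers.otlp` and the `traces` and `metrics` pipelines are never exercised, since the test only asserts on access logs sent over gRPC to `127.0.0.1:4317`. Neither protocol sets an `endpoint`, so the listen address is whatever the pinned collector image defaults to. If the collector shares the agent's network namespace, as the loopback target in the test suggests, an explicit `endpoint: 127.0.0.1:4317` under `grpc:` would keep the listener off the container network. A short header comment stating that the file is test-only and that `verbosity: Detailed` writes full payloads to stdout would help anyone tempted to reuse it elsewhere.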
diff --git a/website/content/api-docs/acl/binding-rules.mdx b/website/content/api-docs/acl/binding-rules.mdx
index 043086f58a2a..10be5f9d201a 100644
--- a/website/content/api-docs/acl/binding-rules.mdx
+++ b/website/content/api-docs/acl/binding-rules.mdx
@@ -62,38 +62,63 @@ The corresponding CLI command is [`consul acl binding-rule create`](/consul/comm
- `BindType=service` - The computed bind name value is used as an
`ACLServiceIdentity.ServiceName` field in the token that is created.
+
+
```json
- { ...other fields...
- "ServiceIdentities": [
- { "ServiceName": "" }
- ]
+ {
+ "AccessorID": "",
+ "SecretID": "",
+ "ServiceIdentities": [
+ {
+ "ServiceName": ""
+ }
+ ]
}
```
+
+
- `BindType=node` - The computed bind name value is used as an
`ACLNodeIdentity.NodeName` field in the token that is created.
+
+
```json
- { ...other fields...
- "NodeIdentities": [
- { "NodeName": "", "Datacenter": "" }
- ]
+ {
+ "AccessorID": "",
+ "SecretID": "",
+ "NodeIdentities": [
+ {
+ "NodeName": "",
+ "Datacenter": ""
+ }
+ ]
}
```
+
+
- `BindType=role` - The computed bind name value is used as a `RoleLink.Name`
field in the token that is created. This binding rule will only apply if a
role with the given name exists at login-time. If it does not then this
rule is ignored.
+
+
```json
- { ...other fields...
- "Roles": [
- { "Name": "" }
- ]
+ {
+ "AccessorID": "",
+ "SecretID": "",
+ "Roles": [
+ {
+ "Name": ""
+ }
+ ]
}
```
+
+
- `BindName` `(string: )` - The name to bind to a token at
login-time. What it binds to can be adjusted with different values of the
`BindType` field. This can either be a plain string or lightly templated
@@ -250,38 +275,63 @@ The corresponding CLI command is [`consul acl binding-rule update`](/consul/comm
- `BindType=service` - The computed bind name value is used as an
`ACLServiceIdentity.ServiceName` field in the token that is created.
+
+
```json
- { ...other fields...
- "ServiceIdentities": [
- { "ServiceName": "" }
- ]
+ {
+ "AccessorID": "",
+ "SecretID": "",
+ "ServiceIdentities": [
+ {
+ "ServiceName": ""
+ }
+ ]
}
```
+
+
- `BindType=node` - The computed bind name value is used as an
`ACLNodeIdentity.NodeName` field in the token that is created.
+
+
```json
- { ...other fields...
- "NodeIdentities": [
- { "NodeName": "", "Datacenter": "" }
- ]
+ {
+ "AccessorID": "",
+ "SecretID": "",
+ "NodeIdentities": [
+ {
+ "NodeName": "",
+ "Datacenter": ""
+ }
+ ]
}
```
+
+
- `BindType=role` - The computed bind name value is used as a `RoleLink.Name`
field in the token that is created. This binding rule will only apply if a
role with the given name exists at login-time. If it does not then this
rule is ignored.
+
+
```json
- { ...other fields...
- "Roles": [
- { "Name": "" }
- ]
+ {
+ "AccessorID": "",
+ "SecretID": "",
+ "Roles": [
+ {
+ "Name": ""
+ }
+ ]
}
```
+
+
- `BindName` `(string: )` - The name to bind to a token at
login-time. What it binds to can be adjusted with different values of the
`BindType` field. This can either be a plain string or lightly templated
diff --git a/website/content/commands/debug.mdx b/website/content/commands/debug.mdx
index 0473c32cc8cf..6aa04dfe842b 100644
--- a/website/content/commands/debug.mdx
+++ b/website/content/commands/debug.mdx
@@ -2,7 +2,7 @@
layout: commands
page_title: 'Commands: Debug'
description: >-
- The `consul debug` command monitors an agent to capture a record its actions according to defined durations and intervals.
+ The `consul debug` command monitors an agent to capture a record its actions according to defined durations and intervals.
---
# Consul Debug
@@ -121,3 +121,11 @@ and `-duration` flags.
$ consul debug -interval=15s -duration=1m
...
```
+
+To capture information since a particular time in past `-since` flag
+can be used.
+
+```shell-sesion
+$ consul debug -since 1h
+...
+```
diff --git a/website/content/docs/connect/config-entries/control-plane-request-limit.mdx b/website/content/docs/connect/config-entries/control-plane-request-limit.mdx
index 8eb00d66d112..c89e87832dbd 100644
--- a/website/content/docs/connect/config-entries/control-plane-request-limit.mdx
+++ b/website/content/docs/connect/config-entries/control-plane-request-limit.mdx
@@ -41,30 +41,34 @@ When every field is defined, a control plane request limit configuration entry h
```hcl
kind = "control-plane-request-limit"
-mode = "permissive"
name = ""
+
+mode = "permissive"
+
read_rate = 100
write_rate = 100
+
kv = {
read_rate = 100
write_rate = 100
- }
+}
+
acl = {
read_rate = 100
write_rate = 100
-mode = "permissive"
- }
+}
+
catalog = {
read_rate = 100
write_rate = 100
- }
+}
```
```json
{
"kind": "control-plane-request-limit",
- "mode": "permissive",
"name": "",
+ "mode": "permissive",
"read_rate": 100,
"write_rate": 100,
"kv": {
@@ -75,7 +79,7 @@ catalog = {
"read_rate": 100,
"write_rate": 100
},
- "catalog: {
+ "catalog": {
"read_rate": 100,
"write_rate": 100
}
@@ -83,20 +87,25 @@ catalog = {
```
```yaml
-kind: control-plane-request-limit
-mode: permissive
-name:
-read_rate: 100
-write_rate: 100
-kv:
- read_rate: 100
- write_rate: 100
-acl:
- read_rate: 100
- write_rate: 100
-catalog:
- read_rate: 100
- write_rate: 100
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ControlPlaneRequestLimit
+metadata:
+ name:
+spec:
+ mode: permissive
+ # the maximum number of read requests per second that the agent allows.
+ readRate: 100
+ # the maximum number of write requests per second that the agent allows.
+ writeRate: 100
+ kv:
+ readRate: 100
+ writeRate: 100
+ acl:
+ readRate: 100
+ writeRate: 100
+ catalog:
+ readRate: 100
+ writeRate: 100
```
diff --git a/website/content/docs/connect/config-entries/jwt-provider.mdx b/website/content/docs/connect/config-entries/jwt-provider.mdx
index 9ab8214cce6f..9ea7ce40ba01 100644
--- a/website/content/docs/connect/config-entries/jwt-provider.mdx
+++ b/website/content/docs/connect/config-entries/jwt-provider.mdx
@@ -132,74 +132,74 @@ Kind = "jwt-provider" # required
Name = "" # required
Issuer = "" # required
JSONWebKeySet = { # required
- Local = { # cannot specify with JWKS{}.Remote
- JWKS = "" # cannot specify with JWKS{}.Local{}.Filename
- Filename = "" # cannot specify with JWKS{}.Local{}.String
- }
+ Local = { # cannot specify with JWKS{}.Remote
+ JWKS = "" # cannot specify with JWKS{}.Local{}.Filename
+ Filename = "" # cannot specify with JWKS{}.Local{}.String
+ }
}
JSONWebKeySet = {
- Remote = { # cannot specify with JWKS{}.Local
- URI = ""
- RequestTimeoutMs = 1500
- CacheDuration = "5m"
- FetchAsynchronously = false
- RetryPolicy = {
- NumRetries = 0
- RetryPolicyBackoff = {
- BaseInterval = "1s"
- MaxInterval = "10s"
- }
- }
- JWKSCluster = {
- DiscoveryType = "STATIC"
- ConnectTimeout = "10s"
- # specify only one child: TrustedCA or CaCertificateProviderInstance
- TLSCertificates = {
- # specify only one child: Filename, EnvironmentVariable, InlineString or InlineBytes
- TrustedCA = {
- Filename = ""
- EnvironmentVariable = ""
- InlineString = ""
- InlineBytes = "\302\000\302\302\302\302"
- }
- }
- TLSCertificates = {
- CaCertificateProviderInstance = {
- InstanceName = ""
- CertificateName = ""
- }
- }
- }
+ Remote = { # cannot specify with JWKS{}.Local
+ URI = ""
+ RequestTimeoutMs = 1500
+ CacheDuration = "5m"
+ FetchAsynchronously = false
+ RetryPolicy = {
+ NumRetries = 0
+ RetryPolicyBackoff = {
+ BaseInterval = "1s"
+ MaxInterval = "10s"
+ }
+ }
+ JWKSCluster = {
+ DiscoveryType = "STATIC"
+ ConnectTimeout = "10s"
+ # specify only one child: TrustedCA or CaCertificateProviderInstance
+ TLSCertificates = {
+ # specify only one child: Filename, EnvironmentVariable, InlineString or InlineBytes
+ TrustedCA = {
+ Filename = ""
+ EnvironmentVariable = ""
+ InlineString = ""
+ InlineBytes = "\302\000\302\302\302\302"
}
}
+ TLSCertificates = {
+ CaCertificateProviderInstance = {
+ InstanceName = ""
+ CertificateName = ""
+ }
+ }
+ }
+ }
+}
Audiences = [""]
Locations = [
- {
- Header = {
- Name = ""
- ValuePrefix = ""
- Forward = false
- }
- },
- {
- QueryParam = {
- Name = ""
- }
- },
- {
- Cookie = {
- Name = ""
- }
+ {
+ Header = {
+ Name = ""
+ ValuePrefix = ""
+ Forward = false
+ }
+ },
+ {
+ QueryParam = {
+ Name = ""
}
+ },
+ {
+ Cookie = {
+ Name = ""
+ }
+ }
]
Forwarding = {
- HeaderName = ""
- PadForwardPayloadHeader = false
+ HeaderName = ""
+ PadForwardPayloadHeader = false
}
ClockSkewSeconds = 30
CacheConfig = {
- Size = 0
+ Size = 0
}
```
@@ -209,77 +209,78 @@ CacheConfig = {
```json
{
-"Kind": "jwt-provider", // required
-"Name": "", // required
-"Issuer": "", // required
-"JSONWebKeySet": { // required
+ "Kind": "jwt-provider", // required
+ "Name": "", // required
+ "Issuer": "", // required
+ "JSONWebKeySet": { // required
"Local": { // cannot specify with JWKS.Remote
- "JWKS": "", // cannot specify with JWKS.Local.Filename
- "Filename": "" // cannot specify with JWKS.Local.String
+ "JWKS": "", // cannot specify with JWKS.Local.Filename
+ "Filename": "" // cannot specify with JWKS.Local.String
}
-},
-"JSONWebKeySet": {
- "Remote": { // cannot specify with JWKS.Local
- "URI": "",
- "RequestTimeoutMs": "1500",
- "CacheDuration": "5m",
- "FetchAsynchronously": "false",
- "RetryPolicy": {
- "NumRetries": "0",
- "RetryPolicyBackOff": {
- "BaseInterval": "1s",
- "MaxInterval": "10s"
- }
+ },
+ "JSONWebKeySet": {
+ "Remote": { // cannot specify with JWKS.Local
+ "URI": "",
+ "RequestTimeoutMs": "1500",
+ "CacheDuration": "5m",
+ "FetchAsynchronously": "false",
+ "RetryPolicy": {
+ "NumRetries": "0",
+ "RetryPolicyBackOff": {
+ "BaseInterval": "1s",
+ "MaxInterval": "10s"
+ }
+ },
+ "JWKSCluster": {
+ "DiscoveryType": "STATIC",
+ "ConnectTimeout": "10s",
+ // specify only one child: TrustedCA or CaCertificateProviderInstance
+ "TLSCertificates": {
+ // specify only one child: Filename, EnvironmentVariable, InlineString or InlineBytes
+ "TrustedCA": {
+ "Filename": "",
+ "EnvironmentVariable": "",
+ "InlineString": "",
+ "InlineBytes": "\302\000\302\302\302\302"
},
- "JWKSCluster": {
- "DiscoveryType": "STATIC",
- "ConnectTimeout": "10s",
- // specify only one child: TrustedCA or CaCertificateProviderInstance
- "TLSCertificates": {
- // specify only one child: Filename, EnvironmentVariable, InlineString or InlineBytes
- "TrustedCA": {
- "Filename": "",
- "EnvironmentVariable": "",
- "InlineString": "",
- "InlineBytes": "\302\000\302\302\302\302"
- },
- "TLSCertificates": {
- "CaCertificateProviderInstance": {
- "InstanceName": "",
- "CertificateName": ""
- }
- }
+ },
+ "TLSCertificates": {
+ "CaCertificateProviderInstance": {
+ "InstanceName": "",
+ "CertificateName": ""
}
}
-},
-"Audiences": [""],
-"Locations": [
+ }
+ }
+ },
+ "Audiences": [""],
+ "Locations": [
{
- "Header": {
- "Name": "",
- "ValuePrefix": "",
- "Forward": "false"
- }
+ "Header": {
+ "Name": "",
+ "ValuePrefix": "",
+ "Forward": "false"
+ }
},
{
- "QueryParam": {
- "Name":"",
- }
+ "QueryParam": {
+ "Name":"",
+ }
},
{
- "Cookie": {
- "Name": ""
- }
+ "Cookie": {
+ "Name": ""
+ }
}
-],
-"Forwarding": {
+ ],
+ "Forwarding": {
"HeaderName": "",
"PadForwardPayloadHeader": "false"
-},
-"ClockSkewSeconds": "30",
-"CacheConfig": {
+ },
+ "ClockSkewSeconds": "30",
+ "CacheConfig": {
"Size": "0"
-}
+ }
}
```
@@ -1280,12 +1281,12 @@ Forwarding = {
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
-kind: jwtProvider
+kind: JWTProvider
metadata:
name: okta
spec:
issuer: okta
- jsonwebkeyset:
+ jsonWebKeySet:
remote:
uri: https://.okta.com/oauth2/default/v1/keys
cacheDuration: 30m
diff --git a/website/content/docs/connect/gateways/mesh-gateway/index.mdx b/website/content/docs/connect/gateways/mesh-gateway/index.mdx
index 17821edf531f..120db3390107 100644
--- a/website/content/docs/connect/gateways/mesh-gateway/index.mdx
+++ b/website/content/docs/connect/gateways/mesh-gateway/index.mdx
@@ -15,13 +15,13 @@ Datacenters can reside in different clouds or runtime environments where general
Mesh gateways can be used with any of the following Consul configurations for managing separate datacenters or partitions.
1. WAN Federation
- * [Mesh gateways can be used to route service-to-service traffic between datacenters](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters)
- * [Mesh gateways can be used to route all WAN traffic, including from Consul servers](/consul/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways)
+ * [Mesh gateways can be used to route service-to-service traffic between datacenters](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters)
+ * [Mesh gateways can be used to route all WAN traffic, including from Consul servers](/consul/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways)
2. Cluster Peering
- * [Mesh gateways can be used to route service-to-service traffic between datacenters](/consul/docs/connect/cluster-peering/usage/establish-cluster-peering)
- * [Mesh gateways can be used to route control-plane traffic from Consul servers](/consul/docs/connect/gateways/mesh-gateway/peering-via-mesh-gateways)
+ * [Mesh gateways can be used to route service-to-service traffic between datacenters](/consul/docs/connect/cluster-peering/usage/establish-cluster-peering)
+ * [Mesh gateways can be used to route control-plane traffic from Consul servers](/consul/docs/connect/gateways/mesh-gateway/peering-via-mesh-gateways)
3. Admin Partitions
- * [Mesh gateways can be used to route service-to-service traffic between admin partitions in the same Consul datacenter](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions)
+ * [Mesh gateways can be used to route service-to-service traffic between admin partitions in the same Consul datacenter](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions)
### Consul
@@ -84,22 +84,36 @@ Use the following example configurations to help you understand some of the comm
The following `proxy-defaults` configuration will enable gateways for all mesh services in the `local` mode.
-
+
```hcl
Kind = "proxy-defaults"
Name = "global"
MeshGateway {
- Mode = "local"
+ Mode = "local"
}
```
```yaml
-Kind: proxy-defaults
-MeshGateway:
-- Mode: local
-Name: global
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ProxyDefaults
+metadata:
+ name: global
+spec:
+ meshGateway:
+ mode: local
```
+
+```json
+{
+ "Kind": "proxy-defaults",
+ "Name": "global",
+ "MeshGateway": {
+ "Mode": "local"
+ }
+}
+```
+
### Enabling Gateways Per Service
@@ -112,15 +126,28 @@ The following `service-defaults` configuration will enable gateways for all mesh
Kind = "service-defaults"
Name = "web"
MeshGateway {
- Mode = "local"
+ Mode = "local"
}
```
```yaml
-Kind: service-defaults
-MeshGateway:
-- Mode: local
-Name: web
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ServiceDefaults
+metadata:
+ name: web
+spec:
+ meshGateway:
+ mode: local
+```
+
+```json
+{
+ "Kind": "service-defaults",
+ "Name": "web",
+ "MeshGateway": {
+ "Mode": "local"
+ }
+}
```
@@ -134,22 +161,22 @@ The following [proxy service configuration](/consul/docs/connect/proxies/deploy-
```hcl
service {
- name = "web-sidecar-proxy"
- kind = "connect-proxy"
- port = 8181
- proxy {
- destination_service_name = "web"
- mesh_gateway {
- mode = "remote"
+ name = "web-sidecar-proxy"
+ kind = "connect-proxy"
+ port = 8181
+ proxy {
+ destination_service_name = "web"
+ mesh_gateway {
+ mode = "remote"
+ }
+ upstreams = [
+ {
+ destination_name = "api"
+ datacenter = "secondary"
+ local_bind_port = 10000
}
- upstreams = [
- {
- destination_name = "api"
- datacenter = "secondary"
- local_bind_port = 10000
- }
- ]
- }
+ ]
+ }
}
# Or alternatively inline with the service definition:
@@ -161,7 +188,7 @@ service {
sidecar_service {
proxy {
mesh_gateway {
- mode = "remote"
+ mode = "remote"
}
upstreams = [
{
@@ -176,19 +203,27 @@ service {
}
```
-```yaml
-service:
-- kind: connect-proxy
- name: web-sidecar-proxy
- port: 8181
- proxy:
- - destination_service_name: web
- mesh_gateway:
- - mode: remote
- upstreams:
- - datacenter: secondary
- destination_name: api
- local_bind_port: 100
+```json
+{
+ "service": {
+ "kind": "connect-proxy",
+ "name": "web-sidecar-proxy",
+ "port": 8181,
+ "proxy": {
+ "destination_service_name": "web",
+ "mesh_gateway": {
+ "mode": "remote"
+ },
+ "upstreams": [
+ {
+ "destination_name": "api",
+ "datacenter": "secondary",
+ "local_bind_port": 10000
+ }
+ ]
+ }
+ }
+}
```
@@ -201,59 +236,73 @@ The following service definition will enable gateways in the `local` mode for on
```hcl
service {
- name = "web-sidecar-proxy"
- kind = "connect-proxy"
- port = 8181
- proxy {
- destination_service_name = "web"
- upstreams = [
- {
- destination_name = "api"
- destination_peer = "cluster-01"
- local_bind_port = 10000
- mesh_gateway {
- mode = "remote"
- }
- },
- {
- destination_name = "db"
- datacenter = "secondary"
- local_bind_port = 10001
- mesh_gateway {
- mode = "local"
- }
- },
- {
- destination_name = "logging"
- datacenter = "secondary"
- local_bind_port = 10002
- mesh_gateway {
- mode = "none"
- }
- },
+ name = "web-sidecar-proxy"
+ kind = "connect-proxy"
+ port = 8181
+ proxy {
+ destination_service_name = "web"
+ upstreams = [
+ {
+ destination_name = "api"
+ destination_peer = "cluster-01"
+ local_bind_port = 10000
+ mesh_gateway {
+ mode = "remote"
+ }
+ },
+ {
+ destination_name = "db"
+ datacenter = "secondary"
+ local_bind_port = 10001
+ mesh_gateway {
+ mode = "local"
+ }
+ },
+ {
+ destination_name = "logging"
+ datacenter = "secondary"
+ local_bind_port = 10002
+ mesh_gateway {
+ mode = "none"
+ }
+ },
+ ]
+ }
+}
+```
+```json
+{
+ "service": {
+ "kind": "connect-proxy",
+ "name": "web-sidecar-proxy",
+ "port": 8181,
+ "proxy": {
+ "destination_service_name": "web",
+ "upstreams": [
+ {
+ "destination_name": "api",
+ "local_bind_port": 10000,
+ "mesh_gateway": {
+ "mode": "remote"
+ }
+ },
+ {
+ "destination_name": "db",
+ "local_bind_port": 10001,
+ "mesh_gateway": {
+ "mode": "local"
+ }
+ },
+ {
+ "destination_name": "logging",
+ "local_bind_port": 10002,
+ "mesh_gateway": {
+ "mode": "none"
+ }
+ }
]
- }
+ }
+ }
}
```
-```yaml
-service:
-- kind: connect-proxy
- name: web-sidecar-proxy
- port: 8181
- proxy:
- - destination_service_name: web
- upstreams:
- - destination_name: api
- local_bind_port: 10000
- mesh_gateway:
- - mode: remote
- - destination_name: db
- local_bind_port: 10001
- mesh_gateway:
- - mode: local
- - destination_name: logging
- local_bind_port: 10002
- mesh_gateway:
- - mode: none
- ```
diff --git a/website/content/docs/connect/gateways/mesh-gateway/peering-via-mesh-gateways.mdx b/website/content/docs/connect/gateways/mesh-gateway/peering-via-mesh-gateways.mdx
index 7fa47f215a1d..a7fae5c2820c 100644
--- a/website/content/docs/connect/gateways/mesh-gateway/peering-via-mesh-gateways.mdx
+++ b/website/content/docs/connect/gateways/mesh-gateway/peering-via-mesh-gateways.mdx
@@ -121,9 +121,13 @@ Peering {
```
```yaml
-Kind: mesh
-Peering:
- PeerThroughMeshGateways: true
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: Mesh
+metadata:
+ name: mesh
+spec:
+ peering:
+ peerThroughMeshGateways: true
```
diff --git a/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions.mdx b/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions.mdx
index 22a4e9d9b8f7..4c7fe3ba2aa1 100644
--- a/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions.mdx
+++ b/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions.mdx
@@ -78,7 +78,7 @@ Use the following example configurations to help you understand some of the comm
The following `proxy-defaults` configuration will enable gateways for all mesh services in the `local` mode.
-
+
```hcl
Kind = "proxy-defaults"
@@ -89,10 +89,23 @@ MeshGateway {
```
```yaml
-Kind: proxy-defaults
-MeshGateway:
-- Mode: local
-Name: global
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ProxyDefaults
+metadata:
+ name: global
+spec:
+ meshGateway:
+ mode: local
+```
+
+```json
+{
+ "Kind": "proxy-defaults",
+ "Name": "global",
+ "MeshGateway": {
+ "Mode": "local"
+ }
+}
```
@@ -112,11 +125,25 @@ MeshGateway {
```
```yaml
-Kind: service-defaults
-MeshGateway:
-- Mode: local
-Name: web
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ServiceDefaults
+metadata:
+ name: web
+spec:
+ meshGateway:
+ mode: local
```
+
+```json
+{
+ "Kind": "service-defaults",
+ "Name": "web",
+ "MeshGateway": {
+ "Mode": "local"
+ }
+}
+```
+
### Enabling Gateways for a Service Instance
@@ -124,7 +151,7 @@ Name: web
The following [proxy service configuration](/consul/docs/connect/proxies/deploy-service-mesh-proxies)
enables gateways for `web` service instances in the `finance` partition.
-
+
```hcl
service {
@@ -149,21 +176,29 @@ service {
}
```
-```yaml
-service:
-- kind: connect-proxy
- name: web-sidecar-proxy
- port: 8181
- proxy:
- - destination_service_name: web
- mesh_gateway:
- - mode: local
- upstreams:
- - destination_name: billing
- destination_namespace: default
- destination_partition: finance
- destination_type: service
- local_bind_port: 9090
+```json
+{
+ "service": {
+ "kind": "connect-proxy",
+ "name": "web-sidecar-proxy",
+ "port": 8181,
+ "proxy": {
+ "destination_service_name": "web",
+ "mesh_gateway": {
+ "mode": "local"
+ },
+ "upstreams": [
+ {
+ "destination_name": "billing",
+ "destination_namespace": "default",
+ "destination_partition": "finance",
+ "destination_type": "service",
+ "local_bind_port": 9090
+ }
+ ]
+ }
+ }
+}
```
@@ -171,7 +206,7 @@ service:
The following service definition will enable gateways in `local` mode for three different partitions. Note that each service exists in the same namespace, but are separated by admin partition.
-
+
```hcl
service {
@@ -213,31 +248,45 @@ service {
}
```
-```yaml
-service:
-- kind: connect-proxy
- name: web-sidecar-proxy
- port: 8181
- proxy:
- - destination_service_name: web
- upstreams:
- - destination_name: api
- destination_namespace: dev
- destination_partition: api
- local_bind_port: 10000
- mesh_gateway:
- - mode: local
- - destination_name: db
- destination_namespace: dev
- destination_partition: db
- local_bind_port: 10001
- mesh_gateway:
- - mode: local
- - destination_name: logging
- destination_namespace: dev
- destination_partition: logging
- local_bind_port: 10002
- mesh_gateway:
- - mode: local
+```json
+{
+ "service": {
+ "kind": "connect-proxy",
+ "name": "web-sidecar-proxy",
+ "port": 8181,
+ "proxy": {
+ "destination_service_name": "web",
+ "upstreams": [
+ {
+ "destination_name": "api",
+ "destination_namespace": "dev",
+ "destination_partition": "api",
+ "local_bind_port": 10000,
+ "mesh_gateway": {
+ "mode": "local"
+ }
+ },
+ {
+ "destination_name": "db",
+ "destination_namespace": "dev",
+ "destination_partition": "db",
+ "local_bind_port": 10001,
+ "mesh_gateway": {
+ "mode": "local"
+ }
+ },
+ {
+ "destination_name": "logging",
+ "destination_namespace": "dev",
+ "destination_partition": "logging",
+ "local_bind_port": 10002,
+ "mesh_gateway": {
+ "mode": "local"
+ }
+ }
+ ]
+ }
+ }
+}
```
diff --git a/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters.mdx b/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters.mdx
index dc017e0af232..d9df2de8f18c 100644
--- a/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters.mdx
+++ b/website/content/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters.mdx
@@ -94,7 +94,7 @@ Use the following example configurations to help you understand some of the comm
The following `proxy-defaults` configuration will enable gateways for all mesh services in the `local` mode.
-
+
```hcl
Kind = "proxy-defaults"
@@ -105,10 +105,23 @@ MeshGateway {
```
```yaml
-Kind: proxy-defaults
-MeshGateway:
-- Mode: local
-Name: global
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ProxyDefaults
+metadata:
+ name: global
+spec:
+ meshGateway:
+ mode: local
+```
+
+```json
+{
+ "Kind": "proxy-defaults",
+ "Name": "global",
+ "MeshGateway": {
+ "Mode": "local"
+ }
+}
```
@@ -127,12 +140,24 @@ MeshGateway {
```
```yaml
-Kind: service-defaults
-MeshGateway:
-- Mode: local
-Name: web
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ServiceDefaults
+metadata:
+ name: web
+spec:
+ meshGateway:
+ mode: local
```
+```json
+{
+ "Kind": "service-defaults",
+ "Name": "web",
+ "MeshGateway": {
+ "Mode": "local"
+ }
+}
+
### Enabling Gateways for a Service Instance
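Review bot: The added `json` fenced block for the `service-defaults` example is never closed: the new side goes from the closing `}` to an empty line and then straight to the `### Enabling Gateways for a Service Instance` heading. Without a closing fence, the heading and the text after it would render inside the code block. Add a line holding only three backticks after the `}` line, as the same example in `service-to-service-traffic-partitions.mdx` does. The opening fence also follows the YAML block's closing fence with no blank line between them, which the partitions file has.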
@@ -186,19 +211,27 @@ service {
}
```
-```yaml
-service:
-- kind: connect-proxy
- name: web-sidecar-proxy
- port: 8181
- proxy:
- - destination_service_name: web
- mesh_gateway:
- - mode: remote
- upstreams:
- - datacenter: secondary
- destination_name: api
- local_bind_port: 100
+```json
+{
+ "service": {
+ "kind": "connect-proxy",
+ "name": "web-sidecar-proxy",
+ "port": 8181,
+ "proxy": {
+ "destination_service_name": "web",
+ "mesh_gateway": {
+ "mode": "remote"
+ },
+ "upstreams": [
+ {
+ "destination_name": "api",
+ "datacenter": "secondary",
+ "local_bind_port": 10000
+ }
+ ]
+ }
+ }
+}
```
@@ -242,25 +275,39 @@ service {
}
}
```
-```yaml
-service:
-- kind: connect-proxy
- name: web-sidecar-proxy
- port: 8181
- proxy:
- - destination_service_name: web
- upstreams:
- - destination_name: api
- local_bind_port: 10000
- mesh_gateway:
- - mode: remote
- - destination_name: db
- local_bind_port: 10001
- mesh_gateway:
- - mode: local
- - destination_name: logging
- local_bind_port: 10002
- mesh_gateway:
- - mode: none
- ```
-
+```json
+{
+ "service": {
+ "kind": "connect-proxy",
+ "name": "web-sidecar-proxy",
+ "port": 8181,
+ "proxy": {
+ "destination_service_name": "web",
+ "upstreams": [
+ {
+ "destination_name": "api",
+ "local_bind_port": 10000,
+ "mesh_gateway": {
+ "mode": "remote"
+ }
+ },
+ {
+ "destination_name": "db",
+ "local_bind_port": 10001,
+ "mesh_gateway": {
+ "mode": "local"
+ }
+ },
+ {
+ "destination_name": "logging",
+ "local_bind_port": 10002,
+ "mesh_gateway": {
+ "mode": "none"
+ }
+ }
+ ]
+ }
+ }
+}
+```
+
diff --git a/website/content/docs/connect/proxies/envoy-extensions/configuration/ext-authz.mdx b/website/content/docs/connect/proxies/envoy-extensions/configuration/ext-authz.mdx
index 477b889c23a1..ebe7f99a96e3 100644
--- a/website/content/docs/connect/proxies/envoy-extensions/configuration/ext-authz.mdx
+++ b/website/content/docs/connect/proxies/envoy-extensions/configuration/ext-authz.mdx
@@ -100,7 +100,7 @@ Click on a property name to view additional details, including default values.
- [`StatusOnError`](#arguments-config-statusonerror): number | `403` | HTTP only
- [`StatPrefix`](#arguments-config-statprefix): string | `response`
- [`WithRequestBody`](#arguments-config-withrequestbody): map | HTTP only
- - [`MaxRequestBytes`](#arguments-config-withrequestbody-maxrequestbytes): number
+ - [`MaxRequestBytes`](#arguments-config-withrequestbody-maxrequestbytes): number
- [`AllowPartialMessage`](#arguments-config-withrequestbody-allowpartialmessage): boolean | `false`
- [`PackAsBytes`](#arguments-config-withrequestbody-packasbytes): boolean | `false`
diff --git a/website/content/docs/connect/proxies/envoy-extensions/configuration/property-override.mdx b/website/content/docs/connect/proxies/envoy-extensions/configuration/property-override.mdx
index 8ccb49a391fb..610371b303da 100644
--- a/website/content/docs/connect/proxies/envoy-extensions/configuration/property-override.mdx
+++ b/website/content/docs/connect/proxies/envoy-extensions/configuration/property-override.mdx
@@ -177,16 +177,16 @@ EnvoyExtensions = [
ProxyType = "connect-proxy",
Patches = [
{
- "ResourceFilter" = {
- "ResourceType" = "cluster",
- "TrafficDirection" = "outbound",
- "Service" = {
- "Name" = "other-svc"
- },
- },
- "Op" = "add",
- "Path" = "/respect_dns_ttl",
- "Value" = true,
+ ResourceFilter = {
+ ResourceType = "cluster"
+ TrafficDirection = "outbound"
+ Service = {
+ Name = "other-svc"
+ }
+ }
+ Op = "add"
+ Path = "/respect_dns_ttl"
+ Value = true
}
]
}
diff --git a/website/content/docs/connect/proxies/envoy-extensions/usage/apigee-ext-authz.mdx b/website/content/docs/connect/proxies/envoy-extensions/usage/apigee-ext-authz.mdx
index fff6bb28574f..a0492de0b246 100644
--- a/website/content/docs/connect/proxies/envoy-extensions/usage/apigee-ext-authz.mdx
+++ b/website/content/docs/connect/proxies/envoy-extensions/usage/apigee-ext-authz.mdx
@@ -8,21 +8,21 @@ description: Learn how to use the `ext-authz` Envoy extension to delegate data p
This topic describes how to use the external authorization Envoy extension to delegate data plane authorization requests to Apigee.
-For more detailed guidance, refer to the [`learn-consul-apigee-external-authz` repo on GitHub](https://github.com/hashicorp-education/learn-consul-apigee-external-authz).
+For more detailed guidance, refer to the [`learn-consul-apigee-external-authz` repo](https://github.com/hashicorp-education/learn-consul-apigee-external-authz) on GitHub.
## Workflow
Complete the following steps to use the external authorization extension with Apigee:
1. Deploy the Apigee Adapter for Envoy and register the service in Consul.
-1. Configure the `EnvoyExtensions` block in a service defaults or proxy defaults configuration entry.
+1. Configure the `EnvoyExtensions` block in a service defaults or proxy defaults configuration entry.
1. Apply the configuration entry.
## Deploy the Apigee Adapter for Envoy
The [Apigee Adapter for Envoy](https://cloud.google.com/apigee/docs/api-platform/envoy-adapter/v2.0.x/concepts) is an Apigee-managed API gateway that uses Envoy to proxy API traffic.
-To download and install Apigee Adapter for Envoy, refer to the [getting started documentation](https://cloud.google.com/apigee/docs/api-platform/envoy-adapter/v2.0.x/getting-started) or follow along with the [`learn-consul-apigee-external-authz` repo on GitHub](https://github.com/hashicorp-education/learn-consul-apigee-external-authz).
+To download and install Apigee Adapter for Envoy, refer to the [getting started documentation](https://cloud.google.com/apigee/docs/api-platform/envoy-adapter/v2.0.x/getting-started) or follow along with the [`learn-consul-apigee-external-authz` repo](https://github.com/hashicorp-education/learn-consul-apigee-external-authz) on GitHub.
After you deploy the service in your desired runtime, create a service defaults configuration entry for the service's gRPC protocol.
diff --git a/website/content/docs/connect/proxies/envoy-extensions/usage/ext-authz.mdx b/website/content/docs/connect/proxies/envoy-extensions/usage/ext-authz.mdx
index a0e6630b74d0..51a004c17b32 100644
--- a/website/content/docs/connect/proxies/envoy-extensions/usage/ext-authz.mdx
+++ b/website/content/docs/connect/proxies/envoy-extensions/usage/ext-authz.mdx
@@ -82,7 +82,7 @@ EnvoyExtensions = [
-
+
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
diff --git a/website/content/docs/connect/proxies/envoy-extensions/usage/lua.mdx b/website/content/docs/connect/proxies/envoy-extensions/usage/lua.mdx
index 08fb6b05d0b4..5bac9081360b 100644
--- a/website/content/docs/connect/proxies/envoy-extensions/usage/lua.mdx
+++ b/website/content/docs/connect/proxies/envoy-extensions/usage/lua.mdx
@@ -224,4 +224,4 @@ end
]
```
-
\ No newline at end of file
+
diff --git a/website/content/docs/connect/proxies/envoy-extensions/usage/wasm.mdx b/website/content/docs/connect/proxies/envoy-extensions/usage/wasm.mdx
index de899efe48c6..5f5b371e7362 100644
--- a/website/content/docs/connect/proxies/envoy-extensions/usage/wasm.mdx
+++ b/website/content/docs/connect/proxies/envoy-extensions/usage/wasm.mdx
@@ -125,30 +125,33 @@ EOF
```yaml
-kind: service-defaults
-name: api
-protocol: http
-envoyExtensions:
- - name: builtin/wasm
- required: true
- arguments:
- protocol: http
- listenerType: inbound
- pluginConfig:
- VmConfig:
- Code:
- Remote:
- HttpURI:
- Service:
- Name: file-server
- URI: https://file-server/waf.wasm
- Configuration:
- rules:
- - Include @demo-conf
- - Include @crs-setup-demo-conf
- - SecDebugLogLevel 9
- - SecRuleEngine On
- - Include @owasp_crs/*.conf
+apiVersion: consul.hashicorp.com/v1alpha1
+kind: ServiceDefaults
+metadata:
+ name: api
+spec:
+ protocol: http
+ envoyExtensions:
+ - name: builtin/wasm
+ required: true
+ arguments:
+ protocol: http
+ listenerType: inbound
+ pluginConfig:
+ VmConfig:
+ Code:
+ Remote:
+ HttpURI:
+ Service:
+ Name: file-server
+ URI: https://file-server/waf.wasm
+ Configuration:
+ rules:
+ - Include @demo-conf
+ - Include @crs-setup-demo-conf
+ - SecDebugLogLevel 9
+ - SecRuleEngine On
+ - Include @owasp_crs/*.conf
```
diff --git a/website/content/docs/k8s/annotations-and-labels.mdx b/website/content/docs/k8s/annotations-and-labels.mdx
index 0735ede6cce1..4e4177bc7206 100644
--- a/website/content/docs/k8s/annotations-and-labels.mdx
+++ b/website/content/docs/k8s/annotations-and-labels.mdx
@@ -81,7 +81,8 @@ The following Kubernetes resource annotations could be used on a pod to control
local port to listen for those connections. When transparent proxy is enabled,
this annotation is optional. This annotation can be either _labeled_ or _unlabeled_. We recommend the labeled format because it has a more consistent syntax and can be used to reference cluster peers as upstreams.
- - **Labeled**:
+ You cannot reference auto-generated environment variables when the upstream annotation contains a dot. This is because Consul also renders the environment variables to include a dot. For example, Consul renders the variables generated for `static-server.svc:8080` as `STATIC-SERVER.SVC_CONNECT_SERVICE_HOST` and `STATIC_SERVER.SVC_CONNECT_SERVICE_PORT`, which makes the variables unusable.
+ - **Labeled**:
The labeled annotation format allows you to reference any service as an upstream. You can specify a Consul Enterprise namespace. You can also specify an admin partition in the same datacenter, a cluster peer, or a WAN-federated datacenter.
diff --git a/website/content/docs/k8s/connect/index.mdx b/website/content/docs/k8s/connect/index.mdx
index 4b7def3609fd..a5ba50fcbb8e 100644
--- a/website/content/docs/k8s/connect/index.mdx
+++ b/website/content/docs/k8s/connect/index.mdx
@@ -167,6 +167,7 @@ upstream. This is analogous to the standard Kubernetes service environment varia
point instead to the correct local proxy port to establish connections via
service mesh.
+You cannot reference auto-generated environment variables when the upstream annotation contains a dot. This is because Consul also renders the environment variables to include a dot. For example, Consul renders the variables generated for `static-server.svc:8080` as `STATIC-SERVER.SVC_CONNECT_SERVICE_HOST` and `STATIC_SERVER.SVC_CONNECT_SERVICE_PORT`, which makes the variables unusable.
You can verify access to the static text server using `kubectl exec`.
Because transparent proxy is enabled by default,
use Kubernetes DNS to connect to your desired upstream.
diff --git a/website/content/docs/k8s/connect/transparent-proxy/enable-transparent-proxy.mdx b/website/content/docs/k8s/connect/transparent-proxy/enable-transparent-proxy.mdx
index 7db6a6db0396..be8dca3e41c2 100644
--- a/website/content/docs/k8s/connect/transparent-proxy/enable-transparent-proxy.mdx
+++ b/website/content/docs/k8s/connect/transparent-proxy/enable-transparent-proxy.mdx
@@ -43,8 +43,8 @@ connectInject:
Apply the `consul.hashicorp.com/transparent-proxy=true` label to enable transparent proxy for a Kubernetes namespace. The label overrides the `connectInject.transparentProxy.defaultEnabled` Helm value and defines the default behavior of Pods in the namespace. The following example enables transparent proxy for Pods in the `my-app` namespace:
-```bash
-kubectl label namespaces my-app "consul.hashicorp.com/transparent-proxy=true"
+```shell-session
+$ kubectl label namespaces my-app "consul.hashicorp.com/transparent-proxy=true"
```
### Individual service
@@ -121,12 +121,11 @@ The [`consul.hashicorp.com/transparent-proxy-exclude-inbound-ports`](/consul/doc
```yaml
-"metadata": {
- "annotations": {
- "consul.hashicorp.com/transparent-proxy-exclude-inbound-ports" : "8200, 8201”
- }
-}
+metadata:
+ annotations:
+ consul.hashicorp.com/transparent-proxy-exclude-inbound-ports: "8200, 8201"
```
+
### Exclude outbound ports
@@ -136,11 +135,9 @@ The [`consul.hashicorp.com/transparent-proxy-exclude-outbound-ports`](/consul/do
```yaml
-"metadata": {
- "annotations": {
- "consul.hashicorp.com/transparent-proxy-exclude-outbound-ports" : "8200, 8201”
- }
-}
+metadata:
+ annotations":
+ consul.hashicorp.com/transparent-proxy-exclude-outbound-ports: "8200, 8201"
```
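Review bot: The added line `annotations":` in the outbound-ports example keeps a stray double quote from the old JSON form, so the key is no longer `annotations`. Depending on the parser, the snippet is either rejected or accepted with a key named `annotations"`. In the second case the exclusion annotation would presumably not reach the pod, which is easy to miss when the manifest otherwise applies. It should read `annotations:`, as in the inbound-ports and CIDR examples in this file.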
@@ -154,11 +151,9 @@ In the following example, services in the `3.3.3.3/24` IP range are not redirect
```yaml
-"metadata": {
- "annotations": {
- "consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs" : "3.3.3.3,3.3.3.3/24"
- }
-}
+metadata:
+ annotations:
+ consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs: "3.3.3.3,3.3.3.3/24"
```
@@ -171,9 +166,9 @@ In the following example, services with the IDs `4444 ` and `44444 ` are not red
```yaml
-"metadata": {
- "annotations": {
- "consul.hashicorp.com/transparent-proxy-exclude-uids" : "4444,44444”
+metadata:
+ annotations:
+ consul.hashicorp.com/transparent-proxy-exclude-uids: "4444,44444"
}
}
```
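Review bot: The two `}` lines after the converted `transparent-proxy-exclude-uids` annotation are left over from the old JSON form. They are context lines in this hunk, so the commit keeps them inside the YAML block. With them the example is not valid YAML and would fail when copied into a manifest. Remove both `}` lines so the block ends after `consul.hashicorp.com/transparent-proxy-exclude-uids: "4444,44444"`, matching the other exclusion examples in this file.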
@@ -201,7 +196,7 @@ then you must configure services in one Kubernetes cluster to explicitly dial a
The following example configures the service to dial an upstream service called `my-service` in datacenter `dc2` on port `1234`:
```yaml
- "consul.hashicorp.com/connect-service-upstreams": "my-service:1234:dc2"
+consul.hashicorp.com/connect-service-upstreams: "my-service:1234:dc2"
```
If your Consul cluster is deployed to a [single datacenter spanning multiple Kubernetes clusters](/consul/docs/k8s/deployment-configurations/single-dc-multi-k8s),
@@ -210,7 +205,7 @@ then you must configure services in one Kubernetes cluster to explicitly dial a
The following example configures the service to dial an upstream service called `my-service` in another Kubernetes cluster on port `1234`:
```yaml
-"consul.hashicorp.com/connect-service-upstreams": "my-service:1234"
+consul.hashicorp.com/connect-service-upstreams: "my-service:1234"
```
You do not need to configure services to explicitly dial upstream services if your Consul clusters are connected with a [peering connection](/consul/docs/connect/cluster-peering).
diff --git a/website/content/docs/nia/cli/task.mdx b/website/content/docs/nia/cli/task.mdx
index ea105918480d..d5ead540cc65 100644
--- a/website/content/docs/nia/cli/task.mdx
+++ b/website/content/docs/nia/cli/task.mdx
@@ -34,7 +34,7 @@ task_example.hcl:
task {
name = "task_a"
description = ""
- enabled = true,
+ enabled = true
providers = []
module = "org/example/module"
version = "1.0.0"
diff --git a/website/content/docs/nia/configuration.mdx b/website/content/docs/nia/configuration.mdx
index f54a4ef51e0a..c5c87d18c620 100644
--- a/website/content/docs/nia/configuration.mdx
+++ b/website/content/docs/nia/configuration.mdx
@@ -277,7 +277,7 @@ A `task` block configures which task to execute in automation. Use the `conditi
task {
name = "taskA"
description = ""
- enabled = true,
+ enabled = true
providers = []
module = "org/example/module"
version = "1.0.0"
diff --git a/website/content/docs/security/acl/auth-methods/aws-iam.mdx b/website/content/docs/security/acl/auth-methods/aws-iam.mdx
index 72e17f7cbf92..bf4433a1a18e 100644
--- a/website/content/docs/security/acl/auth-methods/aws-iam.mdx
+++ b/website/content/docs/security/acl/auth-methods/aws-iam.mdx
@@ -86,7 +86,9 @@ parameters for an auth method of type `aws-iam`:
```json
{
- ...other fields...
+ "Name": "example-iam-auth",
+ "Type": "aws-iam",
+ "Description": "Example AWS IAM auth method",
"Config": {
"BoundIAMPrincipalARNs": ["arn:aws:iam::123456789012:role/MyRoleName"],
"EnableIAMEntityDetails": true,
diff --git a/website/content/docs/security/acl/auth-methods/jwt.mdx b/website/content/docs/security/acl/auth-methods/jwt.mdx
index 1e99502c0c56..c019ad18ff0a 100644
--- a/website/content/docs/security/acl/auth-methods/jwt.mdx
+++ b/website/content/docs/security/acl/auth-methods/jwt.mdx
@@ -92,7 +92,9 @@ parameters are required to properly configure an auth method of type
```json
{
- ...other fields...
+ "Name": "example-jwt-auth-static-keys",
+ "Type": "jwt",
+ "Description": "Example JWT auth method with static keys",
"Config": {
"BoundIssuer": "corp-issuer",
"JWTValidationPubKeys": [
@@ -113,7 +115,9 @@ parameters are required to properly configure an auth method of type
```json
{
- ...other fields...
+ "Name": "example-jwt-auth-jwks",
+ "Type": "jwt",
+ "Description": "Example JWT auth method with JWKS",
"Config": {
"JWKSURL": "https://my-corp-jwks-url.example.com/",
"ClaimMappings": {
@@ -131,7 +135,9 @@ parameters are required to properly configure an auth method of type
```json
{
- ...other fields...
+ "Name": "example-oidc-auth",
+ "Type": "oidc",
+ "Description": "Example OIDC auth method",
"Config": {
"BoundAudiences": [
"V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt"
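Review bot: The third example in `jwt.mdx` is given `"Name": "example-oidc-auth"` and `"Type": "oidc"`, the same values this commit adds to `oidc.mdx`, while the two earlier examples on this page use `"Type": "jwt"`. The rest of the `Config` block is outside the hunk, so this may be intended. If the example is meant to show a JWT auth method, a reader who copies it would create a method of a different type than the page documents. If it is a copy-paste slip, use `"Type": "jwt"` with a name and description that match.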
diff --git a/website/content/docs/security/acl/auth-methods/kubernetes.mdx b/website/content/docs/security/acl/auth-methods/kubernetes.mdx
index 13f76481c98c..a5505f5d0bad 100644
--- a/website/content/docs/security/acl/auth-methods/kubernetes.mdx
+++ b/website/content/docs/security/acl/auth-methods/kubernetes.mdx
@@ -1,6 +1,6 @@
---
layout: docs
-page_title: Kubernetes Auth Method
+page_title: Kubernetes Auth Method
description: >-
Use the Kubernetes auth method type to authenticate to Consul with a Kubernetes service account token and receive an ACL token with privileges based on JWT identity attributes. Learn how to configure auth method parameters using this reference page and example configuration.
---
@@ -61,7 +61,9 @@ parameters are required to properly configure an auth method of type
```json
{
- ...other fields...
+ "Name": "example-k8s-auth",
+ "Type": "kubernetes",
+ "Description": "Example JWT auth method",
"Config": {
"Host": "https://192.0.2.42:8443",
"CACert": "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n",
diff --git a/website/content/docs/security/acl/auth-methods/oidc.mdx b/website/content/docs/security/acl/auth-methods/oidc.mdx
index 0c0f9efda06b..677db04ffcd5 100644
--- a/website/content/docs/security/acl/auth-methods/oidc.mdx
+++ b/website/content/docs/security/acl/auth-methods/oidc.mdx
@@ -86,7 +86,9 @@ parameters are required to properly configure an auth method of type
```json
{
- ...other fields...
+ "Name": "example-oidc-auth",
+ "Type": "oidc",
+ "Description": "Example OIDC auth method",
"Config": {
"AllowedRedirectURIs": [
"http://localhost:8550/oidc/callback",
diff --git a/website/content/docs/services/discovery/dns-static-lookups.mdx b/website/content/docs/services/discovery/dns-static-lookups.mdx
index 6c26fc006091..c23e52dce04e 100644
--- a/website/content/docs/services/discovery/dns-static-lookups.mdx
+++ b/website/content/docs/services/discovery/dns-static-lookups.mdx
@@ -234,11 +234,13 @@ _redis._tcp.service.phx1.peer.consul. 0 IN SRV 1 1 29142 0a010d56.addr.consul.
If a service registered with Consul is configured with an explicit IP address or addresses in the [`address`](/consul/docs/services/configuration/services-configuration-reference#address) or [`tagged_address`](/consul/docs/services/configuration/services-configuration-reference#tagged_address) parameter, then Consul returns the hostname in the target field of the answer section for the DNS SRV query according to the following format:
```text
-.addr..consul`.
+.addr..consul.
```
In the following example, the `rabbitmq` service is registered with an explicit IPv4 address of `192.0.2.10`.
+
+
```hcl
node_name = "node1"
@@ -247,6 +249,9 @@ services {
address = "192.0.2.10"
port = 5672
}
+```
+
+```json
{
"node_name": "node1",
"services": [
@@ -259,6 +264,8 @@ services {
}
```
+
+
The following example SRV query response contains a single record with a hostname written as a hexadecimal value:
```shell-session
@@ -275,6 +282,8 @@ $ echo -n "c000020a" | perl -ne 'printf("%vd\n", pack("H*", $_))'
In the following example, the `rabbitmq` service is registered with an explicit IPv6 address of `2001:db8:1:2:cafe::1337`.
+
+
```hcl
node_name = "node1"
@@ -283,6 +292,9 @@ services {
address = "2001:db8:1:2:cafe::1337"
port = 5672
}
+```
+
+```json
{
"node_name": "node1",
"services": [
@@ -295,6 +307,8 @@ services {
}
```
+
+
The following example SRV query response contains a single record with a hostname written as a hexadecimal value:
```shell-session
diff --git a/website/content/docs/services/usage/define-services.mdx b/website/content/docs/services/usage/define-services.mdx
index 60f19997eb30..5b1450fe1a6a 100644
--- a/website/content/docs/services/usage/define-services.mdx
+++ b/website/content/docs/services/usage/define-services.mdx
@@ -110,26 +110,6 @@ service {
}
```
-
-
-```yaml
-service:
-- id: redis
- meta:
- - custom_meta_key: custom_meta_value
- name: redis
- port: 80
- tagged_addresses:
- - lan:
- - address: 192.168.0.55
- port: 8000
- wan:
- - address: 198.18.0.23
- port: 80
- tags:
- - primary
-```
-
### Health checks
@@ -427,10 +407,12 @@ service {
```
```json
-"service": {
- ## ...
- "enable_tag_override": true,
- ## ...
+{
+ "service": {
+ ## ...
+ "enable_tag_override": true,
+ ## ...
+ }
}
```
diff --git a/website/content/partials/jwt_claim_mapping_details.mdx b/website/content/partials/jwt_claim_mapping_details.mdx
index d5f9415b1abf..5d0131471b9b 100644
--- a/website/content/partials/jwt_claim_mapping_details.mdx
+++ b/website/content/partials/jwt_claim_mapping_details.mdx
@@ -19,13 +19,18 @@ rule, and the lists of values mapped by `ListClaimMappings` cannot.
Assume this is your config snippet:
```json
-{ ...other fields...
- "ClaimMappings": {
- "givenName": "first_name",
- "surname": "last_name"
- },
- "ListClaimMappings": {
- "groups": "groups"
+{
+ "Name": "example-auth-method",
+ "Type": "",
+ "Description": "Example auth method",
+ "Config": {
+ "ClaimMappings": {
+ "givenName": "first_name",
+ "surname": "last_name"
+ },
+ "ListClaimMappings": {
+ "groups": "groups"
+ }
}
}
```