Related to #13740

- blocked_evals.total_blocked is the number of evals blocked for *any*
  reason
- blocked_evals.total_quota_limit is the number of evals blocked by
  quota limits, but critically: their resources are *not* counted in the
  cpu/memory

* chore(deps): bump github.com/mitchellh/mapstructure in /api

Bumps [github.com/mitchellh/mapstructure](https://github.com/mitchellh/mapstructure) from 1.4.3 to 1.5.0.
- [Release notes](https://github.com/mitchellh/mapstructure/releases)
- [Changelog](https://github.com/mitchellh/mapstructure/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mitchellh/mapstructure/compare/v1.4.3...v1.5.0

)

---
updated-dependencies:
- dependency-name: github.com/mitchellh/mapstructure
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>

* Also bump mapstructure in main go.mod
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Michael Schurter <mschurter@hashicorp.com>

* Vars from job prototype

* singular linked variable from job

* Links from task groups and tasks to their variables incl periodic and parameterized

* Lintfix

* Make sure they can list em before we list em

* Tests from job/group/task to var

* build(deps): bump github.com/gorilla/websocket in /api

Bumps [github.com/gorilla/websocket](https://github.com/gorilla/websocket) from 1.4.2 to 1.5.0.
- [Release notes](https://github.com/gorilla/websocket/releases)
- [Commits](https://github.com/gorilla/websocket/compare/v1.4.2...v1.5.0

)

---
updated-dependencies:
- dependency-name: github.com/gorilla/websocket
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>

* deps: also bump websocket dep in main binary
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Michael Schurter <mschurter@hashicorp.com>

Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.7.1+incompatible to 2.8.1+incompatible.
- [Release notes](https://github.com/docker/distribution/releases)
- [Commits](https://github.com/docker/distribution/compare/v2.7.1...v2.8.1

)

---
updated-dependencies:
- dependency-name: github.com/docker/distribution
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

See `message:` in rule for details.
Co-authored-by: Luiz Aoqui <luiz@hashicorp.com>

Plan rejections occur when the scheduler work and the leader plan
applier disagree on the feasibility of a plan. This may happen for valid
reasons: since Nomad does parallel scheduling, it is expected that
different workers will have a different state when computing placements.

As the final plan reaches the leader plan applier, it may no longer be
valid due to a concurrent scheduling taking up intended resources. In
these situations the plan applier will notify the worker that the plan
was rejected and that they should refresh their state before trying
again.

In some rare and unexpected circumstances it has been observed that
workers will repeatedly submit the same plan, even if they are always
rejected.

While the root cause is still unknown this mitigation has been put in
place. The plan applier will now track the history of plan rejections
per client and include in the plan result a list of node IDs that should
be set as ineligible if the number of rejections in a given time window
crosses a certain threshold. The window size and threshold value can be
adjusted in the server configuration.

To avoid marking several nodes as ineligible at one, the operation is rate
limited to 5 nodes every 30min, with an initial burst of 10 operations.

Fixes #13505

This fixes #13505 by treating reserved_ports like we treat a lot of jobspec settings: merging settings from more global stanzas (client.reserved.reserved_ports) "down" into more specific stanzas (client.host_networks[].reserved_ports).

As discussed in #13505 there are other options, and since it's totally broken right now we have some flexibility:

Treat overlapping reserved_ports on addresses as invalid and refuse to start agents. However, I'm not sure there's a cohesive model we want to publish right now since so much 0.9-0.12 compat code still exists! We would have to explain to folks that if their -network-interface and host_network addresses overlapped, they could only specify reserved_ports in one place or the other?! It gets ugly.
Use the global client.reserved.reserved_ports value as the default and treat host_network[].reserverd_ports as overrides. My first suggestion in the issue, but @groggemans made me realize the addresses on the agent's interface (as configured by -network-interface) may overlap with host_networks, so you'd need to remove the global reserved_ports from addresses shared with a shared network?! This seemed really confusing and subtle for users to me.
So I think "merging down" creates the most expressive yet understandable approach. I've played around with it a bit, and it doesn't seem too surprising. The only frustrating part is how difficult it is to observe the available addresses and ports on a node! However that's a job for another PR.

Bumps [github.com/hashicorp/consul/sdk](https://github.com/hashicorp/consul) from 0.8.0 to 0.9.0.
- [Release notes](https://github.com/hashicorp/consul/releases)
- [Changelog](https://github.com/hashicorp/consul/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/consul/compare/v0.8.0...v0.9.0

)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/consul/sdk
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github.com/docker/go-units from 0.3.3 to 0.4.0 in /api

Bumps [github.com/docker/go-units](https://github.com/docker/go-units) from 0.3.3 to 0.4.0.
- [Release notes](https://github.com/docker/go-units/releases)
- [Commits](https://github.com/docker/go-units/compare/v0.3.3...v0.4.0

)

---
updated-dependencies:
- dependency-name: github.com/docker/go-units
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>

* Tidy go.sum
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Michael Schurter <mschurter@hashicorp.com>

* SV CLI: var list
* Fix wildcard prefix filtering
Co-authored-by: Tim Gross <tgross@hashicorp.com>

In OSS we can upsert an allocation without worrying about whether that
alloc is in a namespace that actually exists, but in ENT that upsert
will add to the namespace's quotas. Ensure we're doing so in this
secure variables RPC test to fix the test breaking in the ENT repo.

* ACL check namespace value in SecureVariable
* Error on wildcard namespace

Remove other versions of Node installed in nvm to avoid issues where the
CI runner uses the wrong one.

* Sortable header added to variable page

* Showhide and copyable

* Failing test and TODO for wildcard

* Alias the namespace query parameter for Evals

* eval: fix list when using ACLs and * namespace

Apply the same verification process as in job, allocs and scaling
policy list endpoints to handle the eval list when using an ACL token
with limited namespace support but querying using the `*` wildcard
namespace.

* changelog: add entry for #13530

* ui: set namespace when querying eval

Evals have a unique UUID as ID, but when querying them the Nomad API
still expects a namespace query param, otherwise it assumes `default`.
Co-authored-by: Luiz Aoqui <luiz@hashicorp.com>

Secure Variables (feature branch)

The sidebar navigation tree for the `operator` sub-sub commands is
getting cluttered and we have a new set of commands coming to support
secure variables keyring as well. Move these all under their own
subtrees.

When the `Full` flag is passed for key rotation, we kick off a core
job to decrypt and re-encrypt all the secure variables so that they
use the new key.

* Related entities scaffolded

* Added hint on edit

* Re-classic'd

* Dont create entities when path goes beyond task level

* only show the related entities hint for new vars, not edited ones

* Unit tests for pathLinkedEntities

* Acceptance tests for linked entities

* Add hint on creation

* Will be vs Is on @new boolean flag

* Link styles and namespaces on links

* Unused component class

* Delog

* Defensive shouldShowLinked

* Properly instantiating the accessibilty check test

* ui:  inject router service into Variable ability to compute path

* ui:  test create secure variable ability

* refact:  update templates to properly check create ability

* chore:  update token factory to enable 1 path to have create ability

* refact:  remove router service injection for path variable

* refact:  update mirage factory for edit and delete perms on  path for testing

* ui:  handle path matching (#13474)

* test:  write specifications for nearestPath computation

* ui:  write logic for getting all paths

* ui:  nearestPathMatching algorithm

* test:  nearestPathMatching algorithm test

* ui:  handle namespace filtering for capabilities check (#13475)

* ui: add namespace handling

* refact:  add logical OR operator to handle unstructured  object.

* ui:  acceptance test for create flow in secure variables (#13500)

* test:  write happy path test for creating variable

* refact:  add missing data-test attributes

* test:  sad path for disabled button

* fix:  move comment in  file

* test:  acceptance test for editing a variable (#13529)

* refact:  add data-test variable

* test:  happy path and sad path for edit flow

* refact:  update test language to say disabled

* ui:  glob matching algorithm (#13533)

* ui: compute length difference (#13542)

* ui: compute length difference

* refact:  use glob matching and sorting algos in `nearestMatchingPath` (#13544)

* refact:  use const in compute

* ui:  smallest difference logic

* refact:  use glob matching and sorting algo in _nearestPathPath helper

* ui:  add can edit to variable capabilities (#13545)

* ui:  create edit capabilities getter

* ui:  add ember-can check for edit button

* refact:  update test to mock edit capabilities in policy

* fix:  remove unused var

* Edit capabilities for variables depend on Create
Co-authored-by: Phil Renaud <phil@riotindustries.com>
Co-authored-by: Phil Renaud <phil@riotindustries.com>
Co-authored-by: Phil Renaud <phil@riotindustries.com>

* refact:  update token factory (#13596)

* refact:  update rulesJSON in token factory to reflect schema update

* refact:  update capability names (#13597)

* refact:  update rules to match rulesJSON

* refact:  update create to write

* ui:  add `canDestroy` permissions (#13598)

* refact:  update rulesJSON in token factory to reflect schema update

* refact:  update rules to match rulesJSON

* refact:  update create to write

* ui:  add canDestroy capability

* test:  unit test for canDestroy

* ui:  add permission check to template

* test:  acceptance test for delete flow

* refact:  update test to use correct capability name

* refact:  update tests to reflect rulesJSON schema change

* ui:  update path matching logic to account for schema change (#13605)

* refact:  update path matching logic

* refact:  update tests to reflect rulesJSON change
Co-authored-by: Phil Renaud <phil@riotindustries.com>
Co-authored-by: Phil Renaud <phil@riotindustries.com>

* Toying with insert and update helpers before translation func

* Working prototype that lets you switch between json and tabular

* No longer add the bonus items row in json mode

* Trimmed the ivy from the codemirror (#13503)

* Trimmed the ivy from the codemirror

* editedJSONItems removal

* De-debugger

* Replaced other instances of IvyCodeMirror throughout the app (#13528)

* Replaced other instances of IvyCodeMirror throughout the app

* PR requests for codemirror modifier

* Screen reader setting as param

* Trying a simpler codemirror test helper

* Lint removal

* Screen Reader Label added for a11y

* JSONViewer cleanup

* JSON editor added to /new and all variables stringified before save or translate

* Give users a foothold when editing an empty item in JSON mode

* Copy the empty KV

* No duplicate keys in KV

* Better handling of cursor snapping in json edit field

* Catch formatting errors on the fly

* Basic...

* SV: CAS
    * Implement Check and Set for Delete and Upsert
    * Reading the conflict from the state store
    * Update endpoint for new error text
    * Updated HTTP api tests
    * Conflicts to the HTTP api

* SV: structs: Update SV time to UnixNanos
    * update mock to UnixNano; refactor

* SV: encrypter: quote KeyID in error
* SV: mock: add mock for namespace w/ SV

We need to track per-namespace storage usage for secure variables even
in Nomad OSS so that a cluster can be seamlessly upgraded from OSS to
ENT without having to re-calculate quota usage.

Provide a hook in the upsert RPC for enforcement of quotas in
ENT. This will be a no-op in Nomad OSS.

This changeset includes some additional unit tests for secure
variables ACL policies, so that we have explicit coverage of edge
cases we're discussing with the UI folks.

Add fields for configuring root key garbage collection and automatic
rotation. Fix the keystore path so that we write to a tempdir when in
dev mode.

* JSON view init

* Overeager config history reverted

* Set as query parameter

* border added to copy button

* More robust stringifyObject helper

* Testing for stringify-object helper

* ui:  add logic for create permission computed property

* ui:  update token factory and variable ability to simulate create permissions for dev env

* Did-insert modifier to add an extra row when editing

* Defensive logic on model existing

* Defensive pattern on copy keyValues

* Error thrown if you have no KVs on save

* Acceptance tests for flash messages and no-key-value adds

* Post-hoc accounting for new variable path routing

* Trim on key before validating it as existing

Extend the GC job to support periodic key rotation.

Update the GC process to safely support signed workload identity. We
can't GC any key used to sign a workload identity. Finding which key
was used to sign every allocation will be expensive, but there are not
that many keys. This lets us take a conservative approach: find the
oldest live allocation and ensure that we don't GC any key older than
that key.