couchbase 3.7.0 → 3.8.0

data/ext/couchbase/core/cluster.cxx

@@ -17,13 +17,18 @@
 
 #include <couchbase/build_config.hxx>
 
+#define COUCHBASE_CXX_CLIENT_IGNORE_CORE_DEPRECATIONS
 #include "cluster.hxx"
 
+#include "core/operations/document_view.hxx"
+#undef COUCHBASE_CXX_CLIENT_IGNORE_CORE_DEPRECATIONS
+
 #include "bucket.hxx"
 #include "capella_ca.hxx"
 #include "core/app_telemetry_meter.hxx"
 #include "core/app_telemetry_reporter.hxx"
 #include "core/diagnostics.hxx"
+#include "core/error.hxx"
 #include "core/impl/get_replica.hxx"
 #include "core/impl/lookup_in_replica.hxx"
 #include "core/impl/observe_seqno.hxx"
@@ -34,6 +39,7 @@
 #ifdef COUCHBASE_CXX_CLIENT_COLUMNAR
 #include "core/io/config_tracker.hxx"
 #endif
+#include "cluster_label_listener.hxx"
 #include "core/logger/logger.hxx"
 #include "core/management/analytics_link_azure_blob_external.hxx"
 #include "core/management/analytics_link_couchbase_remote.hxx"
@@ -67,7 +73,6 @@
 #include "core/operations/document_touch.hxx"
 #include "core/operations/document_unlock.hxx"
 #include "core/operations/document_upsert.hxx"
-#include "core/operations/document_view.hxx"
 #include "core/operations/http_noop.hxx"
 #include "core/operations/management/analytics_dataset_create.hxx"
 #include "core/operations/management/analytics_dataset_drop.hxx"
@@ -141,6 +146,7 @@
 #include "core/operations/management/view_index_get.hxx"
 #include "core/operations/management/view_index_get_all.hxx"
 #include "core/operations/management/view_index_upsert.hxx"
+#include "core/orphan_reporter.hxx"
 #include "core/platform/uuid.h"
 #include "core/protocol/hello_feature.hxx"
 #include "core/service_type.hxx"
@@ -157,6 +163,7 @@
 #include "mozilla_ca_bundle.hxx"
 #include "ping_collector.hxx"
 #include "ping_reporter.hxx"
+#include "tls_context_provider.hxx"
 
 #include <couchbase/codec/tao_json_serializer.hxx>
 #include <couchbase/error_codes.hxx>
@@ -294,7 +301,7 @@ public:
   explicit cluster_impl(asio::io_context& ctx)
     : ctx_(ctx)
     , work_(asio::make_work_guard(ctx_))
-    , session_manager_(std::make_shared<io::http_session_manager>(id_, ctx_, tls_))
+    , session_manager_(std::make_shared<io::http_session_manager>(id_, ctx_, tls_, origin_))
     , retry_backoff_(ctx_)
   {
   }
@@ -302,7 +309,7 @@ public:
   explicit cluster_impl(asio::io_context& ctx)
     : ctx_(ctx)
     , work_(asio::make_work_guard(ctx_))
-    , session_manager_(std::make_shared<io::http_session_manager>(id_, ctx_, tls_))
+    , session_manager_(std::make_shared<io::http_session_manager>(id_, ctx_, tls_, origin_))
   {
   }
 #endif
@@ -312,7 +319,7 @@ public:
     return ctx_;
   }
 
-  void configure_tls_options(bool has_capella_host)
+  void configure_tls_options(bool has_capella_host, const std::shared_ptr<asio::ssl::context>& ctx)
   {
     asio::ssl::context::options tls_options =
       asio::ssl::context::default_workarounds | // various bug workarounds that should be rather
@@ -326,19 +333,19 @@ public:
     if (origin_.options().tls_disable_v1_2 || has_capella_host) {
       tls_options |= asio::ssl::context::no_tlsv1_2; // published: 2008, still in use
     }
-    tls_.set_options(tls_options);
+    ctx->set_options(tls_options);
     switch (origin_.options().tls_verify) {
       case tls_verify_mode::none:
-        tls_.set_verify_mode(asio::ssl::verify_none);
+        ctx->set_verify_mode(asio::ssl::verify_none);
         break;
 
       case tls_verify_mode::peer:
-        tls_.set_verify_mode(asio::ssl::verify_peer);
+        ctx->set_verify_mode(asio::ssl::verify_peer);
         break;
     }
 
 #ifdef COUCHBASE_CXX_CLIENT_TLS_KEY_LOG_FILE
-    SSL_CTX_set_keylog_callback(tls_.native_handle(), [](const SSL* /* ssl */, const char* line) {
+    SSL_CTX_set_keylog_callback(ctx->native_handle(), [](const SSL* /* ssl */, const char* line) {
       std::ofstream keylog(COUCHBASE_CXX_CLIENT_TLS_KEY_LOG_FILE,
                            std::ios::out | std::ios::app | std::ios::binary);
       keylog << std::string_view(line) << std::endl;
@@ -351,6 +358,101 @@ public:
 #endif
   }
 
+  auto configure_tls_context(const std::shared_ptr<asio::ssl::context>& ctx) -> std::error_code
+  {
+    configure_tls_options(has_capella_host(), ctx);
+
+    if (origin_.options().trust_certificate.empty() &&
+        origin_.options().trust_certificate_value.empty()) {
+      // trust certificate is not explicitly specified
+      CB_LOG_DEBUG(R"([{}]: use default CA for TLS verify)", id_);
+      std::error_code ec{};
+
+      ctx->set_default_verify_paths(ec);
+      if (ec) {
+        CB_LOG_WARNING(R"([{}]: failed to load system CAs: {})", id_, ec.message());
+      }
+
+      ctx->add_certificate_authority(
+        asio::const_buffer(couchbase::core::default_ca::capellaCaCert,
+                           strlen(couchbase::core::default_ca::capellaCaCert)),
+        ec);
+
+      if (ec) {
+        CB_LOG_WARNING("[{}]: unable to load default CAs: {}", id_, ec.message());
+        // we don't consider this fatal and try to continue without it
+      }
+
+      if (const auto certificates = default_ca::mozilla_ca_certs();
+          !origin_.options().disable_mozilla_ca_certificates && !certificates.empty()) {
+        CB_LOG_DEBUG("[{}]: loading {} CA certificates from Mozilla bundle. Update date: \"{}\", "
+                     "SHA256: \"{}\"",
+                     id_,
+                     certificates.size(),
+                     default_ca::mozilla_ca_certs_date(),
+                     default_ca::mozilla_ca_certs_sha256());
+        for (const auto& cert : certificates) {
+          ctx->add_certificate_authority(asio::const_buffer(cert.body.data(), cert.body.size()),
+                                         ec);
+          if (ec) {
+            CB_LOG_WARNING("[{}]: unable to load CA \"{}\" from Mozilla bundle: {}",
+                           id_,
+                           cert.authority,
+                           ec.message());
+          }
+        }
+      }
+    } else { // trust certificate is explicitly specified
+      std::error_code ec{};
+      // load only the explicit certificate
+      // system and default capella certificates are not loaded
+      if (!origin_.options().trust_certificate_value.empty()) {
+        CB_LOG_DEBUG(R"([{}]: use TLS certificate passed through via options object)", id_);
+        ctx->add_certificate_authority(
+          asio::const_buffer(origin_.options().trust_certificate_value.data(),
+                             origin_.options().trust_certificate_value.size()),
+          ec);
+        if (ec) {
+          CB_LOG_WARNING(
+            "[{}]: unable to load CA passed via options object: {}", id_, ec.message());
+        }
+      }
+      if (!origin_.options().trust_certificate.empty()) {
+        CB_LOG_DEBUG(
+          R"([{}]: use TLS verify file: "{}")", id_, origin_.options().trust_certificate);
+        ctx->load_verify_file(origin_.options().trust_certificate, ec);
+        if (ec) {
+          CB_LOG_ERROR("[{}]: unable to load verify file \"{}\": {}",
+                       id_,
+                       origin_.options().trust_certificate,
+                       ec.message());
+          return ec;
+        }
+      }
+    }
+    if (origin_.credentials().uses_certificate()) {
+      std::error_code ec{};
+      CB_LOG_DEBUG(R"([{}]: use TLS certificate chain: "{}")", id_, origin_.certificate_path());
+      ctx->use_certificate_chain_file(origin_.certificate_path(), ec);
+      if (ec) {
+        CB_LOG_ERROR("[{}]: unable to load certificate chain \"{}\": {}",
+                     id_,
+                     origin_.certificate_path(),
+                     ec.message());
+        return ec;
+      }
+      CB_LOG_DEBUG(R"([{}]: use TLS private key: "{}")", id_, origin_.key_path());
+      ctx->use_private_key_file(origin_.key_path(), asio::ssl::context::file_format::pem, ec);
+      if (ec) {
+        CB_LOG_ERROR(
+          "[{}]: unable to load private key \"{}\": {}", id_, origin_.key_path(), ec.message());
+
+        return ec;
+      }
+    }
+    return {};
+  }
+
   void open(couchbase::core::origin origin,
             utils::movable_function<void(std::error_code)>&& handler)
   {
@@ -468,6 +570,7 @@ public:
                                      tls_,
                                      tracer_,
                                      meter_,
+                                     orphan_reporter_,
                                      app_telemetry_meter_,
                                      bucket_name,
                                      origin,
@@ -476,8 +579,7 @@ public:
         buckets_.try_emplace(bucket_name, b);
 
         // Register the tracer & the meter for config updates to track Cluster name & UUID
-        b->on_configuration_update(tracer_);
-        b->on_configuration_update(meter_);
+        b->on_configuration_update(cluster_label_listener_);
         b->on_configuration_update(app_telemetry_reporter_);
       }
     }
@@ -519,6 +621,50 @@ public:
     return handler({});
   }
 
+  auto update_credentials(const cluster_credentials& auth) -> core::error
+  {
+    if (stopped_) {
+      return { errc::network::cluster_closed, {} };
+    }
+
+    auto old_credentials = origin_.credentials();
+
+    if (!old_credentials.is_same_type(auth)) {
+      return { errc::common::invalid_argument,
+               "Cannot change authenticator type when updating credentials" };
+    }
+
+    origin_.update_credentials(auth);
+
+    // Separately update bucket and mcbp sessions as they have their own copies of the origin
+    for_each_bucket([&auth](const std::shared_ptr<bucket>& bucket) {
+      bucket->update_credentials(auth);
+    });
+    for_each_mcbp_session([&auth](auto& session) {
+      session.update_credentials(auth);
+    });
+
+    if (auth.requires_tls()) {
+      // Recreate and atomically swap the TLS context, existing sessions should continue to use the
+      // old one.
+      const auto new_ctx = std::make_shared<asio::ssl::context>(asio::ssl::context::tls_client);
+      auto ec = configure_tls_context(new_ctx);
+      if (ec) {
+        // Revert origin's credentials as these will not be synced to the active TLS context
+        origin_.update_credentials(old_credentials);
+        return { ec, {} };
+      }
+      tls_.set_ctx(new_ctx);
+    }
+
+    if (auth.uses_jwt()) {
+      for_each_mcbp_session([](auto& session) {
+        session.reauthenticate();
+      });
+    }
+    return {};
+  }
+
   auto origin() const -> std::pair<std::error_code, couchbase::core::origin>
   {
     if (stopped_) {
@@ -578,8 +724,7 @@ public:
     if constexpr (operations::is_compound_operation_v<Request>) {
       return request.execute(shared_from_this(), std::forward<Handler>(handler));
     } else {
-      return session_manager_->execute(
-        std::move(request), std::forward<Handler>(handler), origin_.credentials());
+      return session_manager_->execute(std::move(request), std::forward<Handler>(handler));
     }
   }
 
@@ -632,6 +777,19 @@ public:
     return bucket->second;
   }
 
+  void for_each_mcbp_session(utils::movable_function<void(io::mcbp_session&)> handler)
+  {
+    if (session_) {
+      handler(session_.value());
+    }
+
+    for_each_bucket([&handler](const std::shared_ptr<bucket>& bucket) {
+      bucket->for_each_session([&handler](io::mcbp_session& session) {
+        handler(session);
+      });
+    });
+  }
+
   void for_each_bucket(utils::movable_function<void(std::shared_ptr<bucket>)> handler)
   {
     std::vector<std::shared_ptr<bucket>> buckets{};
@@ -658,19 +816,8 @@ public:
     }
 
     // Warn users if they attempt to use Capella without TLS being enabled.
-    bool has_capella_host = false;
     {
-      bool has_non_capella_host = false;
-      static const std::string suffix = "cloud.couchbase.com";
-      for (const auto& node : origin_.get_hostnames()) {
-        if (auto pos = node.find(suffix);
-            pos != std::string::npos && pos + suffix.size() == node.size()) {
-          has_capella_host = true;
-        } else {
-          has_non_capella_host = true;
-        }
-      }
-
+      auto has_capella_host = this->has_capella_host();
       if (has_capella_host && !origin_.options().enable_tls) {
         CB_LOG_WARNING("[{}]: TLS is required when connecting to Couchbase Capella. Please enable "
                        "TLS by prefixing "
@@ -684,7 +831,7 @@ public:
           && origin_.options().trust_certificate_value.empty()     /* and certificate value has not been specified */
           && origin_.options().tls_verify != tls_verify_mode::none /* The user did not disable all TLS verification */
           &&
-          has_non_capella_host /* The connection string has a hostname that does NOT end in ".cloud.couchbase.com" */) {
+          !has_capella_host /* The connection string has a hostname that does NOT end in ".cloud.couchbase.com" */) {
         CB_LOG_WARNING("[{}] When TLS is enabled, the cluster options must specify certificate(s) "
                        "to trust or ensure that they are "
                        "available in system CA store. (Unless connecting to cloud.couchbase.com.)",
@@ -693,113 +840,16 @@ public:
     }
 
     if (origin_.options().enable_tls) {
-      configure_tls_options(has_capella_host);
-
-      if (origin_.options().trust_certificate.empty() &&
-          origin_.options()
-            .trust_certificate_value.empty()) { // trust certificate is not explicitly specified
-        CB_LOG_DEBUG(R"([{}]: use default CA for TLS verify)", id_);
-        std::error_code ec{};
-
-        // load system certificates
-        tls_.set_default_verify_paths(ec);
-        if (ec) {
-          CB_LOG_WARNING(R"([{}]: failed to load system CAs: {})", id_, ec.message());
-        }
-
-        // add the Capella Root CA in addition to system CAs
-        tls_.add_certificate_authority(
-          asio::const_buffer(couchbase::core::default_ca::capellaCaCert,
-                             strlen(couchbase::core::default_ca::capellaCaCert)),
-          ec);
-        if (ec) {
-          CB_LOG_WARNING("[{}]: unable to load default CAs: {}", id_, ec.message());
-          // we don't consider this fatal and try to continue without it
-        }
-
-        if (const auto certificates = default_ca::mozilla_ca_certs();
-            !origin_.options().disable_mozilla_ca_certificates && !certificates.empty()) {
-          CB_LOG_DEBUG("[{}]: loading {} CA certificates from Mozilla bundle. Update date: \"{}\", "
-                       "SHA256: \"{}\"",
-                       id_,
-                       certificates.size(),
-                       default_ca::mozilla_ca_certs_date(),
-                       default_ca::mozilla_ca_certs_sha256());
-          for (const auto& cert : certificates) {
-            tls_.add_certificate_authority(asio::const_buffer(cert.body.data(), cert.body.size()),
-                                           ec);
-            if (ec) {
-              CB_LOG_WARNING("[{}]: unable to load CA \"{}\" from Mozilla bundle: {}",
-                             id_,
-                             cert.authority,
-                             ec.message());
-            }
-          }
-        }
-      } else { // trust certificate is explicitly specified
-        std::error_code ec{};
-        // load only the explicit certificate
-        // system and default capella certificates are not loaded
-        if (!origin_.options().trust_certificate_value.empty()) {
-          CB_LOG_DEBUG(R"([{}]: use TLS certificate passed through via options object)", id_);
-          tls_.add_certificate_authority(
-            asio::const_buffer(origin_.options().trust_certificate_value.data(),
-                               origin_.options().trust_certificate_value.size()),
-            ec);
-          if (ec) {
-            CB_LOG_WARNING(
-              "[{}]: unable to load CA passed via options object: {}", id_, ec.message());
-          }
-        }
-        if (!origin_.options().trust_certificate.empty()) {
-          CB_LOG_DEBUG(
-            R"([{}]: use TLS verify file: "{}")", id_, origin_.options().trust_certificate);
-          tls_.load_verify_file(origin_.options().trust_certificate, ec);
-          if (ec) {
-            CB_LOG_ERROR("[{}]: unable to load verify file \"{}\": {}",
-                         id_,
-                         origin_.options().trust_certificate,
-                         ec.message());
-#ifdef __clang_analyzer__
-            // TODO(CXXCBC-549): clang-tidy-19 reports potential memory leak here
-            [[clang::suppress]]
-#endif
-            return close([ec, handler = std::move(handler)]() mutable {
-              return handler(ec);
-            });
-          }
-        }
-      }
-      if (origin_.credentials().uses_certificate()) {
-        std::error_code ec{};
-        CB_LOG_DEBUG(R"([{}]: use TLS certificate chain: "{}")", id_, origin_.certificate_path());
-        tls_.use_certificate_chain_file(origin_.certificate_path(), ec);
-        if (ec) {
-          CB_LOG_ERROR("[{}]: unable to load certificate chain \"{}\": {}",
-                       id_,
-                       origin_.certificate_path(),
-                       ec.message());
-#ifdef __clang_analyzer__
-          // TODO(CXXCBC-549): clang-tidy-19 reports potential memory leak here
-          [[clang::suppress]]
-#endif
-          return close([ec, handler = std::move(handler)]() mutable {
-            return handler(ec);
-          });
-        }
-        CB_LOG_DEBUG(R"([{}]: use TLS private key: "{}")", id_, origin_.key_path());
-        tls_.use_private_key_file(origin_.key_path(), asio::ssl::context::file_format::pem, ec);
-        if (ec) {
-          CB_LOG_ERROR(
-            "[{}]: unable to load private key \"{}\": {}", id_, origin_.key_path(), ec.message());
+      const auto ctx = tls_.get_ctx();
+      auto ec = configure_tls_context(ctx);
+      if (ec) {
 #ifdef __clang_analyzer__
-          // TODO(CXXCBC-549): clang-tidy-19 reports potential memory leak here
-          [[clang::suppress]]
+        // TODO(CXXCBC-549): clang-tidy-19 reports potential memory leak here
+        [[clang::suppress]]
 #endif
-          return close([ec, handler = std::move(handler)]() mutable {
-            return handler(ec);
-          });
-        }
+        return close([ec, handler = std::move(handler)]() mutable {
+          return handler(ec);
+        });
       }
       session_ = io::mcbp_session(id_, {}, ctx_, tls_, origin_, dns_srv_tracker_);
     } else {
@@ -833,7 +883,9 @@ public:
         self->session_manager_->set_configuration(config, self->origin_.options());
         self->session_->on_configuration_update(self->session_manager_);
         self->session_->on_configuration_update(self->app_telemetry_reporter_);
+        self->session_->on_configuration_update(self->cluster_label_listener_);
         self->app_telemetry_reporter_->update_config(config);
+        self->cluster_label_listener_->update_config(config);
         self->session_->on_stop([self]() {
           if (self->session_) {
             self->session_.reset();
@@ -859,11 +911,12 @@ public:
     // TODO(JC): retries on more failures?  Right now only retry if load_verify_file() fails...
 
     // Disables TLS v1.2 which should be okay cloud/columnar default.
-    configure_tls_options(true);
+    auto ctx = tls_.get_ctx();
+    configure_tls_options(true, ctx);
     if (origin_.options().security_options.trust_only_capella) {
       std::error_code ec{};
       CB_LOG_DEBUG(R"([{}]: use Capella CA for TLS verify)", id_);
-      tls_.add_certificate_authority(
+      ctx->add_certificate_authority(
         asio::const_buffer(couchbase::core::default_ca::capellaCaCert,
                            strlen(couchbase::core::default_ca::capellaCaCert)),
         ec);
@@ -889,7 +942,7 @@ public:
       // system and default capella certificates are not loaded
       if (!origin_.options().trust_certificate_value.empty()) {
         CB_LOG_DEBUG(R"([{}]: use TLS certificate passed through via options object)", id_);
-        tls_.add_certificate_authority(
+        ctx->add_certificate_authority(
           asio::const_buffer(origin_.options().trust_certificate_value.data(),
                              origin_.options().trust_certificate_value.size()),
           ec);
@@ -901,7 +954,7 @@ public:
       if (!origin_.options().trust_certificate.empty()) {
         CB_LOG_DEBUG(
           R"([{}]: use TLS verify file: "{}")", id_, origin_.options().trust_certificate);
-        tls_.load_verify_file(origin_.options().trust_certificate, ec);
+        ctx->load_verify_file(origin_.options().trust_certificate, ec);
         if (ec) {
           CB_LOG_ERROR("[{}]: unable to load verify file \"{}\": {}",
                        id_,
@@ -920,7 +973,7 @@ public:
       CB_LOG_DEBUG(R"([{}]: use default CA for TLS verify)", id_);
       std::error_code ec{};
       // load system certificates
-      tls_.set_default_verify_paths(ec);
+      ctx->set_default_verify_paths(ec);
       if (ec) {
         CB_LOG_WARNING(R"([{}]: failed to load system CAs: {})", id_, ec.message());
       }
@@ -930,7 +983,7 @@ public:
                    id_,
                    origin_.options().security_options.trust_only_certificates.size());
       for (const auto& cert : origin_.options().security_options.trust_only_certificates) {
-        tls_.add_certificate_authority(asio::const_buffer(cert.data(), cert.size()), ec);
+        ctx->add_certificate_authority(asio::const_buffer(cert.data(), cert.size()), ec);
         if (ec) {
           CB_LOG_WARNING("[{}]: unable to load CA: {}", id_, ec.message());
         }
@@ -1098,8 +1151,7 @@ public:
               bucket->ping(collector, timeout);
             });
           }
-          cluster->session_manager_->ping(
-            services, timeout, collector, cluster->origin_.credentials());
+          cluster->session_manager_->ping(services, timeout, collector);
         }
       }));
   }
@@ -1155,22 +1207,25 @@ public:
         for (const auto& [_, bucket] : buckets) {
           bucket->close();
         }
-        if (auto session_manager = std::move(self->session_manager_); session_manager) {
+        if (const auto session_manager = std::move(self->session_manager_); session_manager) {
           session_manager->close();
         }
         self->work_.reset();
-        if (auto tracer = std::move(self->tracer_); tracer) {
+        if (const auto tracer = std::move(self->tracer_); tracer) {
           tracer->stop();
         }
-        if (auto meter = std::move(self->meter_); meter) {
+        if (const auto meter = std::move(self->meter_); meter) {
           meter->stop();
         }
-        if (auto meter = std::move(self->app_telemetry_meter_); meter) {
+        if (const auto meter = std::move(self->app_telemetry_meter_); meter) {
           meter->disable();
         }
-        if (auto reporter = std::move(self->app_telemetry_reporter_); reporter) {
+        if (const auto reporter = std::move(self->app_telemetry_reporter_); reporter) {
           reporter->stop();
         }
+        if (const auto orphan_reporter = std::move(self->orphan_reporter_); orphan_reporter) {
+          orphan_reporter->stop();
+        }
         handler();
       }));
   }
@@ -1233,31 +1288,50 @@ public:
     return { {}, session_manager_ };
   }
 
+  auto tracer() const -> const std::shared_ptr<tracing::tracer_wrapper>&
+  {
+    return tracer_;
+  }
+
+  auto meter() const -> const std::shared_ptr<metrics::meter_wrapper>&
+  {
+    return meter_;
+  }
+
+  auto cluster_label_listener() -> const std::shared_ptr<cluster_label_listener>&
+  {
+    return cluster_label_listener_;
+  }
+
 private:
   void setup_observability()
   {
     // ignore the enable_tracing flag if a tracer was passed in
     if (nullptr != origin_.options().tracer) {
-      tracer_ = tracing::tracer_wrapper::create(origin_.options().tracer);
+      tracer_ = tracing::tracer_wrapper::create(origin_.options().tracer, cluster_label_listener_);
     } else {
       if (origin_.options().enable_tracing) {
         tracer_ =
           tracing::tracer_wrapper::create(std::make_shared<tracing::threshold_logging_tracer>(
-            ctx_, origin_.options().tracing_options));
+                                            ctx_, origin_.options().tracing_options),
+                                          cluster_label_listener_);
       } else {
-        tracer_ = tracing::tracer_wrapper::create(std::make_shared<tracing::noop_tracer>());
+        tracer_ = tracing::tracer_wrapper::create(std::make_shared<tracing::noop_tracer>(),
+                                                  cluster_label_listener_);
       }
     }
     tracer_->start();
     // ignore the metrics options if a meter was passed in.
     if (nullptr != origin_.options().meter) {
-      meter_ = metrics::meter_wrapper::create(origin_.options().meter);
+      meter_ = metrics::meter_wrapper::create(origin_.options().meter, cluster_label_listener_);
     } else {
       if (origin_.options().enable_metrics) {
         meter_ = metrics::meter_wrapper::create(
-          std::make_shared<metrics::logging_meter>(ctx_, origin_.options().metrics_options));
+          std::make_shared<metrics::logging_meter>(ctx_, origin_.options().metrics_options),
+          cluster_label_listener_);
       } else {
-        meter_ = metrics::meter_wrapper::create(std::make_shared<metrics::noop_meter>());
+        meter_ = metrics::meter_wrapper::create(std::make_shared<metrics::noop_meter>(),
+                                                cluster_label_listener_);
       }
     }
     meter_->start();
@@ -1267,14 +1341,32 @@ private:
 
     app_telemetry_meter_->update_agent(origin_.options().user_agent_extra);
     session_manager_->set_app_telemetry_meter(app_telemetry_meter_);
-    app_telemetry_reporter_ = std::make_shared<app_telemetry_reporter>(
-      app_telemetry_meter_, origin_.options(), origin_.credentials(), ctx_, tls_);
+    app_telemetry_reporter_ =
+      std::make_shared<app_telemetry_reporter>(app_telemetry_meter_, origin_, ctx_, tls_);
+
+    if (origin_.options().enable_orphan_reporting) {
+      orphan_reporter_ = std::make_shared<orphan_reporter>(ctx_, origin_.options().orphan_options);
+      orphan_reporter_->start();
+    }
+  }
+
+  auto has_capella_host() const -> bool
+  {
+    bool has_capella_host = false;
+    static const std::string suffix = "cloud.couchbase.com";
+    for (const auto& node : origin_.get_hostnames()) {
+      if (auto pos = node.find(suffix);
+          pos != std::string::npos && pos + suffix.size() == node.size()) {
+        has_capella_host = true;
+      }
+    }
+    return has_capella_host;
   }
 
   std::string id_{ uuid::to_string(uuid::random()) };
   asio::io_context& ctx_;
   asio::executor_work_guard<asio::io_context::executor_type> work_;
-  asio::ssl::context tls_{ asio::ssl::context::tls_client };
+  tls_context_provider tls_{};
   std::shared_ptr<io::http_session_manager> session_manager_;
   std::shared_ptr<app_telemetry_reporter> app_telemetry_reporter_{};
   std::optional<io::mcbp_session> session_{};
@@ -1282,8 +1374,12 @@ private:
   std::mutex buckets_mutex_{};
   std::map<std::string, std::shared_ptr<bucket>> buckets_{};
   couchbase::core::origin origin_{};
+  std::shared_ptr<class cluster_label_listener> cluster_label_listener_{
+    std::make_shared<class cluster_label_listener>()
+  };
   std::shared_ptr<tracing::tracer_wrapper> tracer_{ nullptr };
   std::shared_ptr<metrics::meter_wrapper> meter_{ nullptr };
+  std::shared_ptr<orphan_reporter> orphan_reporter_{ nullptr };
   std::atomic_bool stopped_{ false };
   std::shared_ptr<core::app_telemetry_meter> app_telemetry_meter_{
     std::make_shared<core::app_telemetry_meter>()
@@ -1417,6 +1513,15 @@ cluster::origin() const -> std::pair<std::error_code, couchbase::core::origin>
   return { errc::network::cluster_closed, {} };
 }
 
+auto
+cluster::update_credentials(const core::cluster_credentials& auth) const -> core::error
+{
+  if (impl_) {
+    return impl_->update_credentials(auth);
+  }
+  return { errc::network::cluster_closed, {} };
+}
+
 auto
 cluster::io_context() const -> asio::io_context&
 {
@@ -2376,6 +2481,34 @@ cluster::execute(impl::lookup_in_replica_request request,
   return impl_->execute(std::move(request), std::move(handler));
 }
 
+void
+cluster::execute(operations::lookup_in_replica_request_with_cancellation request,
+                 utils::movable_function<void(impl::lookup_in_replica_response)>&& handler) const
+{
+  return impl_->execute(std::move(request), std::move(handler));
+}
+
+void
+cluster::execute(operations::lookup_in_request_with_cancellation request,
+                 utils::movable_function<void(operations::lookup_in_response)>&& handler) const
+{
+  return impl_->execute(std::move(request), std::move(handler));
+}
+
+void
+cluster::execute(operations::get_replica_request_with_cancellation request,
+                 utils::movable_function<void(impl::get_replica_response)>&& handler) const
+{
+  return impl_->execute(std::move(request), std::move(handler));
+}
+
+void
+cluster::execute(operations::get_request_with_cancellation request,
+                 utils::movable_function<void(operations::get_response)>&& handler) const
+{
+  return impl_->execute(std::move(request), std::move(handler));
+}
+
 auto
 cluster::http_session_manager() const
   -> std::pair<std::error_code, std::shared_ptr<io::http_session_manager>>
@@ -2391,4 +2524,23 @@ cluster::to_string() const -> std::string
                      impl_ ? static_cast<const void*>(impl_.get()) : "(none)",
                      impl_ ? std::to_string(impl_.use_count()) : "(none)");
 }
+
+auto
+cluster::tracer() const -> const std::shared_ptr<tracing::tracer_wrapper>&
+{
+  return impl_->tracer();
+}
+
+auto
+cluster::meter() const -> const std::shared_ptr<metrics::meter_wrapper>&
+{
+  return impl_->meter();
+}
+
+auto
+cluster::cluster_label_listener() const -> const std::shared_ptr<core::cluster_label_listener>&
+{
+  return impl_->cluster_label_listener();
+}
+
 } // namespace couchbase::core