From 16e7fd496541ef8b889095249492d4597e65b0d5 Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Fri, 18 Nov 2022 15:38:22 -0500
Subject: [PATCH] Merge pull request #1743 from hashicorp/as/system-ca-fix Add fix for api-gateway when using system-wide trusted CAs for external servers
---
 CHANGELOG.md | 6 ++++++
 .../api-gateway-controller-deployment.bats | 21 +++++++++++++++++--
 2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2d7e3d6198..8565dd7e95 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## UNRELEASED
+
+BUG FIXES:
+* Helm:
+ * Don't pass in a CA file to the API Gateway controller when `externalServers.useSystemRoots` is `true`. [[GH-1743](https://github.com/hashicorp/consul-k8s/pull/1743)]
+
 ## 1.0.0 (November 17, 2022)
 
 BREAKING CHANGES:
diff --git a/charts/consul/test/unit/api-gateway-controller-deployment.bats b/charts/consul/test/unit/api-gateway-controller-deployment.bats
index b61486c2ed..5f00cb65a0 100755
--- a/charts/consul/test/unit/api-gateway-controller-deployment.bats
+++ b/charts/consul/test/unit/api-gateway-controller-deployment.bats
@@ -1377,6 +1377,7 @@ load _helpers
 -s templates/api-gateway-controller-deployment.yaml \
 --set 'apiGateway.enabled=true' \
 --set 'apiGateway.image=bar' \
+ --set 'global.tls.enabled=true' \
 --set 'server.enabled=false' \
 --set 'externalServers.hosts[0]=external-consul.host' \
 --set 'externalServers.enabled=true' \
@@ -1384,7 +1385,20 @@ load _helpers
 --set 'client.enabled=true' \
 . | tee /dev/stderr |
 yq '.spec.template.spec.containers[0].env[0].name == "CONSUL_CACERT"' | tee /dev/stderr)
- [ "${actual}" = "false" ]
+ [ "${actual}" = "true" ]
+}
+
+@test "apiGateway/Deployment: CONSUL_CACERT is set when using tls and internal servers" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/api-gateway-controller-deployment.yaml \
+ --set 'apiGateway.enabled=true' \
+ --set 'apiGateway.image=bar' \
+ --set 'global.tls.enabled=true' \
+ --set 'server.enabled=true' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].env[0].name == "CONSUL_CACERT"' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
 }
 
 @test "apiGateway/Deployment: CONSUL_CACERT is not set when using tls and useSystemRoots" {
@@ -1395,7 +1409,10 @@ load _helpers
 --set 'apiGateway.image=bar' \
 --set 'global.tls.enabled=true' \
 --set 'server.enabled=false' \
+ --set 'externalServers.hosts[0]=external-consul.host' \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.useSystemRoots=true' \
 . | tee /dev/stderr |
 yq '.spec.template.spec.containers[0].env[0].name == "CONSUL_CACERT"' | tee /dev/stderr)
- [ "${actual}" = "true" ]
+ [ "${actual}" = "false" ]
 }
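Review bot: The check `.env[0].name == "CONSUL_CACERT"` is positional, and that makes the negative test in the third hunk weak: `[ "${actual}" = "false" ]` passes for any rendering in which CONSUL_CACERT is not the first env entry, including one where the variable is still set at another index. The changelog entry describes this as not passing a CA file to the controller when system roots are meant to be used, so the useSystemRoots case should look at the whole list, for example `yq '[.spec.template.spec.containers[0].env[].name] | any(. == "CONSUL_CACERT")'` (assuming the jq-style yq these tests appear to use). The same expression is used by the test added in this hunk and by the context lines of the test above it, where the positional form is only brittle rather than falsely passing. The first and third test bodies start outside their hunks, so their names and remaining `--set` flags are not visible here.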