From 3f046cf4bd7d51ee508438e0d1d7c4c197425353 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Thu, 9 Sep 2021 15:02:13 -0400 Subject: [PATCH 01/58] Add global.gossipEncryption.autogenerate to values.yaml --- charts/consul/values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index e1c0726deb..6cefddb413 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -143,6 +143,8 @@ global: # secretKey is the key within the Kubernetes secret that holds the gossip # encryption key. secretKey: "" + # autogenerate a gossip encryption key at the given secretName and secretKey. + autogenerate: false # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. # These values are given as `-recursor` flags to Consul servers and clients. From 36918525bbc5aef3b08c3245639362bdb544ad64 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Thu, 9 Sep 2021 15:37:48 -0400 Subject: [PATCH 02/58] Add description of key autogen --- charts/consul/values.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 6cefddb413..f5d8aa745f 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -122,7 +122,10 @@ global: # secretKey are not set, gossip encryption will not be enabled. The secret must # be in the same namespace that Consul is installed into. # - # The secret can be created by running: + # The secret can be generated automatically by setting autogenerate to true. This will create an encryption key + # for you at the given secretName and secretKey. + # + # If you prefer to create your own key, you may do so by running with autogenerate set to false: # # ```shell # $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) 
@@ -135,6 +138,7 @@ global: # gossipEncryption: # secretName: consul-gossip-encryption-key # secretKey: key + # autogenerate: true # ``` gossipEncryption: # secretName is the name of the Kubernetes secret that holds the gossip @@ -144,7 +148,7 @@ global: # encryption key. secretKey: "" # autogenerate a gossip encryption key at the given secretName and secretKey. - autogenerate: false + autogenerate: true # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. # These values are given as `-recursor` flags to Consul servers and clients. From dafd4b23fe6de71fc9c80aa07adbb0d7a413afea Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Thu, 9 Sep 2021 15:38:05 -0400 Subject: [PATCH 03/58] Add initial autogen-encryption-job yaml --- .../templates/autogen-encryption-job.yaml | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 charts/consul/templates/autogen-encryption-job.yaml diff --git a/charts/consul/templates/autogen-encryption-job.yaml b/charts/consul/templates/autogen-encryption-job.yaml new file mode 100644 index 0000000000..7866080498 --- /dev/null +++ b/charts/consul/templates/autogen-encryption-job.yaml 
@@ -0,0 +1,65 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +# autogenerate encryption key for gossip protocol and save in Kubernetes secrets +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-autogen-encryption + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-autogen-encryption + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: autogen-encryption +# NOTE: unsure if I should delete this annotation + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-autogen-encryption + {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} +# NOTE: are there any volumes I will need? 
+ {{- end }} + containers: + - name: autogen-encryption + image: "{{ .Values.global.imageK8S }}" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + workingDir: /tmp + command: + - "/bin/sh" + - "-ec" +# NOTE: this should generate the key using Consul and then use curl to add it to K8s + - | + key=$(consul keygen) # TODO: get consul into this container + echo $key > key.txt +# TODO: yeet this into k8s with curl + {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} +# NOTE: are there any volumeMounts I will need? + {{- end }} +# NOTE: no idea what resources I will need from the node. This is just copied from ./tls-init-job.yaml + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} From 34c6b1ee997312f960572cf654b04d4e3262816a Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Thu, 9 Sep 2021 15:45:17 -0400 Subject: [PATCH 04/58] Fix run condition on autogen --- charts/consul/templates/autogen-encryption-job.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/charts/consul/templates/autogen-encryption-job.yaml b/charts/consul/templates/autogen-encryption-job.yaml index 7866080498..ab2ace1990 100644 --- a/charts/consul/templates/autogen-encryption-job.yaml +++ b/charts/consul/templates/autogen-encryption-job.yaml @@ -1,5 +1,4 @@ -{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} -{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey .Values.global.gossipEncryption.autogenerate) }} # autogenerate encryption key for gossip protocol and save in Kubernetes secrets apiVersion: batch/v1 kind: Job @@ -62,4 +61,3 @@ spec: memory: "50Mi" cpu: "50m" {{- end }} -{{- end }} 
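Review bot: The generated key is written to disk in plaintext by `echo $key > key.txt` (unquoted, under `workingDir: /tmp`), and nothing in the job ever reads that file back, so the key material only lingers in the pod's writable layer — and because `hook-delete-policy` is `hook-succeeded`, a failed run leaves that pod and the file behind. Keep the key in the shell variable for the lifetime of the script and drop the file: `key=$(consul keygen)` is all that is needed before the API call, and the value should never be echoed. `serviceAccountName: …-autogen-encryption` refers to a ServiceAccount that no file in this commit creates, so the pod will not schedule until one exists, together with a namespace-scoped Role that grants only `get`/`create` on `secrets`. The script is a placeholder at this point, so the API write itself is not reviewable yet.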
From bce6ed7a6eeb6d48c997afb26072f5238c3535da Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Tue, 14 Sep 2021 14:15:29 -0400 Subject: [PATCH 05/58] autogen is false by default --- charts/consul/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index f5d8aa745f..b7a996e4a8 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -148,7 +148,8 @@ global: # encryption key. secretKey: "" # autogenerate a gossip encryption key at the given secretName and secretKey. - autogenerate: true + autogenerate: false + # If user supplies autogen true and name or key are empty make our own names # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. # These values are given as `-recursor` flags to Consul servers and clients. From f1d4bccb720c54a2ad155b882be32c21ac04b11f Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Tue, 14 Sep 2021 14:16:39 -0400 Subject: [PATCH 06/58] Set secretName/Key correctly, flesh out curling k8s a bit --- .../templates/autogen-encryption-job.yaml | 38 ++++++++++++------- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/charts/consul/templates/autogen-encryption-job.yaml b/charts/consul/templates/autogen-encryption-job.yaml index ab2ace1990..7e7639c0e3 100644 --- a/charts/consul/templates/autogen-encryption-job.yaml +++ b/charts/consul/templates/autogen-encryption-job.yaml @@ -1,4 +1,4 @@ -{{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey .Values.global.gossipEncryption.autogenerate) }} +{{- if .Values.global.gossipEncryption.autogenerate }} # autogenerate encryption key for gossip protocol and save in Kubernetes secrets apiVersion: batch/v1 kind: Job 
@@ -23,18 +23,14 @@ spec: chart: {{ template "consul.chart" . }} release: {{ .Release.Name }} component: autogen-encryption -# NOTE: unsure if I should delete this annotation annotations: "consul.hashicorp.com/connect-inject": "false" spec: restartPolicy: Never serviceAccountName: {{ template "consul.fullname" . }}-autogen-encryption - {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} -# NOTE: are there any volumes I will need? - {{- end }} containers: - name: autogen-encryption - image: "{{ .Values.global.imageK8S }}" + image: "{{ .Values.global.image }}" env: - name: NAMESPACE valueFrom: 
@@ -44,15 +40,29 @@ spec: command: - "/bin/sh" - "-ec" -# NOTE: this should generate the key using Consul and then use curl to add it to K8s - | - key=$(consul keygen) # TODO: get consul into this container - echo $key > key.txt -# TODO: yeet this into k8s with curl - {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} -# NOTE: are there any volumeMounts I will need? - {{- end }} -# NOTE: no idea what resources I will need from the node. This is just copied from ./tls-init-job.yaml + $(consul keygen) > key.txt + {{- if .Values.global.gossipEncryption.secretName }} + secretName={{ .Values.global.gossipEncryption.secretName }} + {{- else }} + secretName={{ template "consul.fullname" . }}-gossip-encryption-key + {{- end }} + {{- if .Values.global.gossipEncryption.secretKey }} + secretKey={{ .Values.global.gossipEncryption.secretKey }} + {{- else }} + secretKey=key + {{- end }} + # Check if secret already exists + curl -s -X GET --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/${secretName}/data/${secretKey} + # If secret does not exist, create it + curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \ + -H "Content-Type: application/json" \ + -H "Accept: application/json" \ + # TODO put the key in a secret + -d "{ \"kind\": \"Secret\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"${secretName}\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"Opaque\", \"data\": { }}" > /dev/null resources: requests: memory: "50Mi" From 7ac9c936b600067f9fef521cb2a7d59fc64ea563 Mon Sep 17 00:00:00 2001 
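Review bot: `$(consul keygen) > key.txt` runs the generated key as a command instead of capturing it — the substitution sits in command position, so `sh -ec` tries to execute a base64 string and the job aborts before it reaches the API. The `# TODO put the key in a secret` line sits inside a backslash-continued `curl` call, which turns the rest of that command into a comment and leaves `-d "{…}" > /dev/null` to run as its own (nonexistent) command. The existence check sends no bearer token, targets `/secrets/<name>/data/<key>` (not a path the Kubernetes API serves), and its exit status is ignored, so the POST always runs; on a `pre-upgrade` hook that means a fresh key on every `helm upgrade`, which would split the gossip ring between agents that still hold the old key and those that pick up the new one. The Helm values are also interpolated into the shell unquoted (`secretName={{ … }}`). The rewrite below captures the key, gates creation on an authenticated `-f` GET, and sends the key through `stringData` so it is not base64-encoded twice.
```yaml
          - |
            key=$(consul keygen)
            # … unchanged: secretName / secretKey selection (quote the interpolated values) …
            sa=/var/run/secrets/kubernetes.io/serviceaccount
            api="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"
            auth="Authorization: Bearer $(cat "${sa}/token")"
            # Never replace an existing key: agents still running with the old one could
            # no longer gossip with agents that pick up the new one.
            if curl -sf --cacert "${sa}/ca.crt" -H "${auth}" \
                "${api}/api/v1/namespaces/${NAMESPACE}/secrets/${secretName}" > /dev/null; then
              echo "secret ${secretName} already exists; not regenerating the gossip key"
              exit 0
            fi
            curl -sf --cacert "${sa}/ca.crt" -X POST -H "${auth}" \
              -H "Content-Type: application/json" -H "Accept: application/json" \
              "${api}/api/v1/namespaces/${NAMESPACE}/secrets" \
              -d "{\"kind\":\"Secret\",\"apiVersion\":\"v1\",\"metadata\":{\"name\":\"${secretName}\"},\"type\":\"Opaque\",\"stringData\":{\"${secretKey}\":\"${key}\"}}" > /dev/null
```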
From: Thomas Eckert Date: Tue, 14 Sep 2021 15:19:29 -0400 Subject: [PATCH 07/58] Add some basic bats tests --- .../test/unit/autogen-encryption-job.bats | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 charts/consul/test/unit/autogen-encryption-job.bats diff --git a/charts/consul/test/unit/autogen-encryption-job.bats b/charts/consul/test/unit/autogen-encryption-job.bats new file mode 100644 index 0000000000..0c1d73e1f0 --- /dev/null +++ b/charts/consul/test/unit/autogen-encryption-job.bats @@ -0,0 +1,33 @@ +#!/usr/bin/env bats + +load _helpers + +@test "autogenEncryption/Job: disabled by default" { + cd `chart_dir` + assert_empty helm template \ + -s templates/autogen-encryption-job.yaml \ + . +} + +@test "autogenEncryption/Job: enabled with global.gossipEncryption.autogenerate=true" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/autogen-encryption-job.yaml \ + --set 'global.gossipEncryption.autogenerate=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "autogenEncryption/Job: disabled when global.gossipEncryption.autogenerate=false" { + cd `chart_dir` + assert_empty helm template \ + -s templates/autogen-encryption-job.yaml \ + --set 'global.gossipEncryption.autogenerate=false' \ + . +} + +# TODO test when user sets secretKey +# TODO test when user sets secretName +# TODO test when user sets secretKey and secretName +# TODO test when user does not set either From c864232283910481c534a1a4760d23fd862fda8e Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Tue, 14 Sep 2021 16:21:36 -0400 Subject: [PATCH 08/58] Add tests for user set values for secretName and secretKey --- .../test/unit/autogen-encryption-job.bats | 48 +++++++++++++++++-- 1 file changed, 44 insertions(+), 4 deletions(-) diff --git a/charts/consul/test/unit/autogen-encryption-job.bats b/charts/consul/test/unit/autogen-encryption-job.bats index 0c1d73e1f0..7f5dac2d43 100644 
--- a/charts/consul/test/unit/autogen-encryption-job.bats +++ b/charts/consul/test/unit/autogen-encryption-job.bats 
@@ -27,7 +27,47 @@ load _helpers . } -# TODO test when user sets secretKey -# TODO test when user sets secretName -# TODO test when user sets secretKey and secretName -# TODO test when user does not set either +@test "autogenEncryption/Job: secretName and secretKey set by user are respected" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/autogen-encryption-job.yaml \ + --set 'global.gossipEncryption.autogenerate=true' \ + --set 'global.gossipEncryption.secretName=userName' \ + --set 'global.gossipEncryption.secretKey=userKey' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[0].command | any(contains("secretName=userName\nsecretKey=userKey"))' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "autogenEncryption/Job: secretKey set by user is respected while secretName is generated" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/autogen-encryption-job.yaml \ + --set 'global.gossipEncryption.autogenerate=true' \ + --set 'global.gossipEncryption.secretKey=userKey' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[0].command | any(contains("secretName=RELEASE-NAME-consul-gossip-encryption-key\nsecretKey=userKey"))' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "autogenEncryption/Job: secretName set by user is respected while secretKey is generated" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/autogen-encryption-job.yaml \ + --set 'global.gossipEncryption.autogenerate=true' \ + --set 'global.gossipEncryption.secretName=userName' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[0].command | any(contains("secretName=userName\nsecretKey=key"))' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "autogenEncryption/Job: secretName and secretKey are generated if not provided" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/autogen-encryption-job.yaml \ + --set 'global.gossipEncryption.autogenerate=true' \ + . 
| tee /dev/stderr | + yq '.spec.template.spec.containers[0].command | any(contains("secretName=RELEASE-NAME-consul-gossip-encryption-key\nsecretKey=key"))' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + From 78b6af9fcd3c1710e3ceb046f163990de71d64f7 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Wed, 15 Sep 2021 17:44:13 -0400 Subject: [PATCH 09/58] Beef up comment for gossip encryption --- charts/consul/values.yaml | 32 ++++++++++---------------------- 1 file changed, 10 insertions(+), 22 deletions(-) diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index b7a996e4a8..c9ea5f46d6 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml 
@@ -117,39 +117,27 @@ global: # created by this chart. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/. enablePodSecurityPolicies: false - # Configures which Kubernetes secret to retrieve Consul's - # gossip encryption key from (see `-encrypt` (https://consul.io/docs/agent/options#_encrypt)). If secretName or - # secretKey are not set, gossip encryption will not be enabled. The secret must - # be in the same namespace that Consul is installed into. - # - # The secret can be generated automatically by setting autogenerate to true. This will create an encryption key - # for you at the given secretName and secretKey. - # - # If you prefer to create your own key, you may do so by running with autogenerate set to false: + # Configures Consul's gossip encryption key, set as a Kubernetes secret + # (see `-encrypt` (https://consul.io/docs/agent/options#_encrypt)). + # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. + # To automatically generate and set a gossip encryption key, set autoGenerate to true. The values for secretName + # and secretKey may be left empty. If values are supplied for these keys, they will be respected. + # To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate + # the gossip key referencing these values. # # ```shell - # $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) + # $ kubectl create secret generic --from-literal==$(consul keygen) # ``` # - # To reference, use: - # - # ```yaml - # global: - # gossipEncryption: - # secretName: consul-gossip-encryption-key - # secretKey: key - # autogenerate: true - # ``` gossipEncryption: + # automatically generate a gossip encryption key and load it as a Kubernetes secret + autoGenerate: false # secretName is the name of the Kubernetes secret that holds the gossip # encryption key. 
The secret must be in the same namespace that Consul is installed into. secretName: "" # secretKey is the key within the Kubernetes secret that holds the gossip # encryption key. secretKey: "" - # autogenerate a gossip encryption key at the given secretName and secretKey. - autogenerate: false - # If user supplies autogen true and name or key are empty make our own names # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. # These values are given as `-recursor` flags to Consul servers and clients. From 27d45ee1ee91718efaaac7c4390a3a2e5ce992ab Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Thu, 16 Sep 2021 13:16:53 -0400 Subject: [PATCH 10/58] Add notes --- charts/consul/templates/autogen-encryption-job.yaml | 4 ++-- charts/consul/templates/server-statefulset.yaml | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/charts/consul/templates/autogen-encryption-job.yaml b/charts/consul/templates/autogen-encryption-job.yaml index 7e7639c0e3..b649e981a4 100644 --- a/charts/consul/templates/autogen-encryption-job.yaml +++ b/charts/consul/templates/autogen-encryption-job.yaml @@ -1,5 +1,5 @@ -{{- if .Values.global.gossipEncryption.autogenerate }} -# autogenerate encryption key for gossip protocol and save in Kubernetes secrets +{{- if .Values.global.gossipEncryption.autoGenerate }} +# automatically generate encryption key for gossip protocol and save in Kubernetes secrets apiVersion: batch/v1 kind: Job metadata: diff --git a/charts/consul/templates/server-statefulset.yaml b/charts/consul/templates/server-statefulset.yaml index 09668f2859..82c17cee9a 100644 --- a/charts/consul/templates/server-statefulset.yaml +++ b/charts/consul/templates/server-statefulset.yaml 
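Review bot: The replacement example `kubectl create secret generic --from-literal==$(consul keygen)` has lost both the secret name and the key name (most likely angle-bracketed placeholders were dropped), so copied verbatim it fails; write it as `$ kubectl create secret generic <secretName> --from-literal=<secretKey>=$(consul keygen)` and keep a short `global.gossipEncryption:` YAML example like the one this hunk removes. The new paragraph also promises that user-supplied `secretName`/`secretKey` "will be respected" when `autoGenerate` is true; that is a contract the job template has to honor, so keep this text in step with whatever the template actually enforces. The rename from `autogenerate` to `autoGenerate` changes the key every early adopter of this branch would have set; a note in the changelog would help.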
@@ -156,6 +156,9 @@ spec: fieldPath: metadata.namespace - name: CONSUL_DISABLE_PERM_MGMT value: "true" +# TODO: properly reference the gossip encryption key here +# if autoencrypt is true OR secretName and secretKey are non null, load the gossip key + {{- if .Values.global.gossipEncryption.autoGenerate }} {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} - name: GOSSIP_KEY valueFrom: From e51616f4ca5f39540c425b61147dd27e8195aba0 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Thu, 16 Sep 2021 13:26:41 -0400 Subject: [PATCH 11/58] Update values.yaml to include autoGenerate --- charts/consul/values.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index c9ea5f46d6..daa06ce42b 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -125,10 +125,9 @@ global: # To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate # the gossip key referencing these values. # - # ```shell - # $ kubectl create secret generic --from-literal==$(consul keygen) # ``` - # + # $ kubectl create secret generic --from-literal==$(consul keygen) + # ``` gossipEncryption: # automatically generate a gossip encryption key and load it as a Kubernetes secret autoGenerate: false From 7133cbe6b670e82d4296e67ec01b96502ffff0bd Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Fri, 17 Sep 2021 13:54:40 -0400 Subject: [PATCH 12/58] Add gossip-encryption-autogen-job.yaml --- .../gossip-encryption-autogen-job.yaml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 charts/consul/templates/gossip-encryption-autogen-job.yaml diff --git a/charts/consul/templates/gossip-encryption-autogen-job.yaml b/charts/consul/templates/gossip-encryption-autogen-job.yaml new file mode 100644 index 0000000000..d3e77bc7d4 --- /dev/null +++ b/charts/consul/templates/gossip-encryption-autogen-job.yaml 
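Review bot: The new `{{- if .Values.global.gossipEncryption.autoGenerate }}` is wrapped around the existing `(and secretName secretKey)` condition rather than combined with it, so `GOSSIP_KEY` is now emitted only when `autoGenerate` is true AND both names are set — the opposite of the TODO comment directly above it, which asks for `autoencrypt is true OR secretName and secretKey are non null`. Use a single condition: `{{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }}`. No matching `{{- end }}` is added in this hunk; the rest of the env block is outside it, so verify the template still renders. The `secretKeyRef` below (also outside the hunk) presumably reads the two values, which are empty in the autoGenerate case and will need to fall back to the generated `<fullname>-gossip-encryption-key` / `key` names the job uses.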
@@ -0,0 +1,21 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +# automatically generate encryption key for gossip protocol and save it in Kubernetes secret +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogen + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": 1 + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogen + From 0bcb7bf94cfd3594a0bb4e0183d401b01b664d16 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Fri, 17 Sep 2021 14:02:55 -0400 Subject: [PATCH 13/58] Port over autogen-encryption-job to gossip-encryption-autogen-job --- .../templates/autogen-encryption-job.yaml | 73 ------------------- .../gossip-encryption-autogen-job.yaml | 56 +++++++++++++- 2 files changed, 54 insertions(+), 75 deletions(-) delete mode 100644 charts/consul/templates/autogen-encryption-job.yaml diff --git a/charts/consul/templates/autogen-encryption-job.yaml b/charts/consul/templates/autogen-encryption-job.yaml deleted file mode 100644 index b649e981a4..0000000000 --- a/charts/consul/templates/autogen-encryption-job.yaml +++ /dev/null 
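Review bot: `"helm.sh/hook-weight": 1` is an unquoted integer, but annotation values must be strings, so the API server rejects the Job and the hook never runs; write `"helm.sh/hook-weight": "1"` as autogen-encryption-job.yaml did. This stub also lists only `pre-install`, so a release that enables `autoGenerate` later via `helm upgrade` would never get a key; if `pre-upgrade` is added back, the job must refuse to overwrite an existing secret. The `spec.template` has no `spec` yet, so the pod definition is presumably coming in a follow-up commit.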
@@ -1,73 +0,0 @@ -{{- if .Values.global.gossipEncryption.autoGenerate }} -# automatically generate encryption key for gossip protocol and save in Kubernetes secrets -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ template "consul.fullname" . }}-autogen-encryption - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "consul.name" . }} - chart: {{ template "consul.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - annotations: - "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-weight": "1" - "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation -spec: - template: - metadata: - name: {{ template "consul.fullname" . }}-autogen-encryption - labels: - app: {{ template "consul.name" . }} - chart: {{ template "consul.chart" . }} - release: {{ .Release.Name }} - component: autogen-encryption - annotations: - "consul.hashicorp.com/connect-inject": "false" - spec: - restartPolicy: Never - serviceAccountName: {{ template "consul.fullname" . }}-autogen-encryption - containers: - - name: autogen-encryption - image: "{{ .Values.global.image }}" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - workingDir: /tmp - command: - - "/bin/sh" - - "-ec" - - | - $(consul keygen) > key.txt - {{- if .Values.global.gossipEncryption.secretName }} - secretName={{ .Values.global.gossipEncryption.secretName }} - {{- else }} - secretName={{ template "consul.fullname" . 
}}-gossip-encryption-key - {{- end }} - {{- if .Values.global.gossipEncryption.secretKey }} - secretKey={{ .Values.global.gossipEncryption.secretKey }} - {{- else }} - secretKey=key - {{- end }} - # Check if secret already exists - curl -s -X GET --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ - https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/${secretName}/data/${secretKey} - # If secret does not exist, create it - curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ - https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \ - -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \ - -H "Content-Type: application/json" \ - -H "Accept: application/json" \ - # TODO put the key in a secret - -d "{ \"kind\": \"Secret\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"${secretName}\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"Opaque\", \"data\": { }}" > /dev/null - resources: - requests: - memory: "50Mi" - cpu: "50m" - limits: - memory: "50Mi" - cpu: "50m" -{{- end }} diff --git a/charts/consul/templates/gossip-encryption-autogen-job.yaml b/charts/consul/templates/gossip-encryption-autogen-job.yaml index d3e77bc7d4..e504a31b29 100644 --- a/charts/consul/templates/gossip-encryption-autogen-job.yaml +++ b/charts/consul/templates/gossip-encryption-autogen-job.yaml 
@@ -11,11 +11,63 @@ metadata: heritage: {{ .Release.Service }} release: {{ .Release.Name }} annotations: - "helm.sh/hook": pre-install + "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-weight": 1 "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation spec: template: metadata: name: {{ template "consul.fullname" . }}-gossip-encryption-autogen - + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: autogen-encryption + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-autogen-encryption + containers: + - name: autogen-encryption + image: "{{ .Values.global.image }}" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + workingDir: /tmp + command: + - "/bin/sh" + - "-ec" + - | + $(consul keygen) > key.txt + {{- if .Values.global.gossipEncryption.secretName }} + secretName={{ .Values.global.gossipEncryption.secretName }} + {{- else }} + secretName={{ template "consul.fullname" . 
}}-gossip-encryption-key + {{- end }} + {{- if .Values.global.gossipEncryption.secretKey }} + secretKey={{ .Values.global.gossipEncryption.secretKey }} + {{- else }} + secretKey=key + {{- end }} + # Check if secret already exists + curl -s -X GET --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/${secretName}/data/${secretKey} + # If secret does not exist, create it + curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \ + -H "Content-Type: application/json" \ + -H "Accept: application/json" \ + # TODO put the key in a secret + -d "{ \"kind\": \"Secret\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"${secretName}\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"Opaque\", \"data\": { }}" > /dev/null + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} From 7392443e513a5f7e950f9f5290b1bcba12910331 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Fri, 17 Sep 2021 14:03:37 -0400 Subject: [PATCH 14/58] Rename autogen-encryption-job.bats to gossip-encryption-autogen-job.bats --- ...gen-encryption-job.bats => gossip-encryption-autogen-job.bats} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename charts/consul/test/unit/{autogen-encryption-job.bats => gossip-encryption-autogen-job.bats} (100%) diff --git a/charts/consul/test/unit/autogen-encryption-job.bats b/charts/consul/test/unit/gossip-encryption-autogen-job.bats similarity index 100% rename from charts/consul/test/unit/autogen-encryption-job.bats rename to charts/consul/test/unit/gossip-encryption-autogen-job.bats From 886c0617a4e52a5d121801e1cf7a116740e35a8f Mon Sep 17 00:00:00 2001 
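Review bot: The Job was renamed to `…-gossip-encryption-autogen` but `serviceAccountName` still says `…-autogen-encryption`, and no ServiceAccount or Role with `get`/`create` on `secrets` appears anywhere in this series yet, so the pod will stay Pending until both exist and the names agree. `"helm.sh/hook-weight": 1` is still an unquoted integer and must be `"1"`. The ported script keeps `$(consul keygen) > key.txt` (the key is executed, not stored), an unauthenticated existence check whose result is never used, and a comment line spliced into the backslash-continued `curl`, so moving it here does not make it runnable. When the Role is added, grant `get` with `resourceNames` limited to the chosen secret and `create` only on `secrets` in `{{ .Release.Namespace }}`.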
From: Thomas Eckert Date: Mon, 20 Sep 2021 14:00:48 -0400 Subject: [PATCH 15/58] Remove change made to statefulset --- charts/consul/templates/server-statefulset.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/charts/consul/templates/server-statefulset.yaml b/charts/consul/templates/server-statefulset.yaml index 82c17cee9a..8e5f9271b0 100644 --- a/charts/consul/templates/server-statefulset.yaml +++ b/charts/consul/templates/server-statefulset.yaml @@ -159,7 +159,6 @@ spec: # TODO: properly reference the gossip encryption key here # if autoencrypt is true OR secretName and secretKey are non null, load the gossip key {{- if .Values.global.gossipEncryption.autoGenerate }} - {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} - name: GOSSIP_KEY valueFrom: secretKeyRef: From fbb9adf83048f5c3994b3a8ac5660aef833719e8 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Mon, 20 Sep 2021 14:01:06 -0400 Subject: [PATCH 16/58] Add check that secretName and secretKey are not set --- .../gossip-encryption-autogen-job.yaml | 4 ++ .../unit/gossip-encryption-autogen-job.bats | 60 ++++++------------- 2 files changed, 23 insertions(+), 41 deletions(-) diff --git a/charts/consul/templates/gossip-encryption-autogen-job.yaml b/charts/consul/templates/gossip-encryption-autogen-job.yaml index e504a31b29..092a7b0669 100644 --- a/charts/consul/templates/gossip-encryption-autogen-job.yaml +++ b/charts/consul/templates/gossip-encryption-autogen-job.yaml @@ -1,4 +1,8 @@ {{- if .Values.global.gossipEncryption.autoGenerate }} +{{- if (or .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + {{ fail "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." }} +{{ end }} +--- # automatically generate encryption key for gossip protocol and save it in Kubernetes secret apiVersion: batch/v1 kind: Job 
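Review bot: Dropping the `(and secretName secretKey)` guard while keeping `{{- if .Values.global.gossipEncryption.autoGenerate }}` means `GOSSIP_KEY` is now emitted only when `autoGenerate` is true, so every existing install that supplies its own `secretName`/`secretKey` with `autoGenerate: false` (the default) silently loses gossip encryption on its next upgrade. The condition should be the union the TODO above it describes: `{{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }}`. The `secretKeyRef` that follows is outside the hunk; in the autoGenerate case both values are empty and it needs to fall back to the generated secret name and key. A unit test that renders the StatefulSet with only `secretName`/`secretKey` set and asserts `GOSSIP_KEY` is present would have caught this.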
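Review bot: The new `fail` makes `autoGenerate: true` incompatible with any `secretName`/`secretKey`, which contradicts the values.yaml text saying supplied values "will be respected" and the `secretName={{ … }}` / `secretKey={{ … }}` branches still present in the job script below; either the documentation and those branches go, or the `fail` does. Failing fast is the safer choice — it prevents the job from generating a key under a name the user expected to control — so update the values.yaml comment to say the two must be empty when `autoGenerate` is true. Use `{{- end }}` rather than `{{ end }}` so the check does not emit a stray blank line ahead of the `---` document separator.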
diff --git a/charts/consul/test/unit/gossip-encryption-autogen-job.bats b/charts/consul/test/unit/gossip-encryption-autogen-job.bats index 7f5dac2d43..54e75e55a0 100644 --- a/charts/consul/test/unit/gossip-encryption-autogen-job.bats +++ b/charts/consul/test/unit/gossip-encryption-autogen-job.bats 
@@ -5,67 +5,45 @@ load _helpers @test "autogenEncryption/Job: disabled by default" { cd `chart_dir` assert_empty helm template \ - -s templates/autogen-encryption-job.yaml \ + -s templates/gossip-encryption-autogen-job.yaml \ . } -@test "autogenEncryption/Job: enabled with global.gossipEncryption.autogenerate=true" { +@test "autogenEncryption/Job: enabled with global.gossipEncryption.autoGenerate=true" { cd `chart_dir` local actual=$(helm template \ - -s templates/autogen-encryption-job.yaml \ - --set 'global.gossipEncryption.autogenerate=true' \ + -s templates/gossip-encryption-autogen-job.yaml \ + --set 'global.gossipEncryption.autoGenerate=true' \ . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } -@test "autogenEncryption/Job: disabled when global.gossipEncryption.autogenerate=false" { +@test "autogenEncryption/Job: disabled when global.gossipEncryption.autoGenerate=false" { cd `chart_dir` assert_empty helm template \ - -s templates/autogen-encryption-job.yaml \ - --set 'global.gossipEncryption.autogenerate=false' \ + -s templates/gossip-encryption-autogen-job.yaml \ + --set 'global.gossipEncryption.autoGenerate=false' \ . } -@test "autogenEncryption/Job: secretName and secretKey set by user are respected" { +# TODO find out why this test is failing +@test "autogenEncryption/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretName and global.gossipEncryption.secretKey are set" { cd `chart_dir` - local actual=$(helm template \ - -s templates/autogen-encryption-job.yaml \ - --set 'global.gossipEncryption.autogenerate=true' \ - --set 'global.gossipEncryption.secretName=userName' \ - --set 'global.gossipEncryption.secretKey=userKey' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("secretName=userName\nsecretKey=userKey"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "autogenEncryption/Job: secretKey set by user is respected while secretName is generated" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/autogen-encryption-job.yaml \ - --set 'global.gossipEncryption.autogenerate=true' \ - --set 'global.gossipEncryption.secretKey=userKey' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("secretName=RELEASE-NAME-consul-gossip-encryption-key\nsecretKey=userKey"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "autogenEncryption/Job: secretName set by user is respected while secretKey is generated" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/autogen-encryption-job.yaml \ - --set 'global.gossipEncryption.autogenerate=true' \ - --set 'global.gossipEncryption.secretName=userName' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("secretName=userName\nsecretKey=key"))' | tee /dev/stderr) - [ "${actual}" = "true" ] + run helm template \ + -s templates/gossip-encryption-autogen-job.yaml \ + --set 'global.gossipEncryption.=true' \ + --set 'global.gossipEncryption.secretName=name' \ + --set 'global.gossipEncryption.secretKey=key' . + [ "$status" -eq 1 ] # Test fails here + [[ "$output" =~ "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." 
]] } -@test "autogenEncryption/Job: secretName and secretKey are generated if not provided" { +@test "autogenEncryption/Job: secretName and secretKey are generated" { cd `chart_dir` local actual=$(helm template \ - -s templates/autogen-encryption-job.yaml \ - --set 'global.gossipEncryption.autogenerate=true' \ + -s templates/gossip-encryption-autogen-job.yaml \ + --set 'global.gossipEncryption.autoGenerate=true' \ . | tee /dev/stderr | yq '.spec.template.spec.containers[0].command | any(contains("secretName=RELEASE-NAME-consul-gossip-encryption-key\nsecretKey=key"))' | tee /dev/stderr) [ "${actual}" = "true" ] From f77814dcc3e14aa1d020339bc0b5c12dae11f5be Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Mon, 20 Sep 2021 14:26:56 -0400 Subject: [PATCH 17/58] Fix test failures --- .../unit/gossip-encryption-autogen-job.bats | 31 ++++++++++++++++--- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/charts/consul/test/unit/gossip-encryption-autogen-job.bats b/charts/consul/test/unit/gossip-encryption-autogen-job.bats index 54e75e55a0..25fd9140e4 100644 --- a/charts/consul/test/unit/gossip-encryption-autogen-job.bats +++ b/charts/consul/test/unit/gossip-encryption-autogen-job.bats 
@@ -27,18 +27,41 @@ load _helpers . } -# TODO find out why this test is failing @test "autogenEncryption/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretName and global.gossipEncryption.secretKey are set" { cd `chart_dir` run helm template \ -s templates/gossip-encryption-autogen-job.yaml \ - --set 'global.gossipEncryption.=true' \ + --set 'global.gossipEncryption.autoGenerate=true' \ + --set 'global.gossipEncryption.secretName=name' \ + --set 'global.gossipEncryption.secretKey=key' \ + . + [ "$status" -eq 1 ] + [[ "$output" =~ "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." ]] +} + +@test "autogenEncryption/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretName are set" { + cd `chart_dir` + run helm template \ + -s templates/gossip-encryption-autogen-job.yaml \ + --set 'global.gossipEncryption.autoGenerate=true' \ --set 'global.gossipEncryption.secretName=name' \ - --set 'global.gossipEncryption.secretKey=key' . - [ "$status" -eq 1 ] # Test fails here + . + [ "$status" -eq 1 ] [[ "$output" =~ "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." ]] } +@test "autogenEncryption/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretKey are set" { + cd `chart_dir` + run helm template \ + -s templates/gossip-encryption-autogen-job.yaml \ + --set 'global.gossipEncryption.autoGenerate=true' \ + --set 'global.gossipEncryption.secretKey=key' \ + . + [ "$status" -eq 1 ] + [[ "$output" =~ "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." ]] +} + + @test "autogenEncryption/Job: secretName and secretKey are generated" { cd `chart_dir` local actual=$(helm template \ 
From 2a6ea410b19c0eccc2f3c38f3cfeb20f4cdefb2d Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Mon, 20 Sep 2021 16:03:59 -0400 Subject: [PATCH 18/58] Set GOSSIP_KEY properly in server statefulset --- charts/consul/templates/server-statefulset.yaml | 11 +++++++---- charts/consul/test/unit/server-statefulset.bats | 10 ++++++++++ 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/charts/consul/templates/server-statefulset.yaml b/charts/consul/templates/server-statefulset.yaml index 8e5f9271b0..29d85f2c31 100644 --- a/charts/consul/templates/server-statefulset.yaml +++ b/charts/consul/templates/server-statefulset.yaml @@ -156,14 +156,17 @@ spec: fieldPath: metadata.namespace - name: CONSUL_DISABLE_PERM_MGMT value: "true" -# TODO: properly reference the gossip encryption key here -# if autoencrypt is true OR secretName and secretKey are non null, load the gossip key - {{- if .Values.global.gossipEncryption.autoGenerate }} + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} - name: GOSSIP_KEY valueFrom: secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} name: {{ .Values.global.gossipEncryption.secretName }} key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} {{- end }} {{- if .Values.global.tls.enabled }} - name: CONSUL_HTTP_ADDR 
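Review bot: The inner `{{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}` is redundant: the outer guard already ensures that whenever `autoGenerate` is false both values are set, so a plain `{{- else }}` expresses the same thing without a third copy of the condition. The autogenerated secret's name and key (`{{ template "consul.fullname" . }}-gossip-encryption-key` / `key`) are now spelled out here, in the autogen job script, and in the client DaemonSet hunk later in this series; a named template defined next to `consul.fullname` would keep the three from drifting apart. The same two points apply to the client-daemonset.yaml hunks of the later commit.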
@@ -225,7 +228,7 @@ spec: -datacenter={{ .Values.global.datacenter }} \ -data-dir=/consul/data \ -domain={{ .Values.global.domain }} \ - {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} -encrypt="${GOSSIP_KEY}" \ {{- end }} {{- if .Values.server.connect }} diff --git a/charts/consul/test/unit/server-statefulset.bats b/charts/consul/test/unit/server-statefulset.bats index 78dd6a873e..a95ec327b5 100755 --- a/charts/consul/test/unit/server-statefulset.bats +++ b/charts/consul/test/unit/server-statefulset.bats @@ -842,6 +842,16 @@ load _helpers [ "${actual}" = "" ] } +@test "server/StatefulSet: gossip encryption autogeneration properly sets secretName and secretKey" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'global.gossipEncryption.autoGenerate=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[] | select(.name=="consul") | .env[] | select(.name == "GOSSIP_KEY") | .valueFrom.secretKeyRef | [.name=="RELEASE-NAME-consul-gossip-encryption-key", .key="key"] | all' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "server/StatefulSet: gossip encryption disabled in server StatefulSet when secretName is missing" { cd `chart_dir` local actual=$(helm template \ From 40e7a4db7588e4271d4b4c675e565c7f2b466166 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Mon, 20 Sep 2021 16:04:20 -0400 Subject: [PATCH 19/58] Remove setting secretName and secretKey for autogen --- .../gossip-encryption-autogen-job.yaml | 29 +++++++------------ 1 file changed, 10 insertions(+), 19 deletions(-) diff --git a/charts/consul/templates/gossip-encryption-autogen-job.yaml b/charts/consul/templates/gossip-encryption-autogen-job.yaml index 092a7b0669..28743b7750 100644 
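Review bot: The yq filter in the new server-statefulset.bats test writes `.key="key"`, which is an assignment rather than a comparison, so that array element is always truthy and the test only verifies the secret name; it should read `[.name=="RELEASE-NAME-consul-gossip-encryption-key", .key=="key"] | all`. The same slip is copied into the client-daemonset.bats test added later in this series, so both should be corrected together.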
--- a/charts/consul/templates/gossip-encryption-autogen-job.yaml +++ b/charts/consul/templates/gossip-encryption-autogen-job.yaml 
@@ -46,27 +46,18 @@ spec: - "-ec" - | $(consul keygen) > key.txt - {{- if .Values.global.gossipEncryption.secretName }} - secretName={{ .Values.global.gossipEncryption.secretName }} - {{- else }} secretName={{ template "consul.fullname" . }}-gossip-encryption-key - {{- end }} - {{- if .Values.global.gossipEncryption.secretKey }} - secretKey={{ .Values.global.gossipEncryption.secretKey }} - {{- else }} secretKey=key - {{- end }} - # Check if secret already exists - curl -s -X GET --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ - https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/${secretName}/data/${secretKey} - # If secret does not exist, create it - curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ - https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \ - -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \ - -H "Content-Type: application/json" \ - -H "Accept: application/json" \ - # TODO put the key in a secret - -d "{ \"kind\": \"Secret\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"${secretName}\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"Opaque\", \"data\": { }}" > /dev/null + secret_exists=$(curl -s -X GET --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/${secretName}/data/${secretKey}) + echo $secret_exists + # curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + # https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \ + # -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \ + # -H "Content-Type: application/json" \ + # -H "Accept: application/json" \ + # # TODO put the key in a secret + # -d "{ \"kind\": \"Secret\", \"apiVersion\": 
\"v1\", \"metadata\": { \"name\": \"${secretName}\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"Opaque\", \"data\": { }}" > /dev/null resources: requests: memory: "50Mi" From 0a4c0d66f053ca8d12c059ea2fd23e405a56aadf Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Mon, 20 Sep 2021 16:51:34 -0400 Subject: [PATCH 20/58] Check if secret exists via 200 resp --- .../gossip-encryption-autogen-job.yaml | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/charts/consul/templates/gossip-encryption-autogen-job.yaml b/charts/consul/templates/gossip-encryption-autogen-job.yaml index 28743b7750..70abbade63 100644 --- a/charts/consul/templates/gossip-encryption-autogen-job.yaml +++ b/charts/consul/templates/gossip-encryption-autogen-job.yaml 
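Review bot: `echo $secret_exists` in the new script writes the raw secrets-API response to the Job's stdout, which, should the lookup ever succeed, places the existing gossip key's base64 data in pod logs; reduce the lookup to a status check and never print the body. The GET also sends no `Authorization: Bearer` header (unlike the commented-out POST), so the API server treats it as anonymous, and `/secrets/${secretName}/data/${secretKey}` is not a path the core API serves (Secrets have no `data` subresource), so as written the check cannot succeed; the same GET survives into the next commit's hunk. The unchanged context line `$(consul keygen) > key.txt` additionally executes the generated key as a command instead of writing it, which this commit does not touch.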
@@ -48,16 +48,18 @@ spec: $(consul keygen) > key.txt secretName={{ template "consul.fullname" . }}-gossip-encryption-key secretKey=key - secret_exists=$(curl -s -X GET --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ - https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/${secretName}/data/${secretKey}) + secret_exists=$(curl -i -s -X GET --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/${secretName}/data/${secretKey} \ + | grep -q "200 OK" + ) echo $secret_exists - # curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ - # https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \ - # -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \ - # -H "Content-Type: application/json" \ - # -H "Accept: application/json" \ - # # TODO put the key in a secret - # -d "{ \"kind\": \"Secret\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"${secretName}\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"Opaque\", \"data\": { }}" > /dev/null + curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \ + -H "Content-Type: application/json" \ + -H "Accept: application/json" \ + # TODO put the key in a secret + -d "{ \"kind\": \"Secret\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"${secretName}\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"Opaque\", \"data\": { }}" > /dev/null resources: requests: memory: "50Mi" From 424dba0e02aafdbf6a67975f55101d5bb90cf572 Mon Sep 17 00:00:00 2001 
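Review bot: `secret_exists=$(... | grep -q "200 OK")` always assigns an empty string because `grep -q` prints nothing, and when nothing matches grep exits 1, so under `sh -ec` the assignment aborts the script before the POST ever runs. In the re-enabled POST, the `# TODO put the key in a secret` line sits inside a backslash-continued command; the comment ends the logical line, so curl runs without `-d` and `-d "{...}" > /dev/null` is then executed as a separate, failing command. Capturing the status with `curl -s -o /dev/null -w '%{http_code}' ...` and moving the comment above the command addresses both.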
From: Thomas Eckert Date: Tue, 21 Sep 2021 10:48:14 -0400 Subject: [PATCH 21/58] Add gossip autogen to client daemonset --- charts/consul/templates/client-daemonset.yaml | 9 +++++++-- charts/consul/test/unit/client-daemonset.bats | 10 ++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/charts/consul/templates/client-daemonset.yaml b/charts/consul/templates/client-daemonset.yaml index 58eb73ca9e..1977b7d6e4 100644 --- a/charts/consul/templates/client-daemonset.yaml +++ b/charts/consul/templates/client-daemonset.yaml @@ -168,12 +168,17 @@ spec: fieldPath: status.podIP - name: CONSUL_DISABLE_PERM_MGMT value: "true" - {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} - name: GOSSIP_KEY valueFrom: secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} name: {{ .Values.global.gossipEncryption.secretName }} key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} {{- end }} {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey .Values.server.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} - name: CONSUL_LICENSE_PATH @@ -252,7 +257,7 @@ spec: {{- end }} -datacenter={{ .Values.global.datacenter }} \ -data-dir=/consul/data \ - {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} -encrypt="${GOSSIP_KEY}" \ {{- end }} {{- if .Values.client.join }} 
diff --git a/charts/consul/test/unit/client-daemonset.bats b/charts/consul/test/unit/client-daemonset.bats index d9bd845765..cef48f7c81 100755 --- a/charts/consul/test/unit/client-daemonset.bats +++ b/charts/consul/test/unit/client-daemonset.bats @@ -606,6 +606,16 @@ load _helpers [ "${actual}" = "" ] } +@test "client/DaemonSet: gossip encryption autogeneration properly sets secretName and secretKey" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/client-daemonset.yaml \ + --set 'global.gossipEncryption.autoGenerate=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[] | select(.name=="consul") | .env[] | select(.name == "GOSSIP_KEY") | .valueFrom.secretKeyRef | [.name=="RELEASE-NAME-consul-gossip-encryption-key", .key="key"] | all' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "client/DaemonSet: gossip encryption disabled in client DaemonSet when secretName is missing" { cd `chart_dir` local actual=$(helm template \ From 623d477adf3579e0cb9f3d39c6daeb7899d7b761 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Wed, 22 Sep 2021 12:30:19 -0400 Subject: [PATCH 22/58] Send the key to secrets --- .../gossip-encryption-autogen-job.yaml | 36 +++++++++++-------- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/charts/consul/templates/gossip-encryption-autogen-job.yaml b/charts/consul/templates/gossip-encryption-autogen-job.yaml index 70abbade63..da856b5f4e 100644 --- a/charts/consul/templates/gossip-encryption-autogen-job.yaml +++ b/charts/consul/templates/gossip-encryption-autogen-job.yaml @@ -16,7 +16,7 @@ metadata: release: {{ .Release.Name }} annotations: "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-weight": 1 + "helm.sh/hook-weight": "1" "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation spec: template: 
@@ -26,14 +26,14 @@ spec: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} release: {{ .Release.Name }} - component: autogen-encryption + component: gossip-encryption-autogen annotations: "consul.hashicorp.com/connect-inject": "false" spec: restartPolicy: Never - serviceAccountName: {{ template "consul.fullname" . }}-autogen-encryption + serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogen containers: - - name: autogen-encryption + - name: gossip-encryption-autogen image: "{{ .Values.global.image }}" env: - name: NAMESPACE 
@@ -45,21 +45,27 @@ spec: - "/bin/sh" - "-ec" - | - $(consul keygen) > key.txt secretName={{ template "consul.fullname" . }}-gossip-encryption-key secretKey=key - secret_exists=$(curl -i -s -X GET --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ - https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/${secretName}/data/${secretKey} \ - | grep -q "200 OK" - ) - echo $secret_exists - curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ - https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \ + # Check if secret already exists + currentGossipSecret=$(curl -s -X GET --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/${secretName} \ -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \ -H "Content-Type: application/json" \ - -H "Accept: application/json" \ - # TODO put the key in a secret - -d "{ \"kind\": \"Secret\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"${secretName}\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"Opaque\", \"data\": { }}" > /dev/null + -H "Accept: application/json") + doesCurrentSecretNameExist=$(echo $currentGossipSecret | jq '.code==200') + if [ "$doesCurrentSecretNameExist" = "true" ]; then + doesCurrentSecretKeyExist=$(echo $currentGossipSecret | jq '.data.key') + fi + if [ "$doesCurrentSecretNameExist" = "false" ] || [ "$doesCurrentSecretKeyExist" != "null" ]; then + keyValue=$(consul keygen) + curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \ + -H "Content-Type: application/json" \ + -H "Accept: application/json" \ + -d "{ 
\"kind\": \"Secret\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"${secretName}\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"Opaque\", \"data\": { \"${secretKey}\": \"${keyValue}\" }}" > /dev/null + fi resources: requests: memory: "50Mi" From ccc94c97ddf2e422628feb460bae6191ecae4199 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Wed, 22 Sep 2021 13:49:03 -0400 Subject: [PATCH 23/58] Base64 encrypt consul key --- charts/consul/templates/gossip-encryption-autogen-job.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/consul/templates/gossip-encryption-autogen-job.yaml b/charts/consul/templates/gossip-encryption-autogen-job.yaml index da856b5f4e..31cb92f2a8 100644 --- a/charts/consul/templates/gossip-encryption-autogen-job.yaml +++ b/charts/consul/templates/gossip-encryption-autogen-job.yaml @@ -58,7 +58,7 @@ spec: doesCurrentSecretKeyExist=$(echo $currentGossipSecret | jq '.data.key') fi if [ "$doesCurrentSecretNameExist" = "false" ] || [ "$doesCurrentSecretKeyExist" != "null" ]; then - keyValue=$(consul keygen) + keyValue=$(consul keygen | base64) curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \ -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \ From 23421de39eec30f5260ef35c037d38f563529b3c Mon Sep 17 00:00:00 2001 
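Review bot: The existence check in the new script never fires: a successful GET of a Secret returns the object itself, which has no `code` field, so `jq '.code==200'` evaluates to `false` whether the secret exists or not (a 404 yields a Status object with `code: 404`), and the POST is attempted on every pre-install/pre-upgrade run. The follow-up condition is also inverted — `[ "$doesCurrentSecretKeyExist" != "null" ]` creates the secret when the key is already present — and because curl runs with `-s` and without `--fail`, a 409 Conflict or 403 is discarded and the Job reports success without a key being stored. Testing the HTTP status code directly and failing the Job on anything other than 200 or 404 fixes both; an existing secret that lacks the `key` entry would need a PATCH rather than a POST, so that case is better reported than silently retried. The `if` block starts and ends within this hunk.
```yaml
          secretName={{ template "consul.fullname" . }}-gossip-encryption-key
          secretKey=key
          # Check whether the secret already exists; only the status code is needed, the body is never printed
          status=$(curl -s -o /dev/null -w '%{http_code}' --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
            https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/${secretName} \
            -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \
            -H "Accept: application/json")
          if [ "$status" = "404" ]; then
            # … unchanged: keygen and POST of the new Secret, with --fail added so a non-2xx response fails the Job …
          elif [ "$status" != "200" ]; then
            echo "unexpected response ${status} when checking for secret ${secretName}" >&2
            exit 1
          fi
```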
From: Thomas Eckert Date: Wed, 22 Sep 2021 13:49:26 -0400 Subject: [PATCH 24/58] Add podsecuritypolicy, role, rolebinding, and SA --- ...-encryption-autogen-podsecuritypolicy.yaml | 39 +++++++++++++++++++ .../gossip-encryption-autogen-role.yaml | 33 ++++++++++++++++ ...gossip-encryption-autogen-rolebinding.yaml | 22 +++++++++++ ...sip-encryption-autogen-serviceaccount.yaml | 21 ++++++++++ 4 files changed, 115 insertions(+) create mode 100644 charts/consul/templates/gossip-encryption-autogen-podsecuritypolicy.yaml create mode 100644 charts/consul/templates/gossip-encryption-autogen-role.yaml create mode 100644 charts/consul/templates/gossip-encryption-autogen-rolebinding.yaml create mode 100644 charts/consul/templates/gossip-encryption-autogen-serviceaccount.yaml diff --git a/charts/consul/templates/gossip-encryption-autogen-podsecuritypolicy.yaml b/charts/consul/templates/gossip-encryption-autogen-podsecuritypolicy.yaml new file mode 100644 index 0000000000..8f3738a078 --- /dev/null +++ b/charts/consul/templates/gossip-encryption-autogen-podsecuritypolicy.yaml 
@@ -0,0 +1,39 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogen + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/consul/templates/gossip-encryption-autogen-role.yaml b/charts/consul/templates/gossip-encryption-autogen-role.yaml new file mode 100644 index 0000000000..13e9ad1261 --- /dev/null +++ b/charts/consul/templates/gossip-encryption-autogen-role.yaml 
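Review bot: `runAsUser: rule: 'RunAsAny'` in the new PodSecurityPolicy lets the autogen pod run as UID 0, which sits oddly beside the comment `# Required to prevent escalations to root.`; the job only runs `consul keygen` and `curl`, so `rule: 'MustRunAsNonRoot'` is the tighter fit, provided the consul image's default user or a `securityContext.runAsUser` on the Job supports it (not visible here, so worth confirming). `readOnlyRootFilesystem: false` likewise looks looser than needed now that the script no longer writes `key.txt`. Since `policy/v1beta1` PodSecurityPolicy is deprecated upstream, a comment noting that this file follows the chart's other PSPs and goes away with them would help the next maintainer.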
@@ -0,0 +1,33 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogen + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - update + - get + - list +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-gossip-encryption-autogen +{{- end }} +{{- end }} diff --git a/charts/consul/templates/gossip-encryption-autogen-rolebinding.yaml b/charts/consul/templates/gossip-encryption-autogen-rolebinding.yaml new file mode 100644 index 0000000000..a408bdf77c --- /dev/null +++ b/charts/consul/templates/gossip-encryption-autogen-rolebinding.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogen + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-gossip-encryption-autogen +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gossip-encryption-autogen +{{- end }} 
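Review bot: The secrets rule grants `list` and `update` on every Secret in the release namespace, although the job script only does a GET of one named secret and a POST to create it; `list` in particular lets this service account read every secret in the namespace. Split the rule so `get` is pinned with `resourceNames` to the autogenerated secret and only `create` stays unrestricted (create cannot be scoped by `resourceNames`, because the name is not known at authorization time), and drop `update` and `list` until the script actually needs them.
```yaml
rules:
- apiGroups: [""]
  resources:
    - secrets
  verbs:
    - create
- apiGroups: [""]
  resources:
    - secrets
  resourceNames:
    - {{ template "consul.fullname" . }}-gossip-encryption-key
  verbs:
    - get
# … unchanged: podsecuritypolicies rule under enablePodSecurityPolicies …
```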
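Review bot: The ServiceAccount subject in the new RoleBinding has no `namespace`, which RBAC validation requires for `kind: ServiceAccount` subjects; add `namespace: {{ .Release.Namespace }}` beneath the subject's `name` so the object is accepted and the binding resolves to the release namespace rather than depending on the installing client's default.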
diff --git a/charts/consul/templates/gossip-encryption-autogen-serviceaccount.yaml b/charts/consul/templates/gossip-encryption-autogen-serviceaccount.yaml new file mode 100644 index 0000000000..84252cd55a --- /dev/null +++ b/charts/consul/templates/gossip-encryption-autogen-serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogen + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} From 03c5994148efefde7719111587d07dc3f16c79b0 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Wed, 22 Sep 2021 13:57:33 -0400 Subject: [PATCH 25/58] Rename -gossip-encryption-autogen to -gossip-encryption-autogenerate --- charts/consul/templates/gossip-encryption-autogen-job.yaml | 6 +++--- .../gossip-encryption-autogen-podsecuritypolicy.yaml | 2 +- charts/consul/templates/gossip-encryption-autogen-role.yaml | 4 ++-- .../templates/gossip-encryption-autogen-rolebinding.yaml | 6 +++--- .../templates/gossip-encryption-autogen-serviceaccount.yaml | 2 +- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/charts/consul/templates/gossip-encryption-autogen-job.yaml b/charts/consul/templates/gossip-encryption-autogen-job.yaml index 31cb92f2a8..c4ebfc3056 100644 --- a/charts/consul/templates/gossip-encryption-autogen-job.yaml +++ b/charts/consul/templates/gossip-encryption-autogen-job.yaml 
@@ -7,7 +7,7 @@ apiVersion: batch/v1 kind: Job metadata: - name: {{ template "consul.fullname" . }}-gossip-encryption-autogen + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} @@ -21,7 +21,7 @@ metadata: spec: template: metadata: - name: {{ template "consul.fullname" . }}-gossip-encryption-autogen + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} @@ -31,7 +31,7 @@ spec: "consul.hashicorp.com/connect-inject": "false" spec: restartPolicy: Never - serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogen + serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate containers: - name: gossip-encryption-autogen image: "{{ .Values.global.image }}" diff --git a/charts/consul/templates/gossip-encryption-autogen-podsecuritypolicy.yaml b/charts/consul/templates/gossip-encryption-autogen-podsecuritypolicy.yaml index 8f3738a078..6121fbbe30 100644 --- a/charts/consul/templates/gossip-encryption-autogen-podsecuritypolicy.yaml +++ b/charts/consul/templates/gossip-encryption-autogen-podsecuritypolicy.yaml @@ -3,7 +3,7 @@ apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: - name: {{ template "consul.fullname" . }}-gossip-encryption-autogen + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} diff --git a/charts/consul/templates/gossip-encryption-autogen-role.yaml b/charts/consul/templates/gossip-encryption-autogen-role.yaml index 13e9ad1261..d1881ef32f 100644 --- a/charts/consul/templates/gossip-encryption-autogen-role.yaml +++ b/charts/consul/templates/gossip-encryption-autogen-role.yaml 
@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "consul.fullname" . }}-gossip-encryption-autogen + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} @@ -28,6 +28,6 @@ rules: verbs: - use resourceNames: - - {{ template "consul.fullname" . }}-gossip-encryption-autogen + - {{ template "consul.fullname" . }}-gossip-encryption-autogenerate {{- end }} {{- end }} diff --git a/charts/consul/templates/gossip-encryption-autogen-rolebinding.yaml b/charts/consul/templates/gossip-encryption-autogen-rolebinding.yaml index a408bdf77c..caef0d221e 100644 --- a/charts/consul/templates/gossip-encryption-autogen-rolebinding.yaml +++ b/charts/consul/templates/gossip-encryption-autogen-rolebinding.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "consul.fullname" . }}-gossip-encryption-autogen + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} @@ -15,8 +15,8 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "consul.fullname" . }}-gossip-encryption-autogen + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate subjects: - kind: ServiceAccount - name: {{ template "consul.fullname" . }}-gossip-encryption-autogen + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate {{- end }} diff --git a/charts/consul/templates/gossip-encryption-autogen-serviceaccount.yaml b/charts/consul/templates/gossip-encryption-autogen-serviceaccount.yaml index 84252cd55a..a711f9a4c1 100644 --- a/charts/consul/templates/gossip-encryption-autogen-serviceaccount.yaml +++ b/charts/consul/templates/gossip-encryption-autogen-serviceaccount.yaml 
@@ -2,7 +2,7 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "consul.fullname" . }}-gossip-encryption-autogen + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} From 29bca86344f6d00e3b428d3414e8c7485f236a41 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Thu, 23 Sep 2021 10:50:36 -0400 Subject: [PATCH 26/58] Rename *-autogen-* to *-autogeneration-* --- ...autogen-job.yaml => gossip-encryption-autogeneration-job.yaml} | 0 ...ml => gossip-encryption-autogeneration-podsecuritypolicy.yaml} | 0 ...togen-role.yaml => gossip-encryption-autogeneration-role.yaml} | 0 ...ing.yaml => gossip-encryption-autogeneration-rolebinding.yaml} | 0 ....yaml => gossip-encryption-autogeneration-serviceaccount.yaml} | 0 5 files changed, 0 insertions(+), 0 deletions(-) rename charts/consul/templates/{gossip-encryption-autogen-job.yaml => gossip-encryption-autogeneration-job.yaml} (100%) rename charts/consul/templates/{gossip-encryption-autogen-podsecuritypolicy.yaml => gossip-encryption-autogeneration-podsecuritypolicy.yaml} (100%) rename charts/consul/templates/{gossip-encryption-autogen-role.yaml => gossip-encryption-autogeneration-role.yaml} (100%) rename charts/consul/templates/{gossip-encryption-autogen-rolebinding.yaml => gossip-encryption-autogeneration-rolebinding.yaml} (100%) rename charts/consul/templates/{gossip-encryption-autogen-serviceaccount.yaml => gossip-encryption-autogeneration-serviceaccount.yaml} (100%) diff --git a/charts/consul/templates/gossip-encryption-autogen-job.yaml b/charts/consul/templates/gossip-encryption-autogeneration-job.yaml similarity index 100% rename from charts/consul/templates/gossip-encryption-autogen-job.yaml rename to charts/consul/templates/gossip-encryption-autogeneration-job.yaml 
diff --git a/charts/consul/templates/gossip-encryption-autogen-podsecuritypolicy.yaml b/charts/consul/templates/gossip-encryption-autogeneration-podsecuritypolicy.yaml similarity index 100% rename from charts/consul/templates/gossip-encryption-autogen-podsecuritypolicy.yaml rename to charts/consul/templates/gossip-encryption-autogeneration-podsecuritypolicy.yaml diff --git a/charts/consul/templates/gossip-encryption-autogen-role.yaml b/charts/consul/templates/gossip-encryption-autogeneration-role.yaml similarity index 100% rename from charts/consul/templates/gossip-encryption-autogen-role.yaml rename to charts/consul/templates/gossip-encryption-autogeneration-role.yaml diff --git a/charts/consul/templates/gossip-encryption-autogen-rolebinding.yaml b/charts/consul/templates/gossip-encryption-autogeneration-rolebinding.yaml similarity index 100% rename from charts/consul/templates/gossip-encryption-autogen-rolebinding.yaml rename to charts/consul/templates/gossip-encryption-autogeneration-rolebinding.yaml diff --git a/charts/consul/templates/gossip-encryption-autogen-serviceaccount.yaml b/charts/consul/templates/gossip-encryption-autogeneration-serviceaccount.yaml similarity index 100% rename from charts/consul/templates/gossip-encryption-autogen-serviceaccount.yaml rename to charts/consul/templates/gossip-encryption-autogeneration-serviceaccount.yaml From b0643c018100629a1951faef9ffdf62d962a7a67 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Thu, 23 Sep 2021 11:02:04 -0400 Subject: [PATCH 27/58] Remove text about respecting user set secretName and secretKey for autogen --- charts/consul/values.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index daa06ce42b..58baee7a8f 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml 
@@ -120,10 +120,9 @@ global: # Configures Consul's gossip encryption key, set as a Kubernetes secret # (see `-encrypt` (https://consul.io/docs/agent/options#_encrypt)). # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. - # To automatically generate and set a gossip encryption key, set autoGenerate to true. The values for secretName - # and secretKey may be left empty. If values are supplied for these keys, they will be respected. + # To automatically generate and set a gossip encryption key, set autoGenerate to true. # To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate - # the gossip key referencing these values. + # a Kubernetes secret referencing these values. # # ``` # $ kubectl create secret generic --from-literal==$(consul keygen) From 3cd99af4f91c2500b87e2cfb4e2246f0f9574379 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Thu, 23 Sep 2021 13:23:43 -0400 Subject: [PATCH 28/58] Rename gossip-encryption-autogen to gossip-encryption-autogeneration --- ...autogen-job.bats => gossip-encryption-autogeneration-job.bats} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename charts/consul/test/unit/{gossip-encryption-autogen-job.bats => gossip-encryption-autogeneration-job.bats} (100%) diff --git a/charts/consul/test/unit/gossip-encryption-autogen-job.bats b/charts/consul/test/unit/gossip-encryption-autogeneration-job.bats similarity index 100% rename from charts/consul/test/unit/gossip-encryption-autogen-job.bats rename to charts/consul/test/unit/gossip-encryption-autogeneration-job.bats From ab1181c78b08abda169320f371a2e9f342f3882b Mon Sep 17 00:00:00 2001 
From: Thomas Eckert Date: Thu, 23 Sep 2021 14:13:49 -0400 Subject: [PATCH 29/58] Add some great tests! --- .../gossip-encryption-autogeneration-job.bats | 14 +++--- ...encryption-autogeneration-podsecurity.bats | 28 +++++++++++ ...gossip-encryption-autogeneration-role.bats | 28 +++++++++++ ...encryption-autogeneration-rolebinding.bats | 29 +++++++++++ ...ryption-autogeneration-serviceaccount.bats | 50 +++++++++++++++++++ 5 files changed, 142 insertions(+), 7 deletions(-) create mode 100644 charts/consul/test/unit/gossip-encryption-autogeneration-podsecurity.bats create mode 100644 charts/consul/test/unit/gossip-encryption-autogeneration-role.bats create mode 100644 charts/consul/test/unit/gossip-encryption-autogeneration-rolebinding.bats create mode 100644 charts/consul/test/unit/gossip-encryption-autogeneration-serviceaccount.bats diff --git a/charts/consul/test/unit/gossip-encryption-autogeneration-job.bats b/charts/consul/test/unit/gossip-encryption-autogeneration-job.bats index 25fd9140e4..958bb0600f 100644 --- a/charts/consul/test/unit/gossip-encryption-autogeneration-job.bats +++ b/charts/consul/test/unit/gossip-encryption-autogeneration-job.bats @@ -2,14 +2,14 @@ load _helpers -@test "autogenEncryption/Job: disabled by default" { +@test "gossipEncryptionAutogeneration/Job: disabled by default" { cd `chart_dir` assert_empty helm template \ -s templates/gossip-encryption-autogen-job.yaml \ . } -@test "autogenEncryption/Job: enabled with global.gossipEncryption.autoGenerate=true" { +@test "gossipEncryptionAutogeneration/Job: enabled with global.gossipEncryption.autoGenerate=true" { cd `chart_dir` local actual=$(helm template \ -s templates/gossip-encryption-autogen-job.yaml \ 
@@ -19,7 +19,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "autogenEncryption/Job: disabled when global.gossipEncryption.autoGenerate=false" { +@test "gossipEncryptionAutogeneration/Job: disabled when global.gossipEncryption.autoGenerate=false" { cd `chart_dir` assert_empty helm template \ -s templates/gossip-encryption-autogen-job.yaml \ @@ -27,7 +27,7 @@ load _helpers . } -@test "autogenEncryption/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretName and global.gossipEncryption.secretKey are set" { +@test "gossipEncryptionAutogeneration/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretName and global.gossipEncryption.secretKey are set" { cd `chart_dir` run helm template \ -s templates/gossip-encryption-autogen-job.yaml \ @@ -39,7 +39,7 @@ load _helpers [[ "$output" =~ "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." ]] } -@test "autogenEncryption/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretName are set" { +@test "gossipEncryptionAutogeneration/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretName are set" { cd `chart_dir` run helm template \ -s templates/gossip-encryption-autogen-job.yaml \ @@ -50,7 +50,7 @@ load _helpers [[ "$output" =~ "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." ]] } -@test "autogenEncryption/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretKey are set" { +@test "gossipEncryptionAutogeneration/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretKey are set" { cd `chart_dir` run helm template \ -s templates/gossip-encryption-autogen-job.yaml \ 
@@ -62,7 +62,7 @@ load _helpers } -@test "autogenEncryption/Job: secretName and secretKey are generated" { +@test "gossipEncryptionAutogeneration/Job: secretName and secretKey are generated" { cd `chart_dir` local actual=$(helm template \ -s templates/gossip-encryption-autogen-job.yaml \ diff --git a/charts/consul/test/unit/gossip-encryption-autogeneration-podsecurity.bats b/charts/consul/test/unit/gossip-encryption-autogeneration-podsecurity.bats new file mode 100644 index 0000000000..0709751d3c --- /dev/null +++ b/charts/consul/test/unit/gossip-encryption-autogeneration-podsecurity.bats @@ -0,0 +1,28 @@ +#!/usr/bin/env bats + +load _helpers + +@test "gossipEncryptionAutogeneration/PodSecurityPolicy: disabled by default" { + cd `chart_dir` + assert_empty helm template \ + -s templates/gossip-encryption-autogeneration-podsecuritypolicy.yaml \ + . +} + +@test "gossipEncryptionAutogeneration/PodSecurityPolicy: disabled with global.gossipEncryption.autoGenerate=false" { + cd `chart_dir` + assert_empty helm template \ + -s templates/gossip-encryption-autogeneration-podsecuritypolicy.yaml \ + --set 'global.gossipEncryption.autoGenerate=false' \ + . +} + +@test "gossipEncryptionAutogeneration/PodSecurityPolicy: enabled with global.gossipEncryption.autoGenerate=test" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/gossip-encryption-autogeneration-podsecuritypolicy.yaml \ + --set 'global.gossipEncryption.autoGenerate=true' \ + . | tee /dev/stderr | + yq -s 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} \ No newline at end of file diff --git a/charts/consul/test/unit/gossip-encryption-autogeneration-role.bats b/charts/consul/test/unit/gossip-encryption-autogeneration-role.bats new file mode 100644 index 0000000000..7052bb7ba5 --- /dev/null +++ b/charts/consul/test/unit/gossip-encryption-autogeneration-role.bats 
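Review bot: The "enabled" case pipes `helm template` output through `yq -s 'length > 0'`, while the Role, RoleBinding and ServiceAccount tests added in this same patch use `yq 'length > 0'`; `-s` (slurp) wraps the documents in an array, so the assertion still passes but checks a different shape than its siblings. Drop the flag for consistency: `yq 'length > 0' | tee /dev/stderr)`. The file also ends without a trailing newline, unlike the role test that follows.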
@@ -0,0 +1,28 @@ +#!/usr/bin/env bats + +load _helpers + +@test "gossipEncryptionAutogeneration/Role: disabled by default" { + cd `chart_dir` + assert_empty helm template \ + -s templates/gossip-encryption-autogeneration-role.yaml \ + . +} + +@test "gossipEncryptionAutogeneration/Role: disabled with global.gossipEncryption.autoGenerate=false" { + cd `chart_dir` + assert_empty helm template \ + -s templates/gossip-encryption-autogeneration-role.yaml \ + --set 'global.gossipEncryption.autoGenerate=false' \ + . +} + +@test "gossipEncryptionAutogeneration/Role: enabled when global.gossipEncryption.autoGenerate=true" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/gossip-encryption-autogeneration-role.yaml \ + --set 'global.gossipEncryption.autoGenerate=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/charts/consul/test/unit/gossip-encryption-autogeneration-rolebinding.bats b/charts/consul/test/unit/gossip-encryption-autogeneration-rolebinding.bats new file mode 100644 index 0000000000..a3b79a3174 --- /dev/null +++ b/charts/consul/test/unit/gossip-encryption-autogeneration-rolebinding.bats 
@@ -0,0 +1,29 @@ + +#!/usr/bin/env bats + +load _helpers + +@test "gossipEncryptionAutogeneration/RoleBinding: disabled by default" { + cd `chart_dir` + assert_empty helm template \ + -s templates/gossip-encryption-autogeneration-rolebinding.yaml \ + . +} + +@test "gossipEncryptionAutogeneration/RoleBinding: disabled with global.gossipEncryption.autoGenerate=false" { + cd `chart_dir` + assert_empty helm template \ + -s templates/gossip-encryption-autogeneration-rolebinding.yaml \ + --set 'global.gossipEncryption.autoGenerate=false' \ + . +} + +@test "gossipEncryptionAutogeneration/RoleBinding: enabled with global.gossipEncryption.autoGenerate=true" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/gossip-encryption-autogeneration-rolebinding.yaml \ + --set 'global.gossipEncryption.autoGenerate=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} \ No newline at end of file diff --git a/charts/consul/test/unit/gossip-encryption-autogeneration-serviceaccount.bats b/charts/consul/test/unit/gossip-encryption-autogeneration-serviceaccount.bats new file mode 100644 index 0000000000..aa86571c33 --- /dev/null +++ b/charts/consul/test/unit/gossip-encryption-autogeneration-serviceaccount.bats 
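Review bot: The file opens with an empty line, so `#!/usr/bin/env bats` sits on line 2 and is inert if the file is ever executed directly; it is also the only one of the bats files added in this patch with that layout. Remove the leading blank line so the shebang is the first line of the file. The file also ends without a trailing newline.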
@@ -0,0 +1,50 @@ +#!/usr/bin/env bats + +load _helpers + +@test "gossipEncryptionAutogeneration/ServiceAccount: disabled by default" { + cd `chart_dir` + assert_empty helm template \ + -s templates/gossip-encryption-autogeneration-serviceaccount.yaml \ + . +} + +@test "gossipEncryptionAutogeneration/ServiceAccount: disabled with global.gossipEncryption.autoGenerate=false" { + cd `chart_dir` + assert_empty helm template \ + -s templates/gossip-encryption-autogeneration-serviceaccount.yaml \ + --set 'global.gossipEncryption.autoGenerate=false' \ + . +} + +@test "gossipEncryptionAutogeneration/ServiceAccount: enabled with global.gossipEncryption.autoGenerate=true" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/gossip-encryption-autogeneration-serviceaccount.yaml \ + --set 'global.gossipEncryption.autoGenerate=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +#-------------------------------------------------------------------- +# global.imagePullSecrets + +@test "gossipEncryptionAutogeneration/ServiceAccount: can set image pull secrets" { + cd `chart_dir` + local object=$(helm template \ + -s templates/gossip-encryption-autogeneration-serviceaccount.yaml \ + --set 'global.gossipEncryption.autoGenerate=true' \ + --set 'global.imagePullSecrets[0].name=my-secret' \ + --set 'global.imagePullSecrets[1].name=my-secret2' \ + . | tee /dev/stderr) + + local actual=$(echo "$object" | + yq -r '.imagePullSecrets[0].name' | tee /dev/stderr) + [ "${actual}" = "my-secret" ] + + local actual=$(echo "$object" | + yq -r '.imagePullSecrets[1].name' | tee /dev/stderr) + [ "${actual}" = "my-secret2" ] +} + From a65551c8ee2120b892bc8376cab1330837c172ec Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Thu, 23 Sep 2021 14:18:35 -0400 Subject: [PATCH 30/58] Update changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 744c065350..043e71c188 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,8 @@ IMPROVEMENTS: * Control Plane * Upgrade Docker image Alpine version from 3.13 to 3.14. [[GH-737](https://github.com/hashicorp/consul-k8s/pull/737)] +* Helm Chart + * Add automatic generation of gossip encryption with `global.gossipEncryption.autoGenerate=true` [[GH-738](https://github.com/hashicorp/consul-k8s/pull/738)] ## 0.34.1 (September 17, 2021) From 2b2fd1df9704e41ea280484640e3e9f7c0fe76b6 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Fri, 24 Sep 2021 10:45:30 -0400 Subject: [PATCH 31/58] Fix filename reference in job bats file --- .../unit/gossip-encryption-autogeneration-job.bats | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/charts/consul/test/unit/gossip-encryption-autogeneration-job.bats b/charts/consul/test/unit/gossip-encryption-autogeneration-job.bats index 958bb0600f..76be0c7fc5 100644 --- a/charts/consul/test/unit/gossip-encryption-autogeneration-job.bats +++ b/charts/consul/test/unit/gossip-encryption-autogeneration-job.bats @@ -5,14 +5,14 @@ load _helpers @test "gossipEncryptionAutogeneration/Job: disabled by default" { cd `chart_dir` assert_empty helm template \ - -s templates/gossip-encryption-autogen-job.yaml \ + -s templates/gossip-encryption-autogeneration-job.yaml \ . } @test "gossipEncryptionAutogeneration/Job: enabled with global.gossipEncryption.autoGenerate=true" { cd `chart_dir` local actual=$(helm template \ - -s templates/gossip-encryption-autogen-job.yaml \ + -s templates/gossip-encryption-autogeneration-job.yaml \ --set 'global.gossipEncryption.autoGenerate=true' \ . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) 
@@ -22,7 +22,7 @@ load _helpers @test "gossipEncryptionAutogeneration/Job: disabled when global.gossipEncryption.autoGenerate=false" { cd `chart_dir` assert_empty helm template \ - -s templates/gossip-encryption-autogen-job.yaml \ + -s templates/gossip-encryption-autogeneration-job.yaml \ --set 'global.gossipEncryption.autoGenerate=false' \ . } @@ -30,7 +30,7 @@ load _helpers @test "gossipEncryptionAutogeneration/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretName and global.gossipEncryption.secretKey are set" { cd `chart_dir` run helm template \ - -s templates/gossip-encryption-autogen-job.yaml \ + -s templates/gossip-encryption-autogeneration-job.yaml \ --set 'global.gossipEncryption.autoGenerate=true' \ --set 'global.gossipEncryption.secretName=name' \ --set 'global.gossipEncryption.secretKey=key' \ @@ -42,7 +42,7 @@ load _helpers @test "gossipEncryptionAutogeneration/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretName are set" { cd `chart_dir` run helm template \ - -s templates/gossip-encryption-autogen-job.yaml \ + -s templates/gossip-encryption-autogeneration-job.yaml \ --set 'global.gossipEncryption.autoGenerate=true' \ --set 'global.gossipEncryption.secretName=name' \ . @@ -53,7 +53,7 @@ load _helpers @test "gossipEncryptionAutogeneration/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretKey are set" { cd `chart_dir` run helm template \ - -s templates/gossip-encryption-autogen-job.yaml \ + -s templates/gossip-encryption-autogeneration-job.yaml \ --set 'global.gossipEncryption.autoGenerate=true' \ --set 'global.gossipEncryption.secretKey=key' \ . 
@@ -65,7 +65,7 @@ load _helpers @test "gossipEncryptionAutogeneration/Job: secretName and secretKey are generated" { cd `chart_dir` local actual=$(helm template \ - -s templates/gossip-encryption-autogen-job.yaml \ + -s templates/gossip-encryption-autogeneration-job.yaml \ --set 'global.gossipEncryption.autoGenerate=true' \ . | tee /dev/stderr | yq '.spec.template.spec.containers[0].command | any(contains("secretName=RELEASE-NAME-consul-gossip-encryption-key\nsecretKey=key"))' | tee /dev/stderr) From 7bf6e51738d56f66551573289eb1c98d710a68a2 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Fri, 24 Sep 2021 10:59:14 -0400 Subject: [PATCH 32/58] Update charts/consul/templates/gossip-encryption-autogeneration-job.yaml Co-authored-by: Iryna Shustava --- .../consul/templates/gossip-encryption-autogeneration-job.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/consul/templates/gossip-encryption-autogeneration-job.yaml b/charts/consul/templates/gossip-encryption-autogeneration-job.yaml index c4ebfc3056..e85002c305 100644 --- a/charts/consul/templates/gossip-encryption-autogeneration-job.yaml +++ b/charts/consul/templates/gossip-encryption-autogeneration-job.yaml @@ -26,7 +26,7 @@ spec: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} release: {{ .Release.Name }} - component: gossip-encryption-autogen + component: gossip-encryption-autogeneneration annotations: "consul.hashicorp.com/connect-inject": "false" spec: From 003096acc0a24480d6c935f2b14f84dc64f71eed Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Fri, 24 Sep 2021 10:59:59 -0400 Subject: [PATCH 33/58] Update charts/consul/test/unit/gossip-encryption-autogeneration-job.bats Co-authored-by: Iryna Shustava --- .../consul/test/unit/gossip-encryption-autogeneration-job.bats | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
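Review bot: The new label value `component: gossip-encryption-autogeneneration` is misspelled (an extra `ne`), so any selector or test that matches on the component label will miss this pod; it should read `component: gossip-encryption-autogeneration`. Even with the typo fixed, this hunk leaves three spellings for the same feature in the chart — the `-autogenerate` suffix on the Job, ServiceAccount, Role and RoleBinding names, `autogeneration` in the file names and this label, and `autogen` in the container name — and settling on one would make the resources easier to find. The pod template this label belongs to begins outside the hunk.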
diff --git a/charts/consul/test/unit/gossip-encryption-autogeneration-job.bats b/charts/consul/test/unit/gossip-encryption-autogeneration-job.bats index 76be0c7fc5..bb200e201c 100644 --- a/charts/consul/test/unit/gossip-encryption-autogeneration-job.bats +++ b/charts/consul/test/unit/gossip-encryption-autogeneration-job.bats @@ -39,7 +39,7 @@ load _helpers [[ "$output" =~ "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." ]] } -@test "gossipEncryptionAutogeneration/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretName are set" { +@test "gossipEncryptionAutogeneration/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretName is set" { cd `chart_dir` run helm template \ -s templates/gossip-encryption-autogeneration-job.yaml \ From ad03ca6a56b57fce50207e5bfadd0444d3b50702 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Fri, 24 Sep 2021 13:44:14 -0400 Subject: [PATCH 34/58] Don't do the pre-check, but don't replace the current secret --- .../gossip-encryption-autogeneration-job.yaml | 26 +++++++------------ 1 file changed, 9 insertions(+), 17 deletions(-) diff --git a/charts/consul/templates/gossip-encryption-autogeneration-job.yaml b/charts/consul/templates/gossip-encryption-autogeneration-job.yaml index e85002c305..8b966341a4 100644 --- a/charts/consul/templates/gossip-encryption-autogeneration-job.yaml +++ b/charts/consul/templates/gossip-encryption-autogeneration-job.yaml 
@@ -41,31 +41,23 @@ spec: fieldRef: fieldPath: metadata.namespace workingDir: /tmp + # We're using POST requests below to create secrets via Kubernetes API. + # Note that in the subsequent runs of the job, POST requests will + # return a 409 because these secrets would already exist; + # we are ignoring these response codes. command: - "/bin/sh" - "-ec" - | secretName={{ template "consul.fullname" . }}-gossip-encryption-key secretKey=key - # Check if secret already exists - currentGossipSecret=$(curl -s -X GET --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ - https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/${secretName} \ + keyValue=$(consul keygen | base64) + curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \ -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \ -H "Content-Type: application/json" \ - -H "Accept: application/json") - doesCurrentSecretNameExist=$(echo $currentGossipSecret | jq '.code==200') - if [ "$doesCurrentSecretNameExist" = "true" ]; then - doesCurrentSecretKeyExist=$(echo $currentGossipSecret | jq '.data.key') - fi - if [ "$doesCurrentSecretNameExist" = "false" ] || [ "$doesCurrentSecretKeyExist" != "null" ]; then - keyValue=$(consul keygen | base64) - curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ - https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \ - -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \ - -H "Content-Type: application/json" \ - -H "Accept: application/json" \ - -d "{ \"kind\": \"Secret\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"${secretName}\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"Opaque\", \"data\": { \"${secretKey}\": \"${keyValue}\" }}" > 
/dev/null - fi + -H "Accept: application/json" \ + -d "{ \"kind\": \"Secret\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"${secretName}\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"Opaque\", \"data\": { \"${secretKey}\": \"${keyValue}\" }}" > /dev/null resources: requests: memory: "50Mi" From cc90ccb6f0c61e90562fe21dc85f78fccee93144 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Fri, 24 Sep 2021 13:49:11 -0400 Subject: [PATCH 35/58] Update charts/consul/test/unit/gossip-encryption-autogeneration-job.bats Co-authored-by: Iryna Shustava --- .../consul/test/unit/gossip-encryption-autogeneration-job.bats | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/consul/test/unit/gossip-encryption-autogeneration-job.bats b/charts/consul/test/unit/gossip-encryption-autogeneration-job.bats index bb200e201c..e2b47d43b2 100644 --- a/charts/consul/test/unit/gossip-encryption-autogeneration-job.bats +++ b/charts/consul/test/unit/gossip-encryption-autogeneration-job.bats @@ -50,7 +50,7 @@ load _helpers [[ "$output" =~ "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." ]] } -@test "gossipEncryptionAutogeneration/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretKey are set" { +@test "gossipEncryptionAutogeneration/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretKey is set" { cd `chart_dir` run helm template \ -s templates/gossip-encryption-autogeneration-job.yaml \ From 3d0dcd8844b850be8aeed63a9c7d5fab2bc009fd Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Fri, 24 Sep 2021 13:50:05 -0400 Subject: [PATCH 36/58] Only give role create and get perms --- .../consul/templates/gossip-encryption-autogeneration-role.yaml | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/charts/consul/templates/gossip-encryption-autogeneration-role.yaml b/charts/consul/templates/gossip-encryption-autogeneration-role.yaml index d1881ef32f..ee5afac0ba 100644 --- a/charts/consul/templates/gossip-encryption-autogeneration-role.yaml +++ b/charts/consul/templates/gossip-encryption-autogeneration-role.yaml @@ -18,9 +18,7 @@ rules: - secrets verbs: - create - - update - get - - list {{- if .Values.global.enablePodSecurityPolicies }} - apiGroups: ["policy"] resources: From 33d24aa8c517e916db6390bd83c302adb2293f4a Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Fri, 24 Sep 2021 13:55:09 -0400 Subject: [PATCH 37/58] Update charts/consul/test/unit/gossip-encryption-autogeneration-podsecurity.bats Co-authored-by: Iryna Shustava --- .../test/unit/gossip-encryption-autogeneration-podsecurity.bats | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/consul/test/unit/gossip-encryption-autogeneration-podsecurity.bats b/charts/consul/test/unit/gossip-encryption-autogeneration-podsecurity.bats index 0709751d3c..d592315e5a 100644 --- a/charts/consul/test/unit/gossip-encryption-autogeneration-podsecurity.bats +++ b/charts/consul/test/unit/gossip-encryption-autogeneration-podsecurity.bats @@ -17,7 +17,7 @@ load _helpers . } -@test "gossipEncryptionAutogeneration/PodSecurityPolicy: enabled with global.gossipEncryption.autoGenerate=test" { +@test "gossipEncryptionAutogeneration/PodSecurityPolicy: enabled with global.gossipEncryption.autoGenerate=true" { cd `chart_dir` local actual=$(helm template \ -s templates/gossip-encryption-autogeneration-podsecuritypolicy.yaml \ From ab54f2904d734eca4d0de41f3a9b7b203fe65d66 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Fri, 24 Sep 2021 13:55:56 -0400 Subject: [PATCH 38/58] Update charts/consul/values.yaml Co-authored-by: Iryna Shustava --- charts/consul/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
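Review bot: After the pre-check GET was removed from the job script in the previous patch, the script only issues a POST, so the `get` verb kept on `secrets` here is unused and grants the job's service account read access to every Secret in the release namespace. Drop it, or if it is retained for a future existence check, scope it with `resourceNames: [{{ template "consul.fullname" . }}-gossip-encryption-key]` so only the autogenerated secret is readable. `create` cannot be narrowed by `resourceNames`, so it necessarily stays namespace-wide. The rules list continues above and below the hunk.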
diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 58baee7a8f..450178aef4 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -128,7 +128,7 @@ global: # $ kubectl create secret generic --from-literal==$(consul keygen) # ``` gossipEncryption: - # automatically generate a gossip encryption key and load it as a Kubernetes secret + # Automatically generate a gossip encryption key and save it to a Kubernetes secret. autoGenerate: false # secretName is the name of the Kubernetes secret that holds the gossip # encryption key. The secret must be in the same namespace that Consul is installed into. From 0849dc23637577e2930cf604806ebe90de9e4f3a Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Fri, 24 Sep 2021 13:57:46 -0400 Subject: [PATCH 39/58] Return kubectl command to what it was --- charts/consul/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 450178aef4..e16016a178 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -125,7 +125,7 @@ global: # a Kubernetes secret referencing these values. # # ``` - # $ kubectl create secret generic --from-literal==$(consul keygen) + # $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) # ``` gossipEncryption: # Automatically generate a gossip encryption key and save it to a Kubernetes secret. From d222cc328b797fe6390d79e55c4d30fcfd233d79 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Fri, 24 Sep 2021 15:48:07 -0400 Subject: [PATCH 40/58] Test that GOSSIP_KEY gets passed in on the encrypt flag --- charts/consul/test/unit/client-daemonset.bats | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/charts/consul/test/unit/client-daemonset.bats b/charts/consul/test/unit/client-daemonset.bats index cef48f7c81..e802f62d78 100755 --- a/charts/consul/test/unit/client-daemonset.bats +++ b/charts/consul/test/unit/client-daemonset.bats 
@@ -616,6 +616,16 @@ load _helpers [ "${actual}" = "true" ] } +@test "client/DaemonSet: gossip encryption key is passed in via the -encrypt flag" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/client-daemonset.yaml \ + --set 'global.gossipEncryption.autoGenerate=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[] | select(.name=="consul") | .command | any(contains("-encrypt=\"${GOSSIP_KEY}\""))' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + @test "client/DaemonSet: gossip encryption disabled in client DaemonSet when secretName is missing" { cd `chart_dir` local actual=$(helm template \ From 6a7708baa2673d38b48c7bde2fb7840c86713e1a Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Fri, 24 Sep 2021 15:55:14 -0400 Subject: [PATCH 41/58] Autogen job does not run as root --- .../templates/gossip-encryption-autogeneration-job.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/charts/consul/templates/gossip-encryption-autogeneration-job.yaml b/charts/consul/templates/gossip-encryption-autogeneration-job.yaml index 8b966341a4..f8612d9e4a 100644 --- a/charts/consul/templates/gossip-encryption-autogeneration-job.yaml +++ b/charts/consul/templates/gossip-encryption-autogeneration-job.yaml @@ -32,6 +32,11 @@ spec: spec: restartPolicy: Never serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 containers: - name: gossip-encryption-autogen image: "{{ .Values.global.image }}" From 5e634ccfef3b3ec1a876c090d5726b6894c5e2e8 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Wed, 29 Sep 2021 18:36:11 -0400 Subject: [PATCH 42/58] Add check that gossip encryption is getting set --- .../test/acceptance/tests/basic/basic_test.go | 47 ++++++++++++++----- 1 file changed, 36 insertions(+), 11 deletions(-) 
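Review bot: The pod-level `securityContext` stops the job running as root, but nothing at the container level prevents privilege escalation or drops capabilities; since the script only runs `consul keygen` and `curl`, a container `securityContext` with `allowPrivilegeEscalation: false` and `capabilities: { drop: [ALL] }` would cost nothing (`readOnlyRootFilesystem: true` presumably works too — confirm curl needs no writable path). The literal `runAsUser: 100` / `runAsGroup: 1000` presumably match the unprivileged user baked into the consul image; a one-line comment saying so, e.g. `# uid/gid of the consul user in the image`, would save the next reader a lookup. The container spec continues below the hunk.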
diff --git a/charts/consul/test/acceptance/tests/basic/basic_test.go b/charts/consul/test/acceptance/tests/basic/basic_test.go index cc3cdc9877..c69e91921a 100644 --- a/charts/consul/test/acceptance/tests/basic/basic_test.go +++ b/charts/consul/test/acceptance/tests/basic/basic_test.go @@ -1,6 +1,7 @@ package basic import ( + "context" "fmt" "strconv" "testing" @@ -10,6 +11,7 @@ import ( "github.com/hashicorp/consul-k8s/charts/consul/test/acceptance/framework/logger" "github.com/hashicorp/consul/api" "github.com/stretchr/testify/require" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) // Test that the basic installation, i.e. just @@ -20,18 +22,18 @@ func TestBasicInstallation(t *testing.T) { secure bool autoEncrypt bool }{ - { - false, - false, - }, + // { + // false, + // false, + // }, { true, false, }, - { - true, - true, - }, + // { + // true, + // true, + // }, } for _, c := range cases { @@ -39,9 +41,10 @@ func TestBasicInstallation(t *testing.T) { t.Run(name, func(t *testing.T) { releaseName := helpers.RandomName() helmValues := map[string]string{ - "global.acls.manageSystemACLs": strconv.FormatBool(c.secure), - "global.tls.enabled": strconv.FormatBool(c.secure), - "global.tls.enableAutoEncrypt": strconv.FormatBool(c.autoEncrypt), + "global.acls.manageSystemACLs": strconv.FormatBool(c.secure), + "global.tls.enabled": strconv.FormatBool(c.secure), + "global.gossipEncryption.autoGenerate": strconv.FormatBool(c.secure), + "global.tls.enableAutoEncrypt": strconv.FormatBool(c.autoEncrypt), } consulCluster := consul.NewHelmCluster(t, helmValues, suite.Environment().DefaultContext(t), suite.Config(), releaseName) 
@@ -63,6 +66,28 @@ func TestBasicInstallation(t *testing.T) {
 kv, _, err := client.KV().Get(randomKey, nil)
 require.NoError(t, err)
 require.Equal(t, kv.Value, randomValue)
+
+ // Check that autogenerated gossip encryption key is being used
+ if c.secure {
+ secretName := releaseName + "-consul-gossip-encryption-key"
+ logger.Logf(t, "Release Name: %+v\n", releaseName)
+ secretKey := "key"
+
+ keyring, err := client.Operator().KeyringList(nil)
+ require.NoError(t, err)
+
+ testContext := suite.Environment().DefaultContext(t)
+ secret, err := testContext.KubernetesClient(t).CoreV1().Secrets(testContext.KubectlOptions(t).Namespace).Get(context.Background(), secretName, v1.GetOptions{})
+ logger.Logf(t, "Secret: %+v\n", secret.String())
+ require.NoError(t, err)
+ gossipEncryptionKey := string(secret.Data[secretKey])
+ logger.Logf(t, "Gossip Encryption Key from Secrets: %+v\n", gossipEncryptionKey)
+
+ require.Len(t, keyring, 2)
+ logger.Logf(t, "Keyring: %+v\n", keyring[0].Keys)
+ _, ok := keyring[0].Keys[gossipEncryptionKey]
+ require.True(t, ok)
+ }
 })
 }
 }
From b4a1ea4a1b58d5b1b0be03a7349326c4c50eab63 Mon Sep 17 00:00:00 2001
From: Thomas Eckert
Date: Thu, 30 Sep 2021 10:47:47 -0400
Subject: [PATCH 43/58] Fix test for gossip encryption in acceptance tests
---
 .../test/acceptance/tests/basic/basic_test.go | 26 ++++++++-----------
 1 file changed, 11 insertions(+), 15 deletions(-)
diff --git a/charts/consul/test/acceptance/tests/basic/basic_test.go b/charts/consul/test/acceptance/tests/basic/basic_test.go
index c69e91921a..6d64776924 100644
--- a/charts/consul/test/acceptance/tests/basic/basic_test.go
+++ b/charts/consul/test/acceptance/tests/basic/basic_test.go
@@ -4,6 +4,7 @@ import (
 "context"
 "fmt"
 "strconv"
+ "strings"
 "testing"

 "github.com/hashicorp/consul-k8s/charts/consul/test/acceptance/framework/consul"
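Review bot: `secret.String()` is logged before `require.NoError(t, err)`, so a failed `Secrets().Get` surfaces as a nil-pointer panic instead of a readable assertion failure; move the `require.NoError` above the `Logf`. The same `Logf` calls print the whole Secret and the gossip encryption key into the test output, and CI logs are usually retained and readable far more widely than the namespace's Secrets, so the key should not be logged at all (a later patch in this series drops these lines). `require.Len(t, keyring, 2)` together with the `keyring[0]` index pins both the number of keyrings and their order in the `KeyringList` response; ranging over `keyring` and requiring each entry to contain the key expresses the actual intent without that assumption. TestBasicInstallation starts outside the hunk.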
@@ -22,18 +23,18 @@ func TestBasicInstallation(t *testing.T) {
 secure bool
 autoEncrypt bool
 }{
- // {
- // false,
- // false,
- // },
+ {
+ false,
+ false,
+ },
 {
 true,
 false,
 },
- // {
- // true,
- // true,
- // },
+ {
+ true,
+ true,
+ },
 }

 for _, c := range cases {
@@ -70,7 +71,6 @@ func TestBasicInstallation(t *testing.T) {
 // Check that autogenerated gossip encryption key is being used
 if c.secure {
 secretName := releaseName + "-consul-gossip-encryption-key"
- logger.Logf(t, "Release Name: %+v\n", releaseName)
 secretKey := "key"

 keyring, err := client.Operator().KeyringList(nil)
@@ -78,15 +78,11 @@ func TestBasicInstallation(t *testing.T) {

 testContext := suite.Environment().DefaultContext(t)
 secret, err := testContext.KubernetesClient(t).CoreV1().Secrets(testContext.KubectlOptions(t).Namespace).Get(context.Background(), secretName, v1.GetOptions{})
- logger.Logf(t, "Secret: %+v\n", secret.String())
 require.NoError(t, err)
- gossipEncryptionKey := string(secret.Data[secretKey])
- logger.Logf(t, "Gossip Encryption Key from Secrets: %+v\n", gossipEncryptionKey)
+ gossipEncryptionKey := strings.TrimSpace(string(secret.Data[secretKey]))

 require.Len(t, keyring, 2)
- logger.Logf(t, "Keyring: %+v\n", keyring[0].Keys)
- _, ok := keyring[0].Keys[gossipEncryptionKey]
- require.True(t, ok)
+ require.Contains(t, keyring[0].Keys, gossipEncryptionKey)
 }
 })
 }
From 1b12bc6b7fa5e6a799bd90e5769bba8e625ed55f Mon Sep 17 00:00:00 2001
From: Thomas Eckert
Date: Thu, 30 Sep 2021 12:31:47 -0400
Subject: [PATCH 44/58] Update charts/consul/test/acceptance/tests/basic/basic_test.go
Co-authored-by: Ashwin Venkatesh
---
 charts/consul/test/acceptance/tests/basic/basic_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/consul/test/acceptance/tests/basic/basic_test.go b/charts/consul/test/acceptance/tests/basic/basic_test.go
index 6d64776924..90a32e344a 100644
--- a/charts/consul/test/acceptance/tests/basic/basic_test.go
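Review bot: The `strings.TrimSpace` wrapped around `secret.Data[secretKey]` implies the job stores the key with trailing whitespace (presumably a newline from the generator); every consumer then has to trim identically, so it is cleaner to strip it where the Secret is written — verify against the job template, which is not in this hunk. Before indexing the map, add `require.Contains(t, secret.Data, secretKey)` so a Secret that exists but lacks the `key` entry fails with a clear message rather than searching the keyring for an empty string. `require.Contains(t, keyring[0].Keys, gossipEncryptionKey)` still depends on the order of `KeyringList` results; `for _, kr := range keyring { require.Contains(t, kr.Keys, gossipEncryptionKey) }` after the `require.Len` checks every keyring without that assumption. TestBasicInstallation starts outside the hunk.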
+++ b/charts/consul/test/acceptance/tests/basic/basic_test.go
@@ -70,7 +70,7 @@ func TestBasicInstallation(t *testing.T) {

 // Check that autogenerated gossip encryption key is being used
 if c.secure {
- secretName := releaseName + "-consul-gossip-encryption-key"
+ secretName := fmt.Sprintf("%s-consul-gossip-encryption-key", releaseName)
 secretKey := "key"

 keyring, err := client.Operator().KeyringList(nil)
From 423f95852020e03f66834a3744e85ff19140df98 Mon Sep 17 00:00:00 2001
From: Thomas Eckert Date: Thu, 30 Sep 2021 13:47:42 -0400 Subject: [PATCH 45/58] Rename s/autogeneration/autogenerate/ for gossip-encryption-autogeneration-* --- ...eneration-job.yaml => gossip-encryption-autogenerate-job.yaml} | 0 ...yaml => gossip-encryption-autogenerate-podsecuritypolicy.yaml} | 0 ...eration-role.yaml => gossip-encryption-autogenerate-role.yaml} | 0 ...nding.yaml => gossip-encryption-autogenerate-rolebinding.yaml} | 0 ...nt.yaml => gossip-encryption-autogenerate-serviceaccount.yaml} | 0 ...eneration-job.bats => gossip-encryption-autogenerate-job.bats} | 0 ...urity.bats => gossip-encryption-autogenerate-podsecurity.bats} | 0 ...eration-role.bats => gossip-encryption-autogenerate-role.bats} | 0 ...nding.bats => gossip-encryption-autogenerate-rolebinding.bats} | 0 ...nt.bats => gossip-encryption-autogenerate-serviceaccount.bats} | 0 10 files changed, 0 insertions(+), 0 deletions(-) rename charts/consul/templates/{gossip-encryption-autogeneration-job.yaml => gossip-encryption-autogenerate-job.yaml} (100%) rename charts/consul/templates/{gossip-encryption-autogeneration-podsecuritypolicy.yaml => gossip-encryption-autogenerate-podsecuritypolicy.yaml} (100%) rename charts/consul/templates/{gossip-encryption-autogeneration-role.yaml => gossip-encryption-autogenerate-role.yaml} (100%) rename charts/consul/templates/{gossip-encryption-autogeneration-rolebinding.yaml => gossip-encryption-autogenerate-rolebinding.yaml} (100%) rename charts/consul/templates/{gossip-encryption-autogeneration-serviceaccount.yaml => gossip-encryption-autogenerate-serviceaccount.yaml} (100%) rename charts/consul/test/unit/{gossip-encryption-autogeneration-job.bats => gossip-encryption-autogenerate-job.bats} (100%) rename charts/consul/test/unit/{gossip-encryption-autogeneration-podsecurity.bats => gossip-encryption-autogenerate-podsecurity.bats} (100%) rename charts/consul/test/unit/{gossip-encryption-autogeneration-role.bats => gossip-encryption-autogenerate-role.bats} (100%) 
rename charts/consul/test/unit/{gossip-encryption-autogeneration-rolebinding.bats => gossip-encryption-autogenerate-rolebinding.bats} (100%) rename charts/consul/test/unit/{gossip-encryption-autogeneration-serviceaccount.bats => gossip-encryption-autogenerate-serviceaccount.bats} (100%) diff --git a/charts/consul/templates/gossip-encryption-autogeneration-job.yaml b/charts/consul/templates/gossip-encryption-autogenerate-job.yaml similarity index 100% rename from charts/consul/templates/gossip-encryption-autogeneration-job.yaml rename to charts/consul/templates/gossip-encryption-autogenerate-job.yaml diff --git a/charts/consul/templates/gossip-encryption-autogeneration-podsecuritypolicy.yaml b/charts/consul/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml similarity index 100% rename from charts/consul/templates/gossip-encryption-autogeneration-podsecuritypolicy.yaml rename to charts/consul/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml diff --git a/charts/consul/templates/gossip-encryption-autogeneration-role.yaml b/charts/consul/templates/gossip-encryption-autogenerate-role.yaml similarity index 100% rename from charts/consul/templates/gossip-encryption-autogeneration-role.yaml rename to charts/consul/templates/gossip-encryption-autogenerate-role.yaml diff --git a/charts/consul/templates/gossip-encryption-autogeneration-rolebinding.yaml b/charts/consul/templates/gossip-encryption-autogenerate-rolebinding.yaml similarity index 100% rename from charts/consul/templates/gossip-encryption-autogeneration-rolebinding.yaml rename to charts/consul/templates/gossip-encryption-autogenerate-rolebinding.yaml 
diff --git a/charts/consul/templates/gossip-encryption-autogeneration-serviceaccount.yaml b/charts/consul/templates/gossip-encryption-autogenerate-serviceaccount.yaml similarity index 100% rename from charts/consul/templates/gossip-encryption-autogeneration-serviceaccount.yaml rename to charts/consul/templates/gossip-encryption-autogenerate-serviceaccount.yaml diff --git a/charts/consul/test/unit/gossip-encryption-autogeneration-job.bats b/charts/consul/test/unit/gossip-encryption-autogenerate-job.bats similarity index 100% rename from charts/consul/test/unit/gossip-encryption-autogeneration-job.bats rename to charts/consul/test/unit/gossip-encryption-autogenerate-job.bats diff --git a/charts/consul/test/unit/gossip-encryption-autogeneration-podsecurity.bats b/charts/consul/test/unit/gossip-encryption-autogenerate-podsecurity.bats similarity index 100% rename from charts/consul/test/unit/gossip-encryption-autogeneration-podsecurity.bats rename to charts/consul/test/unit/gossip-encryption-autogenerate-podsecurity.bats diff --git a/charts/consul/test/unit/gossip-encryption-autogeneration-role.bats b/charts/consul/test/unit/gossip-encryption-autogenerate-role.bats similarity index 100% rename from charts/consul/test/unit/gossip-encryption-autogeneration-role.bats rename to charts/consul/test/unit/gossip-encryption-autogenerate-role.bats diff --git a/charts/consul/test/unit/gossip-encryption-autogeneration-rolebinding.bats b/charts/consul/test/unit/gossip-encryption-autogenerate-rolebinding.bats similarity index 100% rename from charts/consul/test/unit/gossip-encryption-autogeneration-rolebinding.bats rename to charts/consul/test/unit/gossip-encryption-autogenerate-rolebinding.bats 
diff --git a/charts/consul/test/unit/gossip-encryption-autogeneration-serviceaccount.bats b/charts/consul/test/unit/gossip-encryption-autogenerate-serviceaccount.bats similarity index 100% rename from charts/consul/test/unit/gossip-encryption-autogeneration-serviceaccount.bats rename to charts/consul/test/unit/gossip-encryption-autogenerate-serviceaccount.bats From b611841b2ae7f9f58b5b8652e5d7fd66a36de1f2 Mon Sep 17 00:00:00 2001 From: Thomas Eckert Date: Thu, 30 Sep 2021 14:09:04 -0400 Subject: [PATCH 46/58] Use correct filename in bats --- .../gossip-encryption-autogenerate-job.bats | 28 +++++++++---------- ...p-encryption-autogenerate-podsecurity.bats | 14 +++++----- .../gossip-encryption-autogenerate-role.bats | 12 ++++---- ...p-encryption-autogenerate-rolebinding.bats | 14 +++++----- ...ncryption-autogenerate-serviceaccount.bats | 16 +++++------ 5 files changed, 42 insertions(+), 42 deletions(-) diff --git a/charts/consul/test/unit/gossip-encryption-autogenerate-job.bats b/charts/consul/test/unit/gossip-encryption-autogenerate-job.bats index e2b47d43b2..b41c6967f2 100644 --- a/charts/consul/test/unit/gossip-encryption-autogenerate-job.bats +++ b/charts/consul/test/unit/gossip-encryption-autogenerate-job.bats 
@@ -2,35 +2,35 @@ load _helpers -@test "gossipEncryptionAutogeneration/Job: disabled by default" { +@test "gossipEncryptionAutogenerate/Job: disabled by default" { cd `chart_dir` assert_empty helm template \ - -s templates/gossip-encryption-autogeneration-job.yaml \ + -s templates/gossip-encryption-autogenerate-job.yaml \ . } -@test "gossipEncryptionAutogeneration/Job: enabled with global.gossipEncryption.autoGenerate=true" { +@test "gossipEncryptionAutogenerate/Job: enabled with global.gossipEncryption.autoGenerate=true" { cd `chart_dir` local actual=$(helm template \ - -s templates/gossip-encryption-autogeneration-job.yaml \ + -s templates/gossip-encryption-autogenerate-job.yaml \ --set 'global.gossipEncryption.autoGenerate=true' \ . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } -@test "gossipEncryptionAutogeneration/Job: disabled when global.gossipEncryption.autoGenerate=false" { +@test "gossipEncryptionAutogenerate/Job: disabled when global.gossipEncryption.autoGenerate=false" { cd `chart_dir` assert_empty helm template \ - -s templates/gossip-encryption-autogeneration-job.yaml \ + -s templates/gossip-encryption-autogenerate-job.yaml \ --set 'global.gossipEncryption.autoGenerate=false' \ . } -@test "gossipEncryptionAutogeneration/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretName and global.gossipEncryption.secretKey are set" { +@test "gossipEncryptionAutogenerate/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretName and global.gossipEncryption.secretKey are set" { cd `chart_dir` run helm template \ - -s templates/gossip-encryption-autogeneration-job.yaml \ + -s templates/gossip-encryption-autogenerate-job.yaml \ --set 'global.gossipEncryption.autoGenerate=true' \ --set 'global.gossipEncryption.secretName=name' \ --set 'global.gossipEncryption.secretKey=key' \ 
@@ -39,10 +39,10 @@ load _helpers [[ "$output" =~ "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." ]] } -@test "gossipEncryptionAutogeneration/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretName is set" { +@test "gossipEncryptionAutogenerate/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretName is set" { cd `chart_dir` run helm template \ - -s templates/gossip-encryption-autogeneration-job.yaml \ + -s templates/gossip-encryption-autogenerate-job.yaml \ --set 'global.gossipEncryption.autoGenerate=true' \ --set 'global.gossipEncryption.secretName=name' \ . @@ -50,10 +50,10 @@ load _helpers [[ "$output" =~ "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." ]] } -@test "gossipEncryptionAutogeneration/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretKey is set" { +@test "gossipEncryptionAutogenerate/Job: fails if global.gossipEncryption.autoGenerate=true and global.gossipEncryption.secretKey is set" { cd `chart_dir` run helm template \ - -s templates/gossip-encryption-autogeneration-job.yaml \ + -s templates/gossip-encryption-autogenerate-job.yaml \ --set 'global.gossipEncryption.autoGenerate=true' \ --set 'global.gossipEncryption.secretKey=key' \ . 
@@ -62,10 +62,10 @@ load _helpers } -@test "gossipEncryptionAutogeneration/Job: secretName and secretKey are generated" { +@test "gossipEncryptionAutogenerate/Job: secretName and secretKey are generated" { cd `chart_dir` local actual=$(helm template \ - -s templates/gossip-encryption-autogeneration-job.yaml \ + -s templates/gossip-encryption-autogenerate-job.yaml \ --set 'global.gossipEncryption.autoGenerate=true' \ . | tee /dev/stderr | yq '.spec.template.spec.containers[0].command | any(contains("secretName=RELEASE-NAME-consul-gossip-encryption-key\nsecretKey=key"))' | tee /dev/stderr) diff --git a/charts/consul/test/unit/gossip-encryption-autogenerate-podsecurity.bats b/charts/consul/test/unit/gossip-encryption-autogenerate-podsecurity.bats index d592315e5a..810147bed3 100644 --- a/charts/consul/test/unit/gossip-encryption-autogenerate-podsecurity.bats +++ b/charts/consul/test/unit/gossip-encryption-autogenerate-podsecurity.bats 
@@ -2,27 +2,27 @@ load _helpers -@test "gossipEncryptionAutogeneration/PodSecurityPolicy: disabled by default" { +@test "gossipEncryptionAutogenerate/PodSecurityPolicy: disabled by default" { cd `chart_dir` assert_empty helm template \ - -s templates/gossip-encryption-autogeneration-podsecuritypolicy.yaml \ + -s templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml \ . } -@test "gossipEncryptionAutogeneration/PodSecurityPolicy: disabled with global.gossipEncryption.autoGenerate=false" { +@test "gossipEncryptionAutogenerate/PodSecurityPolicy: disabled with global.gossipEncryption.autoGenerate=false" { cd `chart_dir` assert_empty helm template \ - -s templates/gossip-encryption-autogeneration-podsecuritypolicy.yaml \ + -s templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml \ --set 'global.gossipEncryption.autoGenerate=false' \ . } -@test "gossipEncryptionAutogeneration/PodSecurityPolicy: enabled with global.gossipEncryption.autoGenerate=true" { +@test "gossipEncryptionAutogenerate/PodSecurityPolicy: enabled with global.gossipEncryption.autoGenerate=true" { cd `chart_dir` local actual=$(helm template \ - -s templates/gossip-encryption-autogeneration-podsecuritypolicy.yaml \ + -s templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml \ --set 'global.gossipEncryption.autoGenerate=true' \ . | tee /dev/stderr | yq -s 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] -} \ No newline at end of file +} diff --git a/charts/consul/test/unit/gossip-encryption-autogenerate-role.bats b/charts/consul/test/unit/gossip-encryption-autogenerate-role.bats index 7052bb7ba5..7707a872f0 100644 --- a/charts/consul/test/unit/gossip-encryption-autogenerate-role.bats +++ b/charts/consul/test/unit/gossip-encryption-autogenerate-role.bats 
@@ -2,25 +2,25 @@ load _helpers -@test "gossipEncryptionAutogeneration/Role: disabled by default" { +@test "gossipEncryptionAutogenerate/Role: disabled by default" { cd `chart_dir` assert_empty helm template \ - -s templates/gossip-encryption-autogeneration-role.yaml \ + -s templates/gossip-encryption-autogenerate-role.yaml \ . } -@test "gossipEncryptionAutogeneration/Role: disabled with global.gossipEncryption.autoGenerate=false" { +@test "gossipEncryptionAutogenerate/Role: disabled with global.gossipEncryption.autoGenerate=false" { cd `chart_dir` assert_empty helm template \ - -s templates/gossip-encryption-autogeneration-role.yaml \ + -s templates/gossip-encryption-autogenerate-role.yaml \ --set 'global.gossipEncryption.autoGenerate=false' \ . } -@test "gossipEncryptionAutogeneration/Role: enabled when global.gossipEncryption.autoGenerate=true" { +@test "gossipEncryptionAutogenerate/Role: enabled when global.gossipEncryption.autoGenerate=true" { cd `chart_dir` local actual=$(helm template \ - -s templates/gossip-encryption-autogeneration-role.yaml \ + -s templates/gossip-encryption-autogenerate-role.yaml \ --set 'global.gossipEncryption.autoGenerate=true' \ . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) diff --git a/charts/consul/test/unit/gossip-encryption-autogenerate-rolebinding.bats b/charts/consul/test/unit/gossip-encryption-autogenerate-rolebinding.bats index a3b79a3174..9847beaa24 100644 --- a/charts/consul/test/unit/gossip-encryption-autogenerate-rolebinding.bats +++ b/charts/consul/test/unit/gossip-encryption-autogenerate-rolebinding.bats 
@@ -3,27 +3,27 @@ load _helpers -@test "gossipEncryptionAutogeneration/RoleBinding: disabled by default" { +@test "gossipEncryptionAutogenerate/RoleBinding: disabled by default" { cd `chart_dir` assert_empty helm template \ - -s templates/gossip-encryption-autogeneration-rolebinding.yaml \ + -s templates/gossip-encryption-autogenerate-rolebinding.yaml \ . } -@test "gossipEncryptionAutogeneration/RoleBinding: disabled with global.gossipEncryption.autoGenerate=false" { +@test "gossipEncryptionAutogenerate/RoleBinding: disabled with global.gossipEncryption.autoGenerate=false" { cd `chart_dir` assert_empty helm template \ - -s templates/gossip-encryption-autogeneration-rolebinding.yaml \ + -s templates/gossip-encryption-autogenerate-rolebinding.yaml \ --set 'global.gossipEncryption.autoGenerate=false' \ . } -@test "gossipEncryptionAutogeneration/RoleBinding: enabled with global.gossipEncryption.autoGenerate=true" { +@test "gossipEncryptionAutogenerate/RoleBinding: enabled with global.gossipEncryption.autoGenerate=true" { cd `chart_dir` local actual=$(helm template \ - -s templates/gossip-encryption-autogeneration-rolebinding.yaml \ + -s templates/gossip-encryption-autogenerate-rolebinding.yaml \ --set 'global.gossipEncryption.autoGenerate=true' \ . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] -} \ No newline at end of file +} diff --git a/charts/consul/test/unit/gossip-encryption-autogenerate-serviceaccount.bats b/charts/consul/test/unit/gossip-encryption-autogenerate-serviceaccount.bats index aa86571c33..782d1b1ad6 100644 --- a/charts/consul/test/unit/gossip-encryption-autogenerate-serviceaccount.bats +++ b/charts/consul/test/unit/gossip-encryption-autogenerate-serviceaccount.bats 
@@ -2,25 +2,25 @@ load _helpers -@test "gossipEncryptionAutogeneration/ServiceAccount: disabled by default" { +@test "gossipEncryptionAutogenerate/ServiceAccount: disabled by default" { cd `chart_dir` assert_empty helm template \ - -s templates/gossip-encryption-autogeneration-serviceaccount.yaml \ + -s templates/gossip-encryption-autogenerate-serviceaccount.yaml \ . } -@test "gossipEncryptionAutogeneration/ServiceAccount: disabled with global.gossipEncryption.autoGenerate=false" { +@test "gossipEncryptionAutogenerate/ServiceAccount: disabled with global.gossipEncryption.autoGenerate=false" { cd `chart_dir` assert_empty helm template \ - -s templates/gossip-encryption-autogeneration-serviceaccount.yaml \ + -s templates/gossip-encryption-autogenerate-serviceaccount.yaml \ --set 'global.gossipEncryption.autoGenerate=false' \ . } -@test "gossipEncryptionAutogeneration/ServiceAccount: enabled with global.gossipEncryption.autoGenerate=true" { +@test "gossipEncryptionAutogenerate/ServiceAccount: enabled with global.gossipEncryption.autoGenerate=true" { cd `chart_dir` local actual=$(helm template \ - -s templates/gossip-encryption-autogeneration-serviceaccount.yaml \ + -s templates/gossip-encryption-autogenerate-serviceaccount.yaml \ --set 'global.gossipEncryption.autoGenerate=true' \ . | tee /dev/stderr | yq 'length > 0' | tee /dev/stderr) @@ -30,10 +30,10 @@ load _helpers #-------------------------------------------------------------------- # global.imagePullSecrets -@test "gossipEncryptionAutogeneration/ServiceAccount: can set image pull secrets" { +@test "gossipEncryptionAutogenerate/ServiceAccount: can set image pull secrets" { cd `chart_dir` local object=$(helm template \ - -s templates/gossip-encryption-autogeneration-serviceaccount.yaml \ + -s templates/gossip-encryption-autogenerate-serviceaccount.yaml \ --set 'global.gossipEncryption.autoGenerate=true' \ --set 'global.imagePullSecrets[0].name=my-secret' \ --set 'global.imagePullSecrets[1].name=my-secret2' \ 
From 9192f9e8dbcc7fa9d406a55bcc59b64524ca2815 Mon Sep 17 00:00:00 2001
From: Thomas Eckert
Date: Thu, 30 Sep 2021 14:11:28 -0400
Subject: [PATCH 47/58] Rename podsecuritypolicy test to be correct
---
 ...bats => gossip-encryption-autogenerate-podsecuritypolicy.bats} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename charts/consul/test/unit/{gossip-encryption-autogenerate-podsecurity.bats => gossip-encryption-autogenerate-podsecuritypolicy.bats} (100%)
diff --git a/charts/consul/test/unit/gossip-encryption-autogenerate-podsecurity.bats b/charts/consul/test/unit/gossip-encryption-autogenerate-podsecuritypolicy.bats
similarity index 100%
rename from charts/consul/test/unit/gossip-encryption-autogenerate-podsecurity.bats
rename to charts/consul/test/unit/gossip-encryption-autogenerate-podsecuritypolicy.bats
From 7fcb7572bac822b68645a966f5897322c6acb0af Mon Sep 17 00:00:00 2001
From: Thomas Eckert
Date: Thu, 30 Sep 2021 15:06:07 -0400
Subject: [PATCH 48/58] Change v1 to metaV1
---
 charts/consul/test/acceptance/tests/basic/basic_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/consul/test/acceptance/tests/basic/basic_test.go b/charts/consul/test/acceptance/tests/basic/basic_test.go
index 90a32e344a..311c0602d0 100644
--- a/charts/consul/test/acceptance/tests/basic/basic_test.go
+++ b/charts/consul/test/acceptance/tests/basic/basic_test.go
@@ -12,7 +12,7 @@ import (
 "github.com/hashicorp/consul-k8s/charts/consul/test/acceptance/framework/logger"
 "github.com/hashicorp/consul/api"
 "github.com/stretchr/testify/require"
- v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

 // Test that the basic installation, i.e. just
@@ -77,7 +77,7 @@ func TestBasicInstallation(t *testing.T) {
 require.NoError(t, err)

 testContext := suite.Environment().DefaultContext(t)
- secret, err := testContext.KubernetesClient(t).CoreV1().Secrets(testContext.KubectlOptions(t).Namespace).Get(context.Background(), secretName, v1.GetOptions{})
+ secret, err := testContext.KubernetesClient(t).CoreV1().Secrets(testContext.KubectlOptions(t).Namespace).Get(context.Background(), secretName, metaV1.GetOptions{})
 require.NoError(t, err)
 gossipEncryptionKey := strings.TrimSpace(string(secret.Data[secretKey]))

From 3e6e476eb0b9ca80281a2da70fdb745ec4837897 Mon Sep 17 00:00:00 2001
From: Thomas Eckert
Date: Thu, 30 Sep 2021 15:14:00 -0400
Subject: [PATCH 49/58] Update charts/consul/test/acceptance/tests/basic/basic_test.go
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
---
 charts/consul/test/acceptance/tests/basic/basic_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/consul/test/acceptance/tests/basic/basic_test.go b/charts/consul/test/acceptance/tests/basic/basic_test.go
index 311c0602d0..c725fdf9e3 100644
--- a/charts/consul/test/acceptance/tests/basic/basic_test.go
+++ b/charts/consul/test/acceptance/tests/basic/basic_test.go
@@ -12,7 +12,7 @@ import (
 "github.com/hashicorp/consul-k8s/charts/consul/test/acceptance/framework/logger"
 "github.com/hashicorp/consul/api"
 "github.com/stretchr/testify/require"
- metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

 // Test that the basic installation, i.e. just
From 7cd21826f829531a35649b4d8d59c72d0f76a042 Mon Sep 17 00:00:00 2001
From: Thomas Eckert
Date: Thu, 30 Sep 2021 15:55:54 -0400
Subject: [PATCH 50/58] Test the other keyring value
---
 charts/consul/test/acceptance/tests/basic/basic_test.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/charts/consul/test/acceptance/tests/basic/basic_test.go b/charts/consul/test/acceptance/tests/basic/basic_test.go
index 311c0602d0..845bf40e30 100644
--- a/charts/consul/test/acceptance/tests/basic/basic_test.go
+++ b/charts/consul/test/acceptance/tests/basic/basic_test.go
@@ -83,6 +83,7 @@ func TestBasicInstallation(t *testing.T) {

 require.Len(t, keyring, 2)
 require.Contains(t, keyring[0].Keys, gossipEncryptionKey)
+ require.Contains(t, keyring[1].Keys, gossipEncryptionKey)
 }
 })
 }
From 5656890420840c8981f9d2ced224d0bea714e56d Mon Sep 17 00:00:00 2001
From: Thomas Eckert
Date: Thu, 30 Sep 2021 16:54:16 -0400
Subject: [PATCH 51/58] Remove arbitrary test
---
 .../test/unit/gossip-encryption-autogenerate-job.bats | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/charts/consul/test/unit/gossip-encryption-autogenerate-job.bats b/charts/consul/test/unit/gossip-encryption-autogenerate-job.bats
index b41c6967f2..b78b9c231d 100644
--- a/charts/consul/test/unit/gossip-encryption-autogenerate-job.bats
+++ b/charts/consul/test/unit/gossip-encryption-autogenerate-job.bats
@@ -61,14 +61,3 @@ load _helpers
 [[ "$output" =~ "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." ]]
 }

-
-@test "gossipEncryptionAutogenerate/Job: secretName and secretKey are generated" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/gossip-encryption-autogenerate-job.yaml \
- --set 'global.gossipEncryption.autoGenerate=true' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].command | any(contains("secretName=RELEASE-NAME-consul-gossip-encryption-key\nsecretKey=key"))' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
From 58163fcaa0815e204e5c8081d507325e7361f5f1 Mon Sep 17 00:00:00 2001
From: Thomas Eckert
Date: Thu, 30 Sep 2021 16:55:38 -0400
Subject: [PATCH 52/58] Remove document separator
---
 charts/consul/templates/gossip-encryption-autogenerate-job.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/charts/consul/templates/gossip-encryption-autogenerate-job.yaml b/charts/consul/templates/gossip-encryption-autogenerate-job.yaml
index f8612d9e4a..8a50954e62 100644
--- a/charts/consul/templates/gossip-encryption-autogenerate-job.yaml
+++ b/charts/consul/templates/gossip-encryption-autogenerate-job.yaml
@@ -2,7 +2,6 @@
 {{- if (or .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
 {{ fail "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." }}
 {{ end }}
----
 # automatically generate encryption key for gossip protocol and save it in Kubernetes secret
 apiVersion: batch/v1
 kind: Job
From a0a6cec0b81c33ec4907973f4e0ef70f6fc3665f Mon Sep 17 00:00:00 2001
From: Thomas Eckert
Date: Thu, 30 Sep 2021 16:58:03 -0400
Subject: [PATCH 53/58] Remove temp dir from job
---
 charts/consul/templates/gossip-encryption-autogenerate-job.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/charts/consul/templates/gossip-encryption-autogenerate-job.yaml b/charts/consul/templates/gossip-encryption-autogenerate-job.yaml
index 8a50954e62..ae5c0674d1 100644
--- a/charts/consul/templates/gossip-encryption-autogenerate-job.yaml
+++ b/charts/consul/templates/gossip-encryption-autogenerate-job.yaml
@@ -44,7 +44,6 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
- workingDir: /tmp
 # We're using POST requests below to create secrets via Kubernetes API.
 # Note that in the subsequent runs of the job, POST requests will
 # return a 409 because these secrets would already exist;
From f6fcaa52a84a09737895ada2a98d732342c09419 Mon Sep 17 00:00:00 2001
From: Thomas Eckert
Date: Thu, 30 Sep 2021 16:59:06 -0400
Subject: [PATCH 54/58] Remove get perm from autogenerate role
---
 charts/consul/templates/gossip-encryption-autogenerate-role.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/charts/consul/templates/gossip-encryption-autogenerate-role.yaml b/charts/consul/templates/gossip-encryption-autogenerate-role.yaml
index ee5afac0ba..5f9d354f38 100644
--- a/charts/consul/templates/gossip-encryption-autogenerate-role.yaml
+++ b/charts/consul/templates/gossip-encryption-autogenerate-role.yaml
@@ -18,7 +18,6 @@ rules:
 - secrets
 verbs:
 - create
- - get
 {{- if .Values.global.enablePodSecurityPolicies }}
 - apiGroups: ["policy"]
 resources:
From 4627225aff891ad9ff12f723347dc78f7959b1fa Mon Sep 17 00:00:00 2001
From: Thomas Eckert
Date: Fri, 1 Oct 2021 11:40:00 -0400
Subject: [PATCH 55/58] Add -encrypt flag test for client-daemonset
---
 charts/consul/test/unit/client-daemonset.bats | 3 ++-
 charts/consul/test/unit/server-statefulset.bats | 12 ++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/charts/consul/test/unit/client-daemonset.bats b/charts/consul/test/unit/client-daemonset.bats
index ce91d380a1..cbbbc10ef9 100755
--- a/charts/consul/test/unit/client-daemonset.bats
+++ b/charts/consul/test/unit/client-daemonset.bats
@@ -622,7 +622,8 @@ load _helpers
 -s templates/client-daemonset.yaml \
 --set 'global.gossipEncryption.autoGenerate=true' \
 . | tee /dev/stderr |
- yq '.spec.template.spec.containers[] | select(.name=="consul") | .command | any(contains("-encrypt=\"${GOSSIP_KEY}\""))' | tee /dev/stderr)
+ yq '.spec.template.spec.containers[] | select(.name=="consul") | .command | any(contains("-encrypt=\"${GOSSIP_KEY}\""))'
+ | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }

diff --git a/charts/consul/test/unit/server-statefulset.bats b/charts/consul/test/unit/server-statefulset.bats
index 7acc3ec713..a7e48a3951 100755
--- a/charts/consul/test/unit/server-statefulset.bats
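Review bot: With `get` removed the Role grants only `create` on secrets, which is the right direction, but the template should record that this is as narrow as RBAC allows: `resourceNames` does not apply to `create` because the object name is not known at authorization time, so the job's service account can still create any Secret in its namespace. A comment above `verbs:` such as `# create cannot be scoped by resourceNames; this permits creating any Secret in the namespace` stops a future maintainer from adding a resourceNames entry that would silently have no effect. The job template's remark that re-runs get a 409 is consistent with `create`-only access: the job has to treat that response as success, since it is no longer permitted to read or update the existing Secret. The rules list continues outside the hunk.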
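Review bot: Moving `| tee /dev/stderr)` onto its own line leaves the `yq '...'` line with neither a trailing pipe nor a backslash, and a line that begins with `|` is a bash syntax error inside the `$( … )` substitution, so as rendered here the test will not parse; keep the pipe at the end of the `yq` line (`yq '...' |` then `tee /dev/stderr)` on the next line) or end the `yq` line with `\`. The new `server/StatefulSet: gossip encryption key is passed via the -encrypt flag` test in server-statefulset.bats has the same shape and needs the same fix. The enclosing `@test` in client-daemonset.bats starts outside the hunk.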
+++ b/charts/consul/test/unit/server-statefulset.bats
@@ -852,6 +852,18 @@ load _helpers
 [ "${actual}" = "true" ]
 }

+@test "server/StatefulSet: gossip encryption key is passed via the -encrypt flag" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'global.gossipEncryption.autoGenerate=true' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[] | select(.name=="consul") | .command | any(contains("-encrypt=\"${GOSSIP_KEY}\""))'
+ | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+
 @test "server/StatefulSet: gossip encryption disabled in server StatefulSet when secretName is missing" {
 cd `chart_dir`
 local actual=$(helm template \
From 2f40addc3bed8aaae7c82de1f8763be6e6c0a349 Mon Sep 17 00:00:00 2001
From: Thomas Eckert
Date: Fri, 1 Oct 2021 11:47:17 -0400
Subject: [PATCH 56/58] Change autogen to a feature in the CHANGELOG
---
 CHANGELOG.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 58016dbd5d..0cd55a59cc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,10 +1,13 @@
 ## UNRELEASED

+FEATURES:
+* Helm Chart
+ * Add automatic generation of gossip encryption with `global.gossipEncryption.autoGenerate=true`. [[GH-738](https://github.com/hashicorp/consul-k8s/pull/738)]
+
 IMPROVEMENTS:
 * Control Plane
 * Upgrade Docker image Alpine version from 3.13 to 3.14. [[GH-737](https://github.com/hashicorp/consul-k8s/pull/737)]
 * Helm Chart
- * Add automatic generation of gossip encryption with `global.gossipEncryption.autoGenerate=true` [[GH-738](https://github.com/hashicorp/consul-k8s/pull/738)]
 * Enable adding extra containers to server and client Pods. [[GH-749](https://github.com/hashicorp/consul-k8s/pull/749)]

 ## 0.34.1 (September 17, 2021)
From 487288fd957f68d55cfd3976c774002724c0c541 Mon Sep 17 00:00:00 2001
From: Thomas Eckert
Date: Fri, 1 Oct 2021 12:52:30 -0400
Subject: [PATCH 57/58] Update comment on values.yaml
---
 charts/consul/values.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
index c5d5cb9736..a0d4472a74 100644
--- a/charts/consul/values.yaml
+++ b/charts/consul/values.yaml
@@ -120,7 +120,9 @@ global:
 # Configures Consul's gossip encryption key, set as a Kubernetes secret
 # (see `-encrypt` (https://consul.io/docs/agent/options#_encrypt)).
 # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually.
- # To automatically generate and set a gossip encryption key, set autoGenerate to true.
+ # The recommended method is to automatically generate the key.
+ # To automatically generate and set a gossip encryption key, set autoGenerate to true.
+ # Values for secretName and secretKey should not be set if autoGenerate is true.
 # To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate
 # a Kubernetes secret referencing these values.
 #
From b879bba25ce5ce22365c0bd87bf1b634169f2e9c Mon Sep 17 00:00:00 2001
From: Thomas Eckert
Date: Fri, 1 Oct 2021 13:54:42 -0400
Subject: [PATCH 58/58] Update charts/consul/test/acceptance/tests/basic/basic_test.go
Co-authored-by: Ashwin Venkatesh
---
 charts/consul/test/acceptance/tests/basic/basic_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/consul/test/acceptance/tests/basic/basic_test.go b/charts/consul/test/acceptance/tests/basic/basic_test.go
index b1f3f401f8..95861e5f98 100644
--- a/charts/consul/test/acceptance/tests/basic/basic_test.go
+++ b/charts/consul/test/acceptance/tests/basic/basic_test.go
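Review bot: `Values for secretName and secretKey should not be set if autoGenerate is true.` understates the behaviour: the job template calls `fail` when either value is set alongside autoGenerate, so rendering stops with an error rather than merely misbehaving. Saying so tells users what to expect, e.g. `# If autoGenerate is true, secretName and secretKey must be left unset; the chart will refuse to render otherwise.` The gossipEncryption comment block continues outside the hunk.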
@@ -77,7 +77,7 @@ func TestBasicInstallation(t *testing.T) {
 require.NoError(t, err)

 testContext := suite.Environment().DefaultContext(t)
- secret, err := testContext.KubernetesClient(t).CoreV1().Secrets(testContext.KubectlOptions(t).Namespace).Get(context.Background(), secretName, metaV1.GetOptions{})
+ secret, err := testContext.KubernetesClient(t).CoreV1().Secrets(testContext.KubectlOptions(t).Namespace).Get(context.Background(), secretName, metav1.GetOptions{})
 require.NoError(t, err)
 gossipEncryptionKey := strings.TrimSpace(string(secret.Data[secretKey]))