From 27fb9ea4330b79ad34878b4a30ebb312dc23b758 Mon Sep 17 00:00:00 2001
From: John Murret
Date: Fri, 18 Mar 2022 14:41:35 -0600
Subject: [PATCH] fixing acceptance test to recognize that long lived tokens will not exist and we ahve to update the role.
---
 .../terminating_gateway_namespaces_test.go | 8 ++---
 .../terminating_gateway_test.go | 30 +++++++++----------
 .../terminating-gateways-serviceaccount.yaml | 4 +--
 .../terminating-gateways-serviceaccount.bats | 4 +--
 4 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/acceptance/tests/terminating-gateway/terminating_gateway_namespaces_test.go b/acceptance/tests/terminating-gateway/terminating_gateway_namespaces_test.go
index 76510b9a76..2225746b6f 100644
--- a/acceptance/tests/terminating-gateway/terminating_gateway_namespaces_test.go
+++ b/acceptance/tests/terminating-gateway/terminating_gateway_namespaces_test.go
@@ -97,11 +97,11 @@ func TestTerminatingGatewaySingleNamespace(t *testing.T) {
 	// Register the external service.
 	registerExternalService(t, consulClient, testNamespace)
 
-	// If ACLs are enabled we need to update the token of the terminating gateway
+	// If ACLs are enabled we need to update the role of the terminating gateway
 	// with service:write permissions to the static-server service
 	// so that it can can request Connect certificates for it.
 	if c.secure {
-		updateTerminatingGatewayToken(t, consulClient, fmt.Sprintf(staticServerPolicyRulesNamespace, testNamespace))
+		updateTerminatingGatewayRole(t, consulClient, fmt.Sprintf(staticServerPolicyRulesNamespace, testNamespace))
 	}
 
 	// Create the config entry for the terminating gateway.
@@ -205,11 +205,11 @@ func TestTerminatingGatewayNamespaceMirroring(t *testing.T) {
 	// Register the external service
 	registerExternalService(t, consulClient, testNamespace)
 
-	// If ACLs are enabled we need to update the token of the terminating gateway
+	// If ACLs are enabled we need to update the role of the terminating gateway
 	// with service:write permissions to the static-server service
 	// so that it can can request Connect certificates for it.
 	if c.secure {
-		updateTerminatingGatewayToken(t, consulClient, fmt.Sprintf(staticServerPolicyRulesNamespace, testNamespace))
+		updateTerminatingGatewayRole(t, consulClient, fmt.Sprintf(staticServerPolicyRulesNamespace, testNamespace))
 	}
 
 	// Create the config entry for the terminating gateway
diff --git a/acceptance/tests/terminating-gateway/terminating_gateway_test.go b/acceptance/tests/terminating-gateway/terminating_gateway_test.go
index e8b6fa194c..f87614f3e0 100644
--- a/acceptance/tests/terminating-gateway/terminating_gateway_test.go
+++ b/acceptance/tests/terminating-gateway/terminating_gateway_test.go
@@ -69,11 +69,11 @@ func TestTerminatingGateway(t *testing.T) {
 	// Register the external service
 	registerExternalService(t, consulClient, "")
 
-	// If ACLs are enabled we need to update the token of the terminating gateway
+	// If ACLs are enabled we need to update the role of the terminating gateway
 	// with service:write permissions to the static-server service
 	// so that it can can request Connect certificates for it.
 	if c.secure {
-		updateTerminatingGatewayToken(t, consulClient, staticServerPolicyRules)
+		updateTerminatingGatewayRole(t, consulClient, staticServerPolicyRules)
 	}
 
 	// Create the config entry for the terminating gateway.
@@ -133,32 +133,32 @@ func registerExternalService(t *testing.T, consulClient *api.Client, namespace s
 	require.NoError(t, err)
 }
 
-func updateTerminatingGatewayToken(t *testing.T, consulClient *api.Client, rules string) {
+func updateTerminatingGatewayRole(t *testing.T, consulClient *api.Client, rules string) {
 	t.Helper()
 
-	// Create a write policy for the static-server.
+	logger.Log(t, "creating a write policy for the static-server")
 	_, _, err := consulClient.ACL().PolicyCreate(&api.ACLPolicy{
 		Name:  "static-server-write-policy",
 		Rules: rules,
 	}, nil)
 	require.NoError(t, err)
 
-	// Get the terminating gateway token.
-	tokens, _, err := consulClient.ACL().TokenList(nil)
+	logger.Log(t, "getting the terminating gateway role")
+	roles, _, err := consulClient.ACL().RoleList(nil)
 	require.NoError(t, err)
-	var termGwTokenID string
-	for _, token := range tokens {
-		if strings.Contains(token.Description, "token created via login: {\"component\":\"terminating-gateway\"}") {
-			termGwTokenID = token.AccessorID
+	terminatingGatewayRoleID := ""
+	for _, role := range roles {
+		if strings.Contains(role.Name, "terminating-gateway") {
+			terminatingGatewayRoleID = role.ID
 			break
 		}
 	}
 
-	termGwToken, _, err := consulClient.ACL().TokenRead(termGwTokenID, nil)
-	require.NoError(t, err)
-	// Add policy to the token and update it
-	termGwToken.Policies = append(termGwToken.Policies, &api.ACLTokenPolicyLink{Name: "static-server-write-policy"})
-	_, _, err = consulClient.ACL().TokenUpdate(termGwToken, nil)
+	logger.Log(t, "update role with policy")
+	termGwRole, _, err := consulClient.ACL().RoleRead(terminatingGatewayRoleID, nil)
+	require.NoError(t, err)
+	termGwRole.Policies = append(termGwRole.Policies, &api.ACLTokenPolicyLink{Name: "static-server-write-policy"})
+	_, _, err = consulClient.ACL().RoleUpdate(termGwRole, nil)
 	require.NoError(t, err)
 }
 
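Review bot: `RoleRead` is called with `terminatingGatewayRoleID` even when the loop over `roles` finds no match, so a missing role surfaces as an opaque read error, or as a nil dereference on `termGwRole.Policies` if the client returns no error for an unknown ID, instead of a clear test failure; add `require.NotEmpty(t, terminatingGatewayRoleID, "no ACL role containing \"terminating-gateway\" found")` before the `RoleRead` call. The substring match `strings.Contains(role.Name, "terminating-gateway")` followed by `break` also attaches the static-server `service:write` policy to whichever matching role is listed first, which works for a single gateway but becomes ambiguous as soon as more than one gateway role exists; comparing against the exact role name, or asserting exactly one match, keeps the extra permission scoped to the intended role. Minor style points: the same link type is also exported as `api.ACLRolePolicyLink`, which reads better on a role than `api.ACLTokenPolicyLink`, and the message `update role with policy` is inconsistent with the two `-ing` log lines above it.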
diff --git a/charts/consul/templates/terminating-gateways-serviceaccount.yaml b/charts/consul/templates/terminating-gateways-serviceaccount.yaml
index 211fb5c72f..38a79f361c 100644
--- a/charts/consul/templates/terminating-gateways-serviceaccount.yaml
+++ b/charts/consul/templates/terminating-gateways-serviceaccount.yaml
@@ -6,7 +6,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ template "consul.fullname" $root }}-{{ .name }}
+  name: {{ template "consul.fullname" $root }}-{{ .name }}-terminating-gateway
   namespace: {{ $root.Release.Namespace }}
   labels:
     app: {{ template "consul.name" $root }}
@@ -14,7 +14,7 @@ metadata:
     heritage: {{ $root.Release.Service }}
     release: {{ $root.Release.Name }}
     component: terminating-gateway
-    terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
+    terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}-terminating-gateway
   {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }}
   annotations:
     {{- if $defaults.serviceAccount.annotations }}
diff --git a/charts/consul/test/unit/terminating-gateways-serviceaccount.bats b/charts/consul/test/unit/terminating-gateways-serviceaccount.bats
index 3052907b54..e1ef573abf 100644
--- a/charts/consul/test/unit/terminating-gateways-serviceaccount.bats
+++ b/charts/consul/test/unit/terminating-gateways-serviceaccount.bats
@@ -57,10 +57,10 @@ load _helpers
       yq -s -r '.' | tee /dev/stderr)
 
   local actual=$(echo $object | yq -r '.[0].metadata.name' | tee /dev/stderr)
-  [ "${actual}" = "RELEASE-NAME-consul-gateway1" ]
+  [ "${actual}" = "RELEASE-NAME-consul-gateway1-terminating-gateway" ]
 
   local actual=$(echo $object | yq -r '.[1].metadata.name' | tee /dev/stderr)
-  [ "${actual}" = "RELEASE-NAME-consul-gateway2" ]
+  [ "${actual}" = "RELEASE-NAME-consul-gateway2-terminating-gateway" ]
 
   local actual=$(echo "$object" | yq -r '.[2] | length > 0' | tee /dev/stderr)
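Review bot: The ServiceAccount's `metadata.name` gains a `-terminating-gateway` suffix in the first hunk, but nothing in this patch touches the templates that reference that account by name (the gateway Deployment's `serviceAccountName` and any RoleBinding subject), and the diffstat lists only four files. If those templates still render `{{ template "consul.fullname" $root }}-{{ .name }}`, the gateway pod will point at a ServiceAccount that no longer exists and the ACL login that this commit's Go change relies on will fail; either they already carry the suffix, which is worth stating in the commit message, or they need the same edit together with matching bats expectations. The second hunk applies the same suffix to the `terminating-gateway-name` label, so any selector keyed on that label needs the same review.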