From 6c5f713eb872fb23e6ae83f5d859a48f6e1b3860 Mon Sep 17 00:00:00 2001
From: Nathan Coleman <nathan.coleman@hashicorp.com>
Date: Mon, 24 Apr 2023 19:07:03 -0400
Subject: [PATCH] Use Vault serverca for CONSUL_CACERT when secrets backend
 enabled

---
 .../consul/templates/api-gateway-controller-deployment.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/charts/consul/templates/api-gateway-controller-deployment.yaml b/charts/consul/templates/api-gateway-controller-deployment.yaml
index d9cf161962..9432de32a5 100644
--- a/charts/consul/templates/api-gateway-controller-deployment.yaml
+++ b/charts/consul/templates/api-gateway-controller-deployment.yaml
@@ -62,10 +62,14 @@ spec:
           name: sds
           protocol: TCP
         env:
-        {{- if or (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled)) .Values.client.enabled }}
+        {{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }}
         {{- if .Values.global.tls.enabled }}
         - name: CONSUL_CACERT
+          {{- if and (not .Values.client.enabled) .Values.global.secretsBackend.vault.enabled }}
+          value: /vault/secrets/serverca.crt
+          {{- else }}
           value: /consul/tls/ca/tls.crt
+          {{- end }}
         {{- end }}
         {{- end }}
         - name: HOST_IP