From cc449e473b4fbf67880038fb864a84aa664770c1 Mon Sep 17 00:00:00 2001
From: Iryna Shustava
Date: Wed, 1 Dec 2021 11:17:25 -0700
Subject: [PATCH] Support Vault server running with TLS (#874)

* Change vault cluster in acceptance tests to only run with TLS. All tests will run against vault with TLS because that is the use case we think will be the most valuable for users to test
* Support adding Vault CA as a secret to pods that will be using vault agent. We need to add two annotations to pods:
* vault.hashicorp.com/agent-extra-secret with the value of the vault CA secret name. The secret will be mounted to vault agent at /vault/custom path. See docs here
* vault.hashicorp.com/ca-cert - with the path of the ca file inside the vault agent container. This should be /vault/custom/
* Most pods will only need those annotations. The server pods also need the Vault CA secret to be mounted as a volume because it needs the CA to be on the file system for the vault connect CA provider.
---
 acceptance/tests/vault/vault_test.go | 2 ++
 charts/consul/test/unit/server-statefulset.bats | 10 ++++++++++
 2 files changed, 12 insertions(+)

diff --git a/acceptance/tests/vault/vault_test.go b/acceptance/tests/vault/vault_test.go
index f3aac683ec..eb2a088a3e 100644
--- a/acceptance/tests/vault/vault_test.go
+++ b/acceptance/tests/vault/vault_test.go
@@ -129,6 +129,8 @@ func TestVault(t *testing.T) {
 	_, err = vaultClient.Logical().Write("consul/data/secret/gossip", params)
 	require.NoError(t, err)
+	vaultCASecret := vault.CASecretName(vaultReleaseName)
+
 	// Bootstrap TLS creates the CA infrastructure required for ServerTLS and also creates the `consul-server` roles.
 	bootstrapTLS(t, vaultClient, consulReleaseName)
diff --git a/charts/consul/test/unit/server-statefulset.bats b/charts/consul/test/unit/server-statefulset.bats
index 1b4327352d..bafd7ab662 100755
--- a/charts/consul/test/unit/server-statefulset.bats
+++ b/charts/consul/test/unit/server-statefulset.bats
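Review bot: `vaultCASecret` is assigned on the added line but nothing visible reads it, and the diffstat credits vault_test.go with exactly these 2 insertions, so as excerpted the Go compiler would reject it as declared and not used; presumably a hunk not shown threads it into the Helm values behind the `vault.hashicorp.com/agent-extra-secret` / `vault.hashicorp.com/ca-cert` annotations the description mentions, which is worth confirming since the point of the change is that Consul pods verify Vault's TLS certificate against that CA. A short comment on the new line would make the intent explicit: `// Name of the Secret holding Vault's CA; passed to the chart so Consul pods can verify Vault's TLS certificate.` TestVault continues outside this hunk in both directions.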
@@ -1036,6 +1036,16 @@ load _helpers
   [ "${actual}" = "true" ]
 }
+@test "server/StatefulSet: CA certificate is specified when TLS is enabled" { cd `chart_dir` local actual=$(helm template \ -s templates/server-statefulset.yaml \ --set 'global.tls.enabled=true' \ . | tee /dev/stderr | yq '.spec.template.spec.containers[0].readinessProbe.exec.command | join(" ") | contains("--cacert /consul/tls/ca/tls.crt")' | tee /dev/stderr) [ "${actual}" = "true" ] }
+
 @test "server/StatefulSet: HTTP is disabled in agent when httpsOnly is enabled" {
   cd `chart_dir`
   local actual=$(helm template \
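Review bot: The new test only pins `--cacert /consul/tls/ca/tls.crt` for plain `global.tls.enabled=true`, while the commit description says server pods now also mount the Vault CA as a volume; if the readiness probe's CA path differs when Vault supplies the CA, that configuration — the one this commit is about — has no unit test here. A sibling test that enables the Vault backend and asserts where the probe's `--cacert` points would close that gap. Since `--cacert` is a curl flag, it is also worth asserting the joined command carries no `-k`/`--insecure`, because a CA file proves nothing if verification is disabled alongside it, e.g. `yq '... | join(" ") | contains("--cacert /consul/tls/ca/tls.crt") and ((contains(" -k ") or contains("--insecure")) | not)'` (adjust to the yq version in use).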