From 2d13dbfabb4e65ebe342d93d100fbc18a18d28e1 Mon Sep 17 00:00:00 2001
From: Nathan Coleman
Date: Thu, 17 Aug 2023 14:53:29 -0400
Subject: [PATCH 1/4] Add NET_BIND_SERVICE capability to Consul's restricted securityContext

---
 charts/consul/templates/_helpers.tpl | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl
index 18f57b188c..5cefb9ec81 100644
--- a/charts/consul/templates/_helpers.tpl
+++ b/charts/consul/templates/_helpers.tpl
@@ -22,6 +22,8 @@ securityContext:
   capabilities:
     drop:
     - ALL
+    add:
+    - NET_BIND_SERVICE
   runAsNonRoot: true
   seccompProfile:
     type: RuntimeDefault

From 2e9f290f0edc2f9662d811f5654fdb55311ffcf4 Mon Sep 17 00:00:00 2001
From: Nathan Coleman
Date: Mon, 21 Aug 2023 13:30:12 -0400
Subject: [PATCH 2/4] Add changelog entry

---
 .changelog/2787.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/2787.txt

diff --git a/.changelog/2787.txt b/.changelog/2787.txt
new file mode 100644
index 0000000000..67fc4ab476
--- /dev/null
+++ b/.changelog/2787.txt
@@ -0,0 +1,3 @@
+```release-note:security
+Add NET_BIND_SERVICE capability to restricted security context used for consul-dataplane
+```

From 9af56985f68794051df6f2121b133b141621ee3d Mon Sep 17 00:00:00 2001
From: Nathan Coleman
Date: Mon, 21 Aug 2023 14:06:54 -0400
Subject: [PATCH 3/4] Update related bats tests

---
 charts/consul/test/unit/server-statefulset.bats | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/charts/consul/test/unit/server-statefulset.bats b/charts/consul/test/unit/server-statefulset.bats
index a60884d20c..0fc738e79e 100755
--- a/charts/consul/test/unit/server-statefulset.bats
+++ b/charts/consul/test/unit/server-statefulset.bats
@@ -856,7 +856,8 @@ load _helpers
   local expected=$(echo '{
     "allowPrivilegeEscalation": false,
     "capabilities": {
-      "drop": ["ALL"]
+      "drop": ["ALL"],
+      "add": ["NET_BIND_SERVICE"]
     },
     "runAsNonRoot": true,
     "seccompProfile": {
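Review bot: The capability is added to the shared restricted securityContext helper, so every workload that renders this template gains NET_BIND_SERVICE, not only consul-dataplane as the changelog entry states; the bats updates in server-statefulset.bats (the hunks at lines 856 and 887) show the server StatefulSet now receives it as well. If only the dataplane sidecar needs to bind a privileged port, consider gating the `add:` block on a template parameter or a dedicated helper so the server and other pods keep an empty add list. Note also that with `runAsNonRoot: true` and `allowPrivilegeEscalation: false`, whether the added capability actually lands in the process's effective set depends on the container runtime and on the binary's file capabilities, so a rendered-manifest test alone does not prove the bind succeeds; confirm on the target runtime. NET_BIND_SERVICE is the one capability the Pod Security `restricted` profile permits in `capabilities.add`, and a comment saying so keeps the helper's name honest: `{{/* NET_BIND_SERVICE is the only capability the Pod Security "restricted" profile allows in capabilities.add */}}`. The enclosing `define` block starts before this hunk.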
@@ -887,7 +888,8 @@ load _helpers
   local expected=$(echo '{
     "allowPrivilegeEscalation": false,
     "capabilities": {
-      "drop": ["ALL"]
+      "drop": ["ALL"],
+      "add": ["NET_BIND_SERVICE"]
     },
     "runAsNonRoot": true,
     "seccompProfile": {

From 9cac83323f81f8031c093a65f14489defe655ac3 Mon Sep 17 00:00:00 2001
From: Nathan Coleman
Date: Tue, 22 Aug 2023 10:11:48 -0400
Subject: [PATCH 4/4] Change type of release note

---
 .changelog/2787.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.changelog/2787.txt b/.changelog/2787.txt
index 67fc4ab476..2fe921ef23 100644
--- a/.changelog/2787.txt
+++ b/.changelog/2787.txt
@@ -1,3 +1,3 @@
-```release-note:security
+```release-note:improvement
 Add NET_BIND_SERVICE capability to restricted security context used for consul-dataplane
 ```