From 975434f6e8a692ce036511a03da34da7ceb6ce37 Mon Sep 17 00:00:00 2001
From: jm96441n
Date: Fri, 19 Apr 2024 11:54:21 -0400
Subject: [PATCH 1/4] remove unnecessary permissions for terminating gateways

---
 .../consul/templates/terminating-gateways-role.yaml | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)

diff --git a/charts/consul/templates/terminating-gateways-role.yaml b/charts/consul/templates/terminating-gateways-role.yaml
index 4ae280ca81..51e37664d3 100644
--- a/charts/consul/templates/terminating-gateways-role.yaml
+++ b/charts/consul/templates/terminating-gateways-role.yaml
@@ -16,25 +16,14 @@ metadata:
 release: {{ $root.Release.Name }}
 component: terminating-gateway
 terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
-{{- if (or $root.Values.global.acls.manageSystemACLs $root.Values.global.enablePodSecurityPolicies) }}
-rules:
 {{- if $root.Values.global.enablePodSecurityPolicies }}
+rules:
 - apiGroups: ["policy"]
 resources: ["podsecuritypolicies"]
 resourceNames:
 - {{ template "consul.fullname" $root }}-{{ .name }}
 verbs:
 - use
-{{- end }}
-{{- if $root.Values.global.acls.manageSystemACLs }}
- - apiGroups: [""]
- resources:
- - secrets
- resourceNames:
- - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token
- verbs:
- - get
-{{- end }}
 {{- else }}
 rules: []
 {{- end }}

From 4e61f68862154161bed82c7fda204b1896ef8a9d Mon Sep 17 00:00:00 2001
From: jm96441n
Date: Fri, 19 Apr 2024 14:40:27 -0400
Subject: [PATCH 2/4] add changelog

---
 .changelog/3928.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/3928.txt

diff --git a/.changelog/3928.txt b/.changelog/3928.txt
new file mode 100644
index 0000000000..cfff98bf76
--- /dev/null
+++ b/.changelog/3928.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+terminating-gateways: Remove unnecessary permissions from terminating gateways role
+```

From 238e54815f2bf13611a41937c0931da0636687fa Mon Sep 17 00:00:00 2001
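Review bot: The new side drops `get` on the `{{ template "consul.fullname" $root }}-{{ .name }}-acl-token` Secret without any note in the template about how the gateway now obtains its ACL token, so a reader of this Role cannot tell whether the removal is safe; anything still reading that Secret through the API under the gateway's ServiceAccount would presumably fail with a 403 at runtime rather than at template time. The hunk does not show where the token is consumed, so that should be confirmed against the gateway Deployment and its init containers before merge. I would add a template comment above the remaining conditional, e.g. `{{/* Only PSP "use" is needed here; the gateway's ACL token is not read from the Secrets API under this ServiceAccount. */}}`, so the next change to the ACL flow re-checks this Role. It is also worth a one-line note that `rules: []` is now emitted whenever PSPs are disabled, including with `global.acls.manageSystemACLs=true`.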
From: jm96441n
Date: Mon, 22 Apr 2024 14:55:54 -0400
Subject: [PATCH 3/4] fix bats test

---
 .../test/unit/terminating-gateways-role.bats | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/charts/consul/test/unit/terminating-gateways-role.bats b/charts/consul/test/unit/terminating-gateways-role.bats
index f109a2dd23..56287fb7c4 100644
--- a/charts/consul/test/unit/terminating-gateways-role.bats
+++ b/charts/consul/test/unit/terminating-gateways-role.bats
@@ -32,23 +32,6 @@ load _helpers
 [ "${actual}" = "podsecuritypolicies" ]
 }

-@test "terminatingGateways/Role: rules for global.acls.manageSystemACLs=true" {
- cd `chart_dir`
- local object=$(helm template \
- -s templates/terminating-gateways-role.yaml \
- --set 'terminatingGateways.enabled=true' \
- --set 'connectInject.enabled=true' \
- --set 'global.acls.manageSystemACLs=true' \
- . | tee /dev/stderr |
- yq -s -r '.[0].rules[0]' | tee /dev/stderr)
-
- local actual=$(echo $object | yq -r '.resources[0]' | tee /dev/stderr)
- [ "${actual}" = "secrets" ]
-
- local actual=$(echo $object | yq -r '.resourceNames[0]' | tee /dev/stderr)
- [ "${actual}" = "release-name-consul-terminating-gateway-acl-token" ]
-}
-
 @test "terminatingGateways/Role: rules is empty if no ACLs, PSPs" {
 cd `chart_dir`
 local actual=$(helm template \

From 5ef72f347834e10e095f0591b9ceccb474979ce6 Mon Sep 17 00:00:00 2001
From: jm96441n
Date: Mon, 22 Apr 2024 15:32:55 -0400
Subject: [PATCH 4/4] fix lengths of rules

---
 charts/consul/test/unit/terminating-gateways-role.bats | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/charts/consul/test/unit/terminating-gateways-role.bats b/charts/consul/test/unit/terminating-gateways-role.bats
index 56287fb7c4..5c0fb571a2 100644
--- a/charts/consul/test/unit/terminating-gateways-role.bats
+++ b/charts/consul/test/unit/terminating-gateways-role.bats
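Review bot: Deleting the `global.acls.manageSystemACLs=true` test leaves the ACL-enabled path without coverage: after patch 1 the Role should render `rules: []` when ACLs are on and PSPs are off, and nothing now asserts that the Secret `get` rule stays gone. Rather than removing the test, I would convert it into a negative check that the rendered Role has no rules in that configuration, which is the regression test for the permission this series removes. The only ACL-related assertion left is the existing 'rules is empty if no ACLs, PSPs' test, which by its flags covers only the ACLs-off case.
```shell
@test "terminatingGateways/Role: rules is empty if global.acls.manageSystemACLs=true and no PSPs" {
  cd `chart_dir`
  local actual=$(helm template \
      -s templates/terminating-gateways-role.yaml \
      --set 'terminatingGateways.enabled=true' \
      --set 'connectInject.enabled=true' \
      --set 'global.acls.manageSystemACLs=true' \
      . | tee /dev/stderr |
      yq -s -r '.[0].rules | length' | tee /dev/stderr)
  [ "${actual}" = "0" ]
}
```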
@@ -53,7 +53,7 @@ load _helpers
 --set 'global.enablePodSecurityPolicies=true' \
 . | tee /dev/stderr |
 yq -s -r '.[0].rules | length' | tee /dev/stderr)
- [ "${actual}" = "2" ]
+ [ "${actual}" = "1" ]
 }

 @test "terminatingGateways/Role: rules for ACLs, PSPs with multiple gateways" {
@@ -76,10 +76,10 @@ load _helpers
 [ "${actual}" = "release-name-consul-gateway2" ]

 local actual=$(echo $object | yq '.[0].rules | length' | tee /dev/stderr)
- [ "${actual}" = "2" ]
+ [ "${actual}" = "1" ]

 local actual=$(echo $object | yq '.[1].rules | length' | tee /dev/stderr)
- [ "${actual}" = "2" ]
+ [ "${actual}" = "1" ]

 local actual=$(echo $object | yq '.[2] | length > 0' | tee /dev/stderr)
 [ "${actual}" = "false" ]
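Review bot: The updated counts match the patch-1 template, but the test name visible as context in the first hunk, `@test "terminatingGateways/Role: rules for ACLs, PSPs with multiple gateways"`, still states that ACLs contribute rules, which is no longer true; I would rename it to `@test "terminatingGateways/Role: rules for PSPs with multiple gateways"` and review the name of the test edited by the first hunk, whose `@test` line is outside the hunk. Both hunks assert only `length`, so the one remaining rule could silently change resource or verb without failing; the `length == 1` checks in the second hunk could be paired with an assertion that `.[0].rules[0].resources[0]` is `podsecuritypolicies`, as the test earlier in the file already does for the single-gateway case. The first hunk's enclosing test starts before the hunk and the second hunk's enclosing test ends after it, so the `--set` flags they use are not visible here and the "ACLs" wording is inferred from the names.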