Update CHANGELOG and set httpsOnly to true by default

CHANGELOG.md

@@ -25,12 +25,11 @@ BUG FIXES:
     when the Consul client on the same node was restarted. This fix adds a new
     sidecar that ensures the service instance is always registered. [[GH-314](https://github.com/hashicorp/consul-helm/pull/314)]
 
-  * Optionally allow enabling TLS for servers and clients [[GH-313](https://github.com/hashicorp/consul-helm/pull/313/files#)].
+  * Optionally allow enabling TLS [[GH-313](https://github.com/hashicorp/consul-helm/pull/313/files#)].
+    If `global.tls.enabled` is set to `true`, the Helm chart will generate CA and necessary certificates and
+    enable TLS for servers, clients, Connect Inject, Sync Catalog, and ACL bootstrapping.
 
-    Note that consul-k8s components don't currently work with HTTPS
-    enabled and HTTP disabled. For this reason, we don't disable HTTP by
-    default when TLS is enabled. This will be changed once consul-k8s supports HTTPS.
-    Also note that this feature is only supported if both servers and clients are running
+    Note that this feature is only supported if both servers and clients are running
     on Kubernetes. We will have better support for other deployment architectures,
     as well as bringing your own CA, in the future.
 

templates/server-acl-init-job.yaml

@@ -57,12 +57,14 @@ spec:
             - "-ec"
             - |
               consul-k8s server-acl-init \
+                -server-label-selector=component=server,app={{ template "consul.name" . }},release={{ .Release.Name }} \
+                -resource-prefix={{ template "consul.fullname" . }} \
+                -k8s-namespace={{ .Release.Namespace }} \
                 {{- if .Values.global.tls.enabled }}
                 -use-https \
                 -consul-ca-cert=/consul/tls/ca/tls.crt \
                 -consul-tls-server-name=server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }} \
                 {{- end }}
-                -k8s-namespace={{ .Release.Namespace }} \
                 {{- if .Values.syncCatalog.enabled }}
                 -create-sync-token=true \
                 {{- end }}

test/unit/client-podsecuritypolicy.bats

@@ -115,7 +115,7 @@ load _helpers
       --set 'global.tls.enabled=true' \
       . | tee /dev/stderr |
       yq -c '.spec.hostPorts' | tee /dev/stderr)
-  [ "${actual}" = '[{"min":8500,"max":8500},{"min":8501,"max":8501},{"min":8502,"max":8502}]' ]
+  [ "${actual}" = '[{"min":8501,"max":8501},{"min":8502,"max":8502}]' ]
 }
 
 @test "client/PodSecurityPolicy: hostPort 8500 is not allowed when global.tls.enabled=true and global.tls.httpsOnly=true" {

test/unit/server-acl-init-job.bats

@@ -211,7 +211,6 @@ load _helpers
   [ "${actual}" = "true" ]
 }
 
-
 #--------------------------------------------------------------------
 # global.tls.enabled
 
@@ -231,6 +230,6 @@ load _helpers
   actual=$(echo $command | jq -r '. | any(contains("-consul-ca-cert=/consul/tls/ca/tls.crt"))' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 
-    actual=$(echo $command | jq -r '. | any(contains(" -consul-tls-server-name=server.dc1.consul"))' | tee /dev/stderr)
+    actual=$(echo $command | jq -r '. | any(contains("-consul-tls-server-name=server.dc1.consul"))' | tee /dev/stderr)
     [ "${actual}" = "true" ]
 }

values.yaml

@@ -101,10 +101,7 @@ global:
 
     # If httpsOnly is true, Consul will disable the HTTP port on both
     # clients and servers and only accept HTTPS connections.
-    #
-    # Note: if you are using the syncCatalog or connectInject features below,
-    # do not set httpsOnly to true. This limitation will be addressed in the future.
-    httpsOnly: false
+    httpsOnly: true
 
 # Server, when enabled, configures a server cluster to run. This should
 # be disabled if you plan on connecting to a Consul cluster external to