From 12ea51bb067d1c267d9f094d668f9c8eebea3d7e Mon Sep 17 00:00:00 2001 From: Iryna Shustava Date: Fri, 20 Dec 2019 13:59:05 -0800 Subject: [PATCH] Update CHANGELOG and set httpsOnly to true by default --- CHANGELOG.md | 9 ++++----- templates/server-acl-init-job.yaml | 4 +++- test/unit/client-podsecuritypolicy.bats | 2 +- test/unit/server-acl-init-job.bats | 3 +-- values.yaml | 5 +---- 5 files changed, 10 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4dbd902e3..c44c213f8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,12 +25,11 @@ BUG FIXES: when the Consul client on the same node was restarted. This fix adds a new sidecar that ensures the service instance is always registered. [[GH-314](https://github.com/hashicorp/consul-helm/pull/314)] - * Optionally allow enabling TLS for servers and clients [[GH-313](https://github.com/hashicorp/consul-helm/pull/313/files#)]. + * Optionally allow enabling TLS [[GH-313](https://github.com/hashicorp/consul-helm/pull/313/files#)]. + If `global.tls.enabled` is set to `true`, the Helm chart will generate CA and necessary certificates and + enable TLS for servers, clients, Connect Inject, Sync Catalog, and ACL bootstrapping. - Note that consul-k8s components don't currently work with HTTPS - enabled and HTTP disabled. For this reason, we don't disable HTTP by - default when TLS is enabled. This will be changed once consul-k8s supports HTTPS. - Also note that this feature is only supported if both servers and clients are running + Note that this feature is only supported if both servers and clients are running on Kubernetes. We will have better support for other deployment architectures, as well as bringing your own CA, in the future. diff --git a/templates/server-acl-init-job.yaml b/templates/server-acl-init-job.yaml index 6a1f89a5c..adb7b918d 100644 --- a/templates/server-acl-init-job.yaml +++ b/templates/server-acl-init-job.yaml 
@@ -57,12 +57,14 @@ spec: - "-ec" - | consul-k8s server-acl-init \ + -server-label-selector=component=server,app={{ template "consul.name" . }},release={{ .Release.Name }} \ + -resource-prefix={{ template "consul.fullname" . }} \ + -k8s-namespace={{ .Release.Namespace }} \ {{- if .Values.global.tls.enabled }} -use-https \ -consul-ca-cert=/consul/tls/ca/tls.crt \ -consul-tls-server-name=server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }} \ {{- end }} - -k8s-namespace={{ .Release.Namespace }} \ {{- if .Values.syncCatalog.enabled }} -create-sync-token=true \ {{- end }} diff --git a/test/unit/client-podsecuritypolicy.bats b/test/unit/client-podsecuritypolicy.bats index c8eeb7f7e..2622a45e4 100644 --- a/test/unit/client-podsecuritypolicy.bats +++ b/test/unit/client-podsecuritypolicy.bats @@ -115,7 +115,7 @@ load _helpers --set 'global.tls.enabled=true' \ . | tee /dev/stderr | yq -c '.spec.hostPorts' | tee /dev/stderr) - [ "${actual}" = '[{"min":8500,"max":8500},{"min":8501,"max":8501},{"min":8502,"max":8502}]' ] + [ "${actual}" = '[{"min":8501,"max":8501},{"min":8502,"max":8502}]' ] } @test "client/PodSecurityPolicy: hostPort 8500 is not allowed when global.tls.enabled=true and global.tls.httpsOnly=true" { diff --git a/test/unit/server-acl-init-job.bats b/test/unit/server-acl-init-job.bats index 5d5067463..275362fbb 100644 --- a/test/unit/server-acl-init-job.bats +++ b/test/unit/server-acl-init-job.bats @@ -211,7 +211,6 @@ load _helpers [ "${actual}" = "true" ] } - #-------------------------------------------------------------------- # global.tls.enabled 
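Review bot: The three flags added at the top of the server-acl-init command (`-server-label-selector`, `-resource-prefix`, `-k8s-namespace`) go beyond what the commit subject describes, and the two server-acl-init-job.bats hunks in this patch only touch the TLS assertions, so nothing visible here asserts that the selector or the resource prefix are rendered. The selector presumably decides which pods the job treats as Consul servers when bootstrapping ACLs, so it has to stay in sync with the labels on the server pods; a comment on that line would help the next maintainer, e.g. `{{- /* Label selector server-acl-init uses to find the Consul server pods; keep in sync with the server pod labels. */}}`. A bats assertion that the rendered command contains `-server-label-selector=component=server,` (and one for `-resource-prefix=`) would pin the rendering. The command block continues outside the hunk.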
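Review bot: With `httpsOnly` now defaulting to true, the edited assertion and the next test (`hostPort 8500 is not allowed when global.tls.enabled=true and global.tls.httpsOnly=true`) check the same rendering, and no hunk in this patch exercises `global.tls.httpsOnly=false`, so the path that keeps port 8500 open no longer has a visible test. Rather than flipping the expected list, the edited test could add `--set 'global.tls.httpsOnly=false' \` and keep the original expectation `[ "${actual}" = '[{"min":8500,"max":8500},{"min":8501,"max":8501},{"min":8502,"max":8502}]' ]`, so both the default and the explicit opt-out are covered. The test's name and opening lines are outside the hunk; if the name still says 8500 is allowed with only `global.tls.enabled=true`, it now contradicts the assertion.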
@@ -231,6 +230,6 @@ load _helpers actual=$(echo $command | jq -r '. | any(contains("-consul-ca-cert=/consul/tls/ca/tls.crt"))' | tee /dev/stderr) [ "${actual}" = "true" ] - actual=$(echo $command | jq -r '. | any(contains(" -consul-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) + actual=$(echo $command | jq -r '. | any(contains("-consul-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) [ "${actual}" = "true" ] } \ No newline at end of file diff --git a/values.yaml b/values.yaml index 7adf95ce0..c158e0e0c 100644 --- a/values.yaml +++ b/values.yaml @@ -101,10 +101,7 @@ global: # If httpsOnly is true, Consul will disable the HTTP port on both # clients and servers and only accept HTTPS connections. - # - # Note: if you are using the syncCatalog or connectInject features below, - # do not set httpsOnly to true. This limitation will be addressed in the future. - httpsOnly: false + httpsOnly: true # Server, when enabled, configures a server cluster to run. This should # be disabled if you plan on connecting to a Consul cluster external to
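Review bot: The comment above `httpsOnly: true` says Consul will disable the HTTP port on clients and servers, but it does not say the setting only matters once `global.tls.enabled` is true, which the client-podsecuritypolicy test in this patch appears to rely on (it sets `global.tls.enabled=true` for 8500 to disappear). A line such as `# Only takes effect when global.tls.enabled is true.` would make the new default less surprising; this is inferred from the test, since the gating lives in the templates rather than in this hunk. Flipping the default also changes behaviour for anyone who already enabled TLS and depends on the HTTP port, and the CHANGELOG hunk in this patch describes the TLS feature without stating that HTTP is now disabled by default when TLS is on, so a sentence there saying `global.tls.httpsOnly` now defaults to `true` would help. The `global:` block continues outside the hunk.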