Code review updates

hashicorp · Mar 20, 2020 · 4582459 · 4582459
1 parent c6b3056
commit 4582459
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 4 deletions.
diff --git a/templates/mesh-gateway-clusterrole.yaml b/templates/mesh-gateway-clusterrole.yaml
@@ -9,7 +9,7 @@ metadata:
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: mesh-gateway
-{{- if or .Values.global.bootstrapACLs .Values.global.enablePodSecurityPolicies }}
+{{- if or .Values.global.bootstrapACLs .Values.global.enablePodSecurityPolicies (eq .Values.meshGateway.wanAddress.source "LoadBalancerAddress") }}
 rules:
 {{- if .Values.global.enablePodSecurityPolicies }}
   - apiGroups: ["policy"]
@@ -28,6 +28,15 @@ rules:
     verbs:
       - get
 {{- end }}
+{{- if eq .Values.meshGateway.wanAddress.source "LoadBalancerAddress" }}
+  - apiGroups: [""]
+    resources:
+      - services
+    resourceNames:
+      - {{ template "consul.fullname" . }}-mesh-gateway
+    verbs:
+      - get
+  {{- end }}
 {{- else }}
 rules: []
 {{- end }}

diff --git a/test/unit/mesh-gateway-clusterrole.bats b/test/unit/mesh-gateway-clusterrole.bats
@@ -49,7 +49,19 @@ load _helpers
   [ "${actual}" = "secrets" ]
 }
 
-@test "meshGateway/ClusterRole: rules is empty if no ACLs or PSPs" {
+@test "meshGateway/ClusterRole: rules for meshGateway.wanAddress.source=LoadBalancerAddress" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/mesh-gateway-clusterrole.yaml  \
+      --set 'meshGateway.enabled=true' \
+      --set 'connectInject.enabled=true' \
+      --set 'meshGateway.wanAddress.source=LoadBalancerAddress' \
+      . | tee /dev/stderr |
+      yq -r '.rules[0].resources[0]' | tee /dev/stderr)
+  [ "${actual}" = "services" ]
+}
+
+@test "meshGateway/ClusterRole: rules is empty if no ACLs, PSPs or mesh gateways" {
   cd `chart_dir`
   local actual=$(helm template \
       -x templates/mesh-gateway-clusterrole.yaml  \
@@ -61,7 +73,7 @@ load _helpers
   [ "${actual}" = "[]" ]
 }
 
-@test "meshGateway/ClusterRole: rules for both ACLs and PSPs" {
+@test "meshGateway/ClusterRole: rules for ACLs, PSPs and mesh gateways" {
   cd `chart_dir`
   local actual=$(helm template \
       -x templates/mesh-gateway-clusterrole.yaml  \
@@ -70,7 +82,8 @@ load _helpers
       --set 'client.grpc=true' \
       --set 'global.bootstrapACLs=true' \
       --set 'global.enablePodSecurityPolicies=true' \
+      --set 'meshGateway.wanAddress.source=LoadBalancerAddress' \
       . | tee /dev/stderr |
       yq -r '.rules | length' | tee /dev/stderr)
-  [ "${actual}" = "2" ]
+  [ "${actual}" = "3" ]
 }