Use wanAddress.source to help determine address

templates/mesh-gateway-clusterrole.yaml

@@ -9,7 +9,7 @@ metadata:
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
     component: mesh-gateway
-{{- if or .Values.global.bootstrapACLs .Values.global.enablePodSecurityPolicies (eq .Values.meshGateway.wanAddress.source "LoadBalancerAddress") }}
+{{- if or .Values.global.bootstrapACLs .Values.global.enablePodSecurityPolicies (eq .Values.meshGateway.wanAddress.source "Service") }}
 rules:
 {{- if .Values.global.enablePodSecurityPolicies }}
   - apiGroups: ["policy"]
@@ -28,7 +28,7 @@ rules:
     verbs:
       - get
 {{- end }}
-{{- if eq .Values.meshGateway.wanAddress.source "LoadBalancerAddress" }}
+{{- if eq .Values.meshGateway.wanAddress.source "Service" }}
   - apiGroups: [""]
     resources:
       - services

templates/mesh-gateway-deployment.yaml

@@ -116,21 +116,35 @@ spec:
                   -token-sink-file=/consul/service/acl-token
                 {{ end }}
 
-                {{- if eq .Values.meshGateway.wanAddress.source "NodeIP" }}
+                {{- $source := .Values.meshGateway.wanAddress.source }}
+                {{- $serviceType := .Values.meshGateway.service.type }}
+                {{- if and (eq $source "Service") (not .Values.meshGateway.service.enabled) }}{{ fail "if meshGateway.wanAddress.source=Service then meshGateway.service.enabled must be set to true" }}{{ end }}
+                {{- if or (eq $source "NodeIP") (and (eq $source "Service") (eq $serviceType "NodePort")) }}
                 WAN_ADDR="${HOST_IP}"
-                {{- else if eq .Values.meshGateway.wanAddress.source "NodeName" }}
+                {{- else if eq $source "NodeName" }}
                 WAN_ADDR="${NODE_NAME}"
-                {{- else if eq .Values.meshGateway.wanAddress.source "LoadBalancerAddress" }}
-                {{- if not .Values.meshGateway.service.enabled }}{{ fail "if meshGateway.wanAddress.source=LoadBalancerAddress then meshGateway.service.enabled must be set to true" }}{{ end -}}
-                {{- if ne .Values.meshGateway.service.type "LoadBalancer" }}{{ fail "if meshGateway.wanAddress.source=LoadBalancerAddress then meshGateway.service.type must be set to LoadBalancer" }}{{ end }}
-                consul-k8s load-balancer-address \
+                {{- else if and (eq $source "Service") (or (eq $serviceType "ClusterIP") (eq $serviceType "LoadBalancer")) }}
+                consul-k8s service-address \
                   -k8s-namespace={{ .Release.Namespace }} \
                   -name={{ template "consul.fullname" . }}-mesh-gateway \
                   -output-file=address.txt
                 WAN_ADDR="$(cat address.txt)"
-                {{- else if eq .Values.meshGateway.wanAddress.source "Static" }}
+                {{- else if eq $source "Static" }}
                 {{- if eq .Values.meshGateway.wanAddress.static "" }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }}
                 WAN_ADDR="{{ .Values.meshGateway.wanAddress.static }}"
+                {{- else }}
+                {{- fail "currently set meshGateway values wanAddress.source and service.type are not supported" }}
+                {{- end }}
+
+                {{- if eq $source "Service" }}
+                {{- if eq $serviceType "NodePort" }}
+                {{- if not .Values.meshGateway.service.nodePort }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }}
+                WAN_PORT="{{ .Values.meshGateway.service.nodePort }}"
+                {{- else }}
+                WAN_PORT="{{ .Values.meshGateway.service.port }}"
+                {{- end }}
+                {{- else }}
+                WAN_PORT="{{ .Values.meshGateway.wanAddress.port }}"
                 {{- end }}
 
                 cat > /consul/service/service.hcl << EOF
@@ -155,11 +169,11 @@ spec:
                     }
                     wan {
                       address = "${WAN_ADDR}"
-                      port = {{ .Values.meshGateway.wanAddress.port }}
+                      port = ${WAN_PORT}
                     }
                     wan_ipv4 {
                       address = "${WAN_ADDR}"
-                      port = {{ .Values.meshGateway.wanAddress.port }}
+                      port = ${WAN_PORT}
                     }
                   }
                   checks = [

test/unit/mesh-gateway-clusterrole.bats

@@ -49,13 +49,15 @@ load _helpers
   [ "${actual}" = "secrets" ]
 }
 
-@test "meshGateway/ClusterRole: rules for meshGateway.wanAddress.source=LoadBalancerAddress" {
+@test "meshGateway/ClusterRole: rules for meshGateway.wanAddress.source=Service" {
   cd `chart_dir`
   local actual=$(helm template \
       -x templates/mesh-gateway-clusterrole.yaml  \
       --set 'meshGateway.enabled=true' \
       --set 'connectInject.enabled=true' \
-      --set 'meshGateway.wanAddress.source=LoadBalancerAddress' \
+      --set 'meshGateway.service.enabled=true' \
+      --set 'meshGateway.service.type=LoadBalancer' \
+      --set 'meshGateway.wanAddress.source=Service' \
       . | tee /dev/stderr |
       yq -r '.rules[0].resources[0]' | tee /dev/stderr)
   [ "${actual}" = "services" ]
@@ -82,7 +84,9 @@ load _helpers
       --set 'client.grpc=true' \
       --set 'global.bootstrapACLs=true' \
       --set 'global.enablePodSecurityPolicies=true' \
-      --set 'meshGateway.wanAddress.source=LoadBalancerAddress' \
+      --set 'meshGateway.service.enabled=true' \
+      --set 'meshGateway.service.type=LoadBalancer' \
+      --set 'meshGateway.wanAddress.source=Service' \
       . | tee /dev/stderr |
       yq -r '.rules | length' | tee /dev/stderr)
   [ "${actual}" = "3" ]