From d247baa7935e964c0b21aaf8821430a78e7140c7 Mon Sep 17 00:00:00 2001 From: Nathan Coleman Date: Thu, 3 Nov 2022 12:27:17 -0400 Subject: [PATCH] Consolidate controller ClusterRole mods for enablePodSecurityPolicies --- .../api-gateway-controller-clusterrole.yaml | 38 ++++++++----------- .../api-gateway-controller-clusterrole.bats | 12 ++++++ 2 files changed, 27 insertions(+), 23 deletions(-) diff --git a/charts/consul/templates/api-gateway-controller-clusterrole.yaml b/charts/consul/templates/api-gateway-controller-clusterrole.yaml index 0d71b61bef..eac2bd1f69 100644 --- a/charts/consul/templates/api-gateway-controller-clusterrole.yaml +++ b/charts/consul/templates/api-gateway-controller-clusterrole.yaml @@ -11,24 +11,6 @@ metadata: release: {{ .Release.Name }} component: api-gateway-controller rules: -{{- if .Values.global.enablePodSecurityPolicies }} -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - get - - list - - watch -- apiGroups: - - policy - resources: - - podsecuritypolicies - verbs: - - use -{{- end}} - apiGroups: - api-gateway.consul.hashicorp.com resources: @@ -263,11 +245,21 @@ rules: - patch - update {{- if .Values.global.enablePodSecurityPolicies }} -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - resourceNames: - - {{ template "consul.fullname" . }}-api-gateway-controller +- apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings verbs: - - use + - create + - get + - list + - watch {{- end }} {{- end }} diff --git a/charts/consul/test/unit/api-gateway-controller-clusterrole.bats b/charts/consul/test/unit/api-gateway-controller-clusterrole.bats index b69b6ac966..a933a541cd 100644 --- a/charts/consul/test/unit/api-gateway-controller-clusterrole.bats +++ b/charts/consul/test/unit/api-gateway-controller-clusterrole.bats 
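Review bot: The consolidated `podsecuritypolicies` rule in the second hunk (`@@ -263,11 +245,21 @@`) drops the `resourceNames` entry that the removed lines used to limit `use` to the chart's own PSP, so the rule now grants `use` on every PodSecurityPolicy in the cluster. The first hunk removes an unrestricted `use` rule that previously sat next to it, so the effective grant does not appear to widen, but consolidating is the natural point to keep the narrower form: retain `resourceNames:` followed by `- {{ template "consul.fullname" . }}-api-gateway-controller` under the `podsecuritypolicies` rule, since that is the only PSP the controller needs. Note that the new bats test in the second file still selects on `.resourceNames[0] == "release-name-consul-api-gateway-controller"`, which this rule no longer satisfies as far as the diff shows, so either the restriction should stay or that test predicate needs to change.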
@@ -31,3 +31,15 @@ load _helpers
 yq '.rules[] | select((.resourceNames[0] == "release-name-consul-api-gateway-controller") and (.resources[0] == "podsecuritypolicies")) | length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
+
+@test "apiGateway/ClusterRole: uses PodSecurityPolicy with apiGateway.enabled=true and global.enablePodSecurityPolicies=true" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/api-gateway-controller-clusterrole.yaml \
+ --set 'global.enablePodSecurityPolicies=true' \
+ --set 'apiGateway.enabled=true' \
+ --set 'apiGateway.image=foo' \
+ . | tee /dev/stderr |
+ yq '.rules[] | select((.resourceNames[0] == "release-name-consul-api-gateway-controller") and (.resources[0] == "podsecuritypolicies")) | length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
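Review bot: The added test uses exactly the same yq predicate as the test immediately above it (its name is outside the hunk, but its selector is visible in the context lines), so it adds no coverage beyond what that test already checks. If the intent is to cover the consolidated rules, assert on something the template change actually introduces, for example the moved RBAC rule: `yq '.rules[] | select((.apiGroups[0] == "rbac.authorization.k8s.io") and (.resources[0] == "roles")) | length > 0'`. A second assertion that the `podsecuritypolicies` rule's `.verbs` is exactly `["use"]` would also pin the least-privilege shape of that rule.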