hashicorp · thisisnotashwin · Sep 21, 2022 · Jun 24, 2022 · Jul 7, 2022 · Jul 7, 2022
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -110,6 +110,7 @@ commands:
                   do
                     if ! gotestsum --no-summary=all --jsonfile=jsonfile-${pkg////-} -- $pkg -p 1 -timeout 2h -failfast \
                           << parameters.additional-flags >> \
+                          -enable-multi-cluster \
                           ${ENABLE_ENTERPRISE:+-enable-enterprise} \
                           -debug-directory="$TEST_RESULTS/debug" \
                           -consul-image=hashicorppreview/consul-enterprise:1.14-dev \

diff --git a/acceptance/tests/mesh-gateway/mesh_gateway_test.go b/acceptance/tests/mesh-gateway/mesh_gateway_test.go
@@ -28,6 +28,7 @@ func TestMeshGatewayDefault(t *testing.T) {
 
 	primaryHelmValues := map[string]string{
 		"global.datacenter":                        "dc1",
+		"global.image":                             "thisisnotashwin/consul@sha256:477091fe84cde79a68a37cc9cc69fb7a5ab35e647a0f5f2632451ace5ecc5e7c",
 		"global.tls.enabled":                       "true",
 		"global.tls.httpsOnly":                     "false",
 		"global.federation.enabled":                "true",
@@ -63,8 +64,8 @@ func TestMeshGatewayDefault(t *testing.T) {
 
 	// Create secondary cluster
 	secondaryHelmValues := map[string]string{
-		"global.datacenter": "dc2",
-
+		"global.datacenter":            "dc2",
+		"global.image":                 "thisisnotashwin/consul@sha256:477091fe84cde79a68a37cc9cc69fb7a5ab35e647a0f5f2632451ace5ecc5e7c",
 		"global.tls.enabled":           "true",
 		"global.tls.httpsOnly":         "false",
 		"global.tls.caCert.secretName": federationSecretName,
@@ -135,16 +136,10 @@ func TestMeshGatewayDefault(t *testing.T) {
 // with ACLs and TLS with and without auto-encrypt enabled.
 func TestMeshGatewaySecure(t *testing.T) {
 	cases := []struct {
-		name              string
-		enableAutoEncrypt string
+		name string
 	}{
 		{
-			"with ACLs and TLS without auto-encrypt",
-			"false",
-		},
-		{
-			"with ACLs and auto-encrypt",
-			"true",
+			"with ACLs and TLS",
 		},
 	}
 
@@ -157,9 +152,8 @@ func TestMeshGatewaySecure(t *testing.T) {
 			secondaryContext := env.Context(t, environment.SecondaryContextName)
 
 			primaryHelmValues := map[string]string{
-				"global.datacenter":            "dc1",
-				"global.tls.enabled":           "true",
-				"global.tls.enableAutoEncrypt": c.enableAutoEncrypt,
+				"global.datacenter":  "dc1",
+				"global.tls.enabled": "true",
 
 				"global.acls.manageSystemACLs":       "true",
 				"global.acls.createReplicationToken": "true",
@@ -214,7 +208,6 @@ func TestMeshGatewaySecure(t *testing.T) {
 
 				"global.tls.enabled":           "true",
 				"global.tls.httpsOnly":         "false",
-				"global.tls.enableAutoEncrypt": c.enableAutoEncrypt,
 				"global.tls.caCert.secretName": federationSecretName,
 				"global.tls.caCert.secretKey":  "caCert",
 				"global.tls.caKey.secretName":  federationSecretName,

diff --git a/acceptance/tests/partitions/partitions_connect_test.go b/acceptance/tests/partitions/partitions_connect_test.go
@@ -23,7 +23,7 @@ const staticServerName = "static-server"
 const staticServerNamespace = "ns1"
 const StaticClientNamespace = "ns2"
 
-// Test that Connect works in a default and ACLsAndAutoEncryptEnabled installations for X-Partition and in-partition networking.
+// Test that Connect works in a default and ACLsEnabled installations for X-Partition and in-partition networking.
 func TestPartitions_Connect(t *testing.T) {
 	env := suite.Environment()
 	cfg := suite.Config()
@@ -32,14 +32,18 @@ func TestPartitions_Connect(t *testing.T) {
 		t.Skipf("skipping this test because -enable-enterprise is not set")
 	}
 
+	if cfg.EnableTransparentProxy {
+		t.Skipf("skipping because no t-proxy support")
+	}
+
 	const defaultPartition = "default"
 	const secondaryPartition = "secondary"
 	const defaultNamespace = "default"
 	cases := []struct {
-		name                      string
-		destinationNamespace      string
-		mirrorK8S                 bool
-		ACLsAndAutoEncryptEnabled bool
+		name                 string
+		destinationNamespace string
+		mirrorK8S            bool
+		ACLsEnabled          bool
 	}{
 		{
 			"default destination namespace",
@@ -88,14 +92,13 @@ func TestPartitions_Connect(t *testing.T) {
 
 			commonHelmValues := map[string]string{
 				"global.adminPartitions.enabled": "true",
+				"global.image":                   "thisisnotashwin/consul@sha256:477091fe84cde79a68a37cc9cc69fb7a5ab35e647a0f5f2632451ace5ecc5e7c",
+				"global.enableConsulNamespaces":  "true",
 
-				"global.enableConsulNamespaces": "true",
-
-				"global.tls.enabled":           "true",
-				"global.tls.httpsOnly":         strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
-				"global.tls.enableAutoEncrypt": strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
+				"global.tls.enabled":   "true",
+				"global.tls.httpsOnly": strconv.FormatBool(c.ACLsEnabled),
 
-				"global.acls.manageSystemACLs": strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
+				"global.acls.manageSystemACLs": strconv.FormatBool(c.ACLsEnabled),
 
 				"connectInject.enabled": "true",
 				// When mirroringK8S is set, this setting is ignored.
@@ -141,15 +144,15 @@ func TestPartitions_Connect(t *testing.T) {
 			logger.Logf(t, "retrieving ca cert secret %s from the server cluster and applying to the client cluster", caCertSecretName)
 			k8s.CopySecret(t, serverClusterContext, clientClusterContext, caCertSecretName)
 
-			if !c.ACLsAndAutoEncryptEnabled {
+			if !c.ACLsEnabled {
 				// When auto-encrypt is disabled, we need both
 				// the CA cert and CA key to be available in the clients cluster to generate client certificates and keys.
 				logger.Logf(t, "retrieving ca key secret %s from the server cluster and applying to the client cluster", caKeySecretName)
 				k8s.CopySecret(t, serverClusterContext, clientClusterContext, caKeySecretName)
 			}
 
 			partitionToken := fmt.Sprintf("%s-consul-partitions-acl-token", releaseName)
-			if c.ACLsAndAutoEncryptEnabled {
+			if c.ACLsEnabled {
 				logger.Logf(t, "retrieving partition token secret %s from the server cluster and applying to the client cluster", partitionToken)
 				k8s.CopySecret(t, serverClusterContext, clientClusterContext, partitionToken)
 			}
@@ -177,7 +180,7 @@ func TestPartitions_Connect(t *testing.T) {
 				"client.join[0]":           partitionSvcAddress,
 			}
 
-			if c.ACLsAndAutoEncryptEnabled {
+			if c.ACLsEnabled {
 				// Setup partition token and auth method host if ACLs enabled.
 				clientHelmValues["global.acls.bootstrapToken.secretName"] = partitionToken
 				clientHelmValues["global.acls.bootstrapToken.secretKey"] = "token"
@@ -244,7 +247,7 @@ func TestPartitions_Connect(t *testing.T) {
 				k8s.RunKubectl(t, clientClusterContext.KubectlOptions(t), "delete", "ns", staticServerNamespace, StaticClientNamespace)
 			})
 
-			consulClient, _ := serverConsulCluster.SetupConsulClient(t, c.ACLsAndAutoEncryptEnabled)
+			consulClient, _ := serverConsulCluster.SetupConsulClient(t, c.ACLsEnabled)
 
 			serverQueryServerOpts := &api.QueryOptions{Namespace: staticServerNamespace, Partition: defaultPartition}
 			clientQueryServerOpts := &api.QueryOptions{Namespace: StaticClientNamespace, Partition: defaultPartition}
@@ -260,12 +263,12 @@ func TestPartitions_Connect(t *testing.T) {
 			}
 
 			// Check that the ACL token is deleted.
-			if c.ACLsAndAutoEncryptEnabled {
+			if c.ACLsEnabled {
 				// We need to register the cleanup function before we create the deployments
 				// because golang will execute them in reverse order i.e. the last registered
 				// cleanup function will be executed first.
 				t.Cleanup(func() {
-					if c.ACLsAndAutoEncryptEnabled {
+					if c.ACLsEnabled {
 						retry.Run(t, func(r *retry.R) {
 							tokens, _, err := consulClient.ACL().TokenList(serverQueryServerOpts)
 							require.NoError(r, err)
@@ -377,7 +380,7 @@ func TestPartitions_Connect(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, services, 1)
 
-				if c.ACLsAndAutoEncryptEnabled {
+				if c.ACLsEnabled {
 					logger.Log(t, "checking that the connection is not successful because there's no intention")
 					if cfg.EnableTransparentProxy {
 						k8s.CheckStaticServerConnectionFailing(t, serverClusterStaticClientOpts, StaticClientName, fmt.Sprintf("http://static-server.%s", staticServerNamespace))
@@ -538,7 +541,7 @@ func TestPartitions_Connect(t *testing.T) {
 					})
 				}
 
-				if c.ACLsAndAutoEncryptEnabled {
+				if c.ACLsEnabled {
 					logger.Log(t, "checking that the connection is not successful because there's no intention")
 					if cfg.EnableTransparentProxy {
 						if !c.mirrorK8S {

diff --git a/acceptance/tests/partitions/partitions_sync_test.go b/acceptance/tests/partitions/partitions_sync_test.go
@@ -19,7 +19,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-// Test that Sync Catalog works in a default and ACLsAndAutoEncryptEnabled installations for partitions.
+// Test that Sync Catalog works in a default and ACLsEnabled installations for partitions.
 func TestPartitions_Sync(t *testing.T) {
 	env := suite.Environment()
 	cfg := suite.Config()
@@ -35,10 +35,10 @@ func TestPartitions_Sync(t *testing.T) {
 	const secondaryPartition = "secondary"
 	const defaultNamespace = "default"
 	cases := []struct {
-		name                      string
-		destinationNamespace      string
-		mirrorK8S                 bool
-		ACLsAndAutoEncryptEnabled bool
+		name                 string
+		destinationNamespace string
+		mirrorK8S            bool
+		ACLsEnabled          bool
 	}{
 		{
 			"default destination namespace",
@@ -87,14 +87,13 @@ func TestPartitions_Sync(t *testing.T) {
 
 			commonHelmValues := map[string]string{
 				"global.adminPartitions.enabled": "true",
+				"global.image":                   "thisisnotashwin/consul@sha256:477091fe84cde79a68a37cc9cc69fb7a5ab35e647a0f5f2632451ace5ecc5e7c",
+				"global.enableConsulNamespaces":  "true",
 
-				"global.enableConsulNamespaces": "true",
+				"global.tls.enabled":   "true",
+				"global.tls.httpsOnly": strconv.FormatBool(c.ACLsEnabled),
 
-				"global.tls.enabled":           "true",
-				"global.tls.httpsOnly":         strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
-				"global.tls.enableAutoEncrypt": strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
-
-				"global.acls.manageSystemACLs": strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
+				"global.acls.manageSystemACLs": strconv.FormatBool(c.ACLsEnabled),
 
 				"syncCatalog.enabled": "true",
 				// When mirroringK8S is set, this setting is ignored.
@@ -133,15 +132,15 @@ func TestPartitions_Sync(t *testing.T) {
 			logger.Logf(t, "retrieving ca cert secret %s from the server cluster and applying to the client cluster", caCertSecretName)
 			k8s.CopySecret(t, primaryClusterContext, secondaryClusterContext, caCertSecretName)
 
-			if !c.ACLsAndAutoEncryptEnabled {
+			if !c.ACLsEnabled {
 				// When auto-encrypt is disabled, we need both
 				// the CA cert and CA key to be available in the clients cluster to generate client certificates and keys.
 				logger.Logf(t, "retrieving ca key secret %s from the server cluster and applying to the client cluster", caKeySecretName)
 				k8s.CopySecret(t, primaryClusterContext, secondaryClusterContext, caKeySecretName)
 			}
 
 			partitionToken := fmt.Sprintf("%s-consul-partitions-acl-token", releaseName)
-			if c.ACLsAndAutoEncryptEnabled {
+			if c.ACLsEnabled {
 				logger.Logf(t, "retrieving partition token secret %s from the server cluster and applying to the client cluster", partitionToken)
 				k8s.CopySecret(t, primaryClusterContext, secondaryClusterContext, partitionToken)
 			}
@@ -169,7 +168,7 @@ func TestPartitions_Sync(t *testing.T) {
 				"client.join[0]":           partitionSvcAddress,
 			}
 
-			if c.ACLsAndAutoEncryptEnabled {
+			if c.ACLsEnabled {
 				// Setup partition token and auth method host if ACLs enabled.
 				clientHelmValues["global.acls.bootstrapToken.secretName"] = partitionToken
 				clientHelmValues["global.acls.bootstrapToken.secretKey"] = "token"
@@ -222,7 +221,7 @@ func TestPartitions_Sync(t *testing.T) {
 				k8s.RunKubectl(t, secondaryClusterContext.KubectlOptions(t), "delete", "ns", staticServerNamespace)
 			})
 
-			consulClient, _ := primaryConsulCluster.SetupConsulClient(t, c.ACLsAndAutoEncryptEnabled)
+			consulClient, _ := primaryConsulCluster.SetupConsulClient(t, c.ACLsEnabled)
 
 			defaultPartitionQueryOpts := &api.QueryOptions{Namespace: staticServerNamespace, Partition: defaultPartition}
 			secondaryPartitionQueryOpts := &api.QueryOptions{Namespace: staticServerNamespace, Partition: secondaryPartition}
@@ -233,12 +232,12 @@ func TestPartitions_Sync(t *testing.T) {
 			}
 
 			// Check that the ACL token is deleted.
-			if c.ACLsAndAutoEncryptEnabled {
+			if c.ACLsEnabled {
 				// We need to register the cleanup function before we create the deployments
 				// because golang will execute them in reverse order i.e. the last registered
 				// cleanup function will be executed first.
 				t.Cleanup(func() {
-					if c.ACLsAndAutoEncryptEnabled {
+					if c.ACLsEnabled {
 						retry.Run(t, func(r *retry.R) {
 							tokens, _, err := consulClient.ACL().TokenList(defaultPartitionQueryOpts)
 							require.NoError(r, err)

diff --git a/acceptance/tests/peering/peering_connect_namespaces_test.go b/acceptance/tests/peering/peering_connect_namespaces_test.go
@@ -34,6 +34,10 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 		t.Skipf("skipping this test because -enable-enterprise is not set")
 	}
 
+	if cfg.EnableTransparentProxy {
+		t.Skipf("skipping because no t-proxy support")
+	}
+
 	ver, err := version.NewVersion("1.13.0")
 	require.NoError(t, err)
 	if cfg.ConsulVersion != nil && cfg.ConsulVersion.LessThan(ver) {
@@ -44,10 +48,10 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 	const staticClientPeer = "client"
 	const defaultNamespace = "default"
 	cases := []struct {
-		name                      string
-		destinationNamespace      string
-		mirrorK8S                 bool
-		ACLsAndAutoEncryptEnabled bool
+		name                 string
+		destinationNamespace string
+		mirrorK8S            bool
+		ACLsEnabled          bool
 	}{
 		{
 			"default destination namespace",
@@ -95,12 +99,11 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 			commonHelmValues := map[string]string{
 				"global.peering.enabled":        "true",
 				"global.enableConsulNamespaces": "true",
+				"global.image":                  "thisisnotashwin/consul@sha256:477091fe84cde79a68a37cc9cc69fb7a5ab35e647a0f5f2632451ace5ecc5e7c",
+				"global.tls.enabled":            "true",
+				"global.tls.httpsOnly":          strconv.FormatBool(c.ACLsEnabled),
 
-				"global.tls.enabled":           "true",
-				"global.tls.httpsOnly":         strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
-				"global.tls.enableAutoEncrypt": strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
-
-				"global.acls.manageSystemACLs": strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
+				"global.acls.manageSystemACLs": strconv.FormatBool(c.ACLsEnabled),
 
 				"connectInject.enabled": "true",
 
@@ -213,8 +216,8 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 				k8s.RunKubectl(t, staticClientPeerClusterContext.KubectlOptions(t), "delete", "ns", staticClientNamespace)
 			})
 
-			staticServerPeerClient, _ := staticServerPeerCluster.SetupConsulClient(t, c.ACLsAndAutoEncryptEnabled)
-			staticClientPeerClient, _ := staticClientPeerCluster.SetupConsulClient(t, c.ACLsAndAutoEncryptEnabled)
+			staticServerPeerClient, _ := staticServerPeerCluster.SetupConsulClient(t, c.ACLsEnabled)
+			staticClientPeerClient, _ := staticClientPeerCluster.SetupConsulClient(t, c.ACLsEnabled)
 
 			serverQueryOpts := &api.QueryOptions{Namespace: staticServerNamespace}
 			clientQueryOpts := &api.QueryOptions{Namespace: staticClientNamespace}
@@ -296,7 +299,7 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 				})
 			}
 
-			if c.ACLsAndAutoEncryptEnabled {
+			if c.ACLsEnabled {
 				logger.Log(t, "checking that the connection is not successful because there's no allow intention")
 				if cfg.EnableTransparentProxy {
 					k8s.CheckStaticServerConnectionMultipleFailureMessages(t, staticClientOpts, staticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", fmt.Sprintf("curl: (7) Failed to connect to static-server.%s port 80: Connection refused", c.destinationNamespace)}, "", fmt.Sprintf("http://static-server.virtual.%s.%s.consul", c.destinationNamespace, staticServerPeer))

diff --git a/acceptance/tests/peering/peering_connect_test.go b/acceptance/tests/peering/peering_connect_test.go
@@ -31,11 +31,15 @@ func TestPeering_Connect(t *testing.T) {
 		t.Skipf("skipping this test because peering is not supported in version %v", cfg.ConsulVersion.String())
 	}
 
+	if cfg.EnableTransparentProxy {
+		t.Skipf("skipping because no t-proxy support")
+	}
+
 	const staticServerPeer = "server"
 	const staticClientPeer = "client"
 	cases := []struct {
-		name                      string
-		ACLsAndAutoEncryptEnabled bool
+		name        string
+		ACLsEnabled bool
 	}{
 		{
 			"default installation",
@@ -56,10 +60,9 @@ func TestPeering_Connect(t *testing.T) {
 				"global.peering.enabled": "true",
 
 				"global.tls.enabled":           "true",
-				"global.tls.httpsOnly":         strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
-				"global.tls.enableAutoEncrypt": strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
-
-				"global.acls.manageSystemACLs": strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
+				"global.tls.httpsOnly":         strconv.FormatBool(c.ACLsEnabled),
+				"global.image":                 "thisisnotashwin/consul@sha256:477091fe84cde79a68a37cc9cc69fb7a5ab35e647a0f5f2632451ace5ecc5e7c",
+				"global.acls.manageSystemACLs": strconv.FormatBool(c.ACLsEnabled),
 
 				"connectInject.enabled": "true",
 
@@ -168,8 +171,8 @@ func TestPeering_Connect(t *testing.T) {
 				k8s.RunKubectl(t, staticClientPeerClusterContext.KubectlOptions(t), "delete", "ns", staticClientNamespace)
 			})
 
-			staticServerPeerClient, _ := staticServerPeerCluster.SetupConsulClient(t, c.ACLsAndAutoEncryptEnabled)
-			staticClientPeerClient, _ := staticClientPeerCluster.SetupConsulClient(t, c.ACLsAndAutoEncryptEnabled)
+			staticServerPeerClient, _ := staticServerPeerCluster.SetupConsulClient(t, c.ACLsEnabled)
+			staticClientPeerClient, _ := staticClientPeerCluster.SetupConsulClient(t, c.ACLsEnabled)
 
 			// Create a ProxyDefaults resource to configure services to use the mesh
 			// gateways.
@@ -227,7 +230,7 @@ func TestPeering_Connect(t *testing.T) {
 				k8s.KubectlDeleteK(t, staticServerPeerClusterContext.KubectlOptions(t), "../fixtures/cases/crd-peers/default")
 			})
 
-			if c.ACLsAndAutoEncryptEnabled {
+			if c.ACLsEnabled {
 				logger.Log(t, "checking that the connection is not successful because there's no allow intention")
 				if cfg.EnableTransparentProxy {
 					k8s.CheckStaticServerConnectionMultipleFailureMessages(t, staticClientOpts, staticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.virtual.%s.consul", staticServerPeer))