Allow for the creation of the client ACL token when the clients are d…

…isabled

templates/server-acl-init-job.yaml

@@ -86,7 +86,7 @@ spec:
                 {{- if .Values.client.snapshotAgent.enabled }}
                 -create-snapshot-agent-token=true \
                 {{- end }}
-                {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
+                {{- if not (or (.Values.client.createACLToken) (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }}
                 -create-client-token=false \
                 {{- end }}
                 {{- if .Values.global.enableConsulNamespaces }}

test/unit/server-acl-init-job.bats

@@ -211,6 +211,54 @@ load _helpers
   [ "${actual}" = "true" ]
 }
 
+#--------------------------------------------------------------------
+# client.createACLToken
+
+@test "serverACLInit/Job: client acl option disabled in the absence of clients" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-acl-init-job.yaml  \
+      --set 'global.bootstrapACLs=true' \
+      --set 'client.enabled=false' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.containers[0].command | any(contains("-create-client-token"))' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "serverACLInit/Job: client acl option enabled by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-acl-init-job.yaml  \
+      --set 'global.bootstrapACLs=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.containers[0].command | any(contains("-create-client-token"))' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "serverACLInit/Job: client acl option enabled with even if not creating clients" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-acl-init-job.yaml  \
+      --set 'global.bootstrapACLs=true' \
+      --set 'client.enabled=false' \
+      --set 'client.createACLToken=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.containers[0].command | any(contains("-create-client-token"))' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "serverACLInit/Job: client acl option enabled when creating clients" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/server-acl-init-job.yaml  \
+      --set 'global.bootstrapACLs=true' \
+      --set 'client.enabled=true' \
+      --set 'client.createACLToken=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.containers[0].command | any(contains("-create-client-token"))' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
 #--------------------------------------------------------------------
 # global.tls.enabled
 

values.yaml

@@ -235,6 +235,11 @@ client:
   image: null
   join: null
 
+  # createACLToken is a way to force the creation of the client ACL token
+  # in the case where the client is an external deployment, such as Vault
+  # Only being considered when `global.bootstrapACLs` is set to `true`.
+  createACLToken: false
+
   # dataDirectoryHostPath is an absolute path to a directory on the host machine
   # to use as the Consul client data directory.
   # If set to the empty string or null, the Consul agent will store its data