[NET-6829] Add tls support for mesh gateways (#3429)

* Add tls support for mesh gateways

* Added tests

* fixing tests that broke from rebase

* extract function to build tls args for dataplane container

* move tls env vars to constants

control-plane/api-gateway/gatekeeper/init.go

@@ -12,6 +12,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 
 	"github.com/hashicorp/consul-k8s/control-plane/api-gateway/common"
+	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
 	"github.com/hashicorp/consul-k8s/control-plane/namespaces"
 	"k8s.io/utils/pointer"
 )
@@ -119,15 +120,15 @@ func initContainer(config common.HelmConfig, name, namespace string) (corev1.Con
 	if config.TLSEnabled {
 		container.Env = append(container.Env,
 			corev1.EnvVar{
-				Name:  "CONSUL_USE_TLS",
+				Name:  constants.UseTLSEnvVar,
 				Value: "true",
 			},
 			corev1.EnvVar{
-				Name:  "CONSUL_CACERT_PEM",
+				Name:  constants.CACertPEMEnvVar,
 				Value: config.ConsulCACert,
 			},
 			corev1.EnvVar{
-				Name:  "CONSUL_TLS_SERVER_NAME",
+				Name:  constants.TLSServerNameEnvVar,
 				Value: config.ConsulTLSServerName,
 			})
 	}

control-plane/connect-inject/constants/constants.go

@@ -73,8 +73,13 @@ const (
 
 	KubernetesSuccessReasonMsg = "Kubernetes health checks passing"
 
-	// ProxyIDVolumePath is the name of the volume that contains the proxy ID.
-	ProxyIDVolumePath = "/consul/mesh-inject"
+	// MeshV2VolumePath is the name of the volume that contains the proxy ID.
+	MeshV2VolumePath = "/consul/mesh-inject"
+
+	UseTLSEnvVar        = "CONSUL_USE_TLS"
+	CACertFileEnvVar    = "CONSUL_CACERT_FILE"
+	CACertPEMEnvVar     = "CONSUL_CACERT_PEM"
+	TLSServerNameEnvVar = "CONSUL_TLS_SERVER_NAME"
 )
 
 // GetNormalizedConsulNamespace returns the default namespace if the passed namespace

control-plane/connect-inject/webhook/container_init.go

@@ -155,15 +155,15 @@ func (w *MeshWebhook) containerInit(namespace corev1.Namespace, pod corev1.Pod,
 	if w.TLSEnabled {
 		container.Env = append(container.Env,
 			corev1.EnvVar{
-				Name:  "CONSUL_USE_TLS",
+				Name:  constants.UseTLSEnvVar,
 				Value: "true",
 			},
 			corev1.EnvVar{
-				Name:  "CONSUL_CACERT_PEM",
+				Name:  constants.CACertPEMEnvVar,
 				Value: w.ConsulCACert,
 			},
 			corev1.EnvVar{
-				Name:  "CONSUL_TLS_SERVER_NAME",
+				Name:  constants.TLSServerNameEnvVar,
 				Value: w.ConsulTLSServerName,
 			})
 	}

control-plane/connect-inject/webhookv2/container_init.go

@@ -124,15 +124,15 @@ func (w *MeshWebhook) containerInit(namespace corev1.Namespace, pod corev1.Pod)
 	if w.TLSEnabled {
 		container.Env = append(container.Env,
 			corev1.EnvVar{
-				Name:  "CONSUL_USE_TLS",
+				Name:  constants.UseTLSEnvVar,
 				Value: "true",
 			},
 			corev1.EnvVar{
-				Name:  "CONSUL_CACERT_PEM",
+				Name:  constants.CACertPEMEnvVar,
 				Value: w.ConsulCACert,
 			},
 			corev1.EnvVar{
-				Name:  "CONSUL_TLS_SERVER_NAME",
+				Name:  constants.TLSServerNameEnvVar,
 				Value: w.ConsulTLSServerName,
 			})
 	}

control-plane/gateways/deployment_dataplane_container.go

@@ -79,7 +79,7 @@ func consulDataplaneContainer(config GatewayConfig, containerConfig v2beta1.Gate
 			},
 			{
 				Name:  "TMPDIR",
-				Value: constants.ProxyIDVolumePath,
+				Value: constants.MeshV2VolumePath,
 			},
 			{
 				Name: "NODE_NAME",
@@ -105,7 +105,7 @@ func consulDataplaneContainer(config GatewayConfig, containerConfig v2beta1.Gate
 		VolumeMounts: []corev1.VolumeMount{
 			{
 				Name:      volumeName,
-				MountPath: constants.ProxyIDVolumePath,
+				MountPath: constants.MeshV2VolumePath,
 			},
 		},
 		Args:           args,
@@ -186,7 +186,7 @@ func getDataplaneArgs(namespace string, config GatewayConfig, bearerTokenFile st
 		args = append(args, "-service-partition="+config.ConsulTenancyConfig.ConsulPartition)
 	}
 
-	args = append(args, "-tls-disabled")
+	args = append(args, buildTLSArgs(config)...)
 
 	// Configure the readiness port on the dataplane sidecar if proxy health checks are enabled.
 	args = append(args, fmt.Sprintf("%s=%d", "-envoy-ready-bind-port", constants.ProxyDefaultHealthPort))
@@ -195,3 +195,19 @@ func getDataplaneArgs(namespace string, config GatewayConfig, bearerTokenFile st
 
 	return args, nil
 }
+
+func buildTLSArgs(config GatewayConfig) []string {
+	if !config.TLSEnabled {
+		return []string{"-tls-disabled"}
+	}
+	tlsArgs := make([]string, 0, 2)
+
+	if config.ConsulTLSServerName != "" {
+		tlsArgs = append(tlsArgs, fmt.Sprintf("-tls-server-name=%s", config.ConsulTLSServerName))
+	}
+	if config.ConsulCACert != "" {
+		tlsArgs = append(tlsArgs, fmt.Sprintf("-ca-certs=%s", constants.ConsulCAFile))
+	}
+
+	return tlsArgs
+}

control-plane/gateways/deployment_init_container.go

@@ -45,7 +45,7 @@ func initContainer(config GatewayConfig, name, namespace string) (corev1.Contain
 	volMounts := []corev1.VolumeMount{
 		{
 			Name:      volumeName,
-			MountPath: constants.ProxyIDVolumePath,
+			MountPath: constants.MeshV2VolumePath,
 		},
 	}
 
@@ -143,6 +143,22 @@ func initContainer(config GatewayConfig, name, namespace string) (corev1.Contain
 			Value: consulNamespace,
 		})
 
+	if config.TLSEnabled {
+		container.Env = append(container.Env,
+			corev1.EnvVar{
+				Name:  constants.UseTLSEnvVar,
+				Value: "true",
+			},
+			corev1.EnvVar{
+				Name:  constants.CACertPEMEnvVar,
+				Value: config.ConsulCACert,
+			},
+			corev1.EnvVar{
+				Name:  constants.TLSServerNameEnvVar,
+				Value: config.ConsulTLSServerName,
+			})
+	}
+
 	if config.ConsulTenancyConfig.ConsulPartition != "" {
 		container.Env = append(container.Env,
 			corev1.EnvVar{