From 3bc51cb0118c297dff3db68cec72f6f37265ba3e Mon Sep 17 00:00:00 2001
From: Curt Bushko <cbushko@gmail.com>
Date: Thu, 25 Aug 2022 15:23:22 -0400
Subject: [PATCH 1/8] CNI Accptance test on Kind (#1445)

-  Added a new make target for installing Calico CNI in Kind. The target installs Calico CNI using config files located under /acceptance tests
- Added a helper make target for setting up local Kind with Calico just in case anyone wants to run it.
- Added a kind.config for setting up the Kind cluster
- Added an -enable-cni flag to the acceptance test config so that it can be passed through from CircleCI
-  Added a nightly circleci job for running the CNI kind tests
-  I had missed a bats test for the connect-inject template that I merged in a previous PR
---
 .circleci/config.yml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 792776a2a3..2faee44ede 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -922,7 +922,7 @@ jobs:
           failure_message: "Acceptance tests against Kind with Kubernetes v1.23 failed. Check the logs at: ${CIRCLE_BUILD_URL}"
 
   acceptance-kind-cni-1-23:
-    parallelism: 6 
+    parallelism: 6
     environment:
       - TEST_RESULTS: /tmp/test-results
     machine:
@@ -1072,10 +1072,10 @@ workflows:
   version: 2
   test-and-build:
     jobs:
-     # Build this one control-plane binary so that acceptance and acceptance-tproxy will run
-     # The rest of these CircleCI jobs have been migrated to Github Actions. We need to wait until
-     # the summer of 2022 for larger puplic Github Action VMs be available before the acceptance tests can
-     # be moved
+      # Build this one control-plane binary so that acceptance and acceptance-tproxy will run
+      # The rest of these CircleCI jobs have been migrated to Github Actions. We need to wait until
+      # the summer of 2022 for larger puplic Github Action VMs be available before the acceptance tests can
+      # be moved
       - build-distro:
           OS: "linux"
           ARCH: "amd64 arm64"
@@ -1139,7 +1139,6 @@ workflows:
           requires:
             - dev-upload-docker
 
-
   nightly-acceptance-tests-consul:
     triggers:
       - schedule:

From 2f7141ff350eb70fbd856d20a5db0afb0ea1fb1e Mon Sep 17 00:00:00 2001
From: Curt Bushko <cbushko@gmail.com>
Date: Wed, 24 Aug 2022 11:07:21 -0400
Subject: [PATCH 2/8] Add CNI acceptance tests on Kind

---
 .circleci/config.yml                          | 52 +++++++++---------
 .../connect/connect_inject_namespaces_test.go | 18 +++++--
 .../tests/connect/connect_inject_test.go      | 13 +++--
 .../ingress_gateway_namespaces_test.go        |  4 +-
 .../ingress-gateway/ingress_gateway_test.go   |  1 +
 .../tests/mesh-gateway/mesh_gateway_test.go   | 22 ++++----
 acceptance/tests/metrics/metrics_test.go      | 11 ++--
 .../partitions/partitions_connect_test.go     | 53 +++++++++++++++----
 .../peering_connect_namespaces_test.go        | 23 +++++---
 .../tests/peering/peering_connect_test.go     | 13 ++++-
 .../terminating_gateway_destinations_test.go  | 10 ++--
 .../terminating_gateway_namespaces_test.go    |  4 +-
 .../terminating_gateway_test.go               |  4 +-
 .../tests/vault/vault_namespaces_test.go      | 10 ++--
 .../tests/vault/vault_partitions_test.go      |  8 +--
 acceptance/tests/vault/vault_test.go          |  8 +--
 .../tests/vault/vault_tls_auto_reload_test.go | 11 ++--
 acceptance/tests/vault/vault_wan_fed_test.go  | 17 +++---
 18 files changed, 194 insertions(+), 88 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 2faee44ede..06ea9d0293 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -276,7 +276,8 @@ jobs:
       - run:
           name: build local
           working_directory: *control-plane-path
-          command: XC_OS="<< parameters.OS >>" XC_ARCH="<< parameters.ARCH >>" ./build-support/scripts/build-local.sh
+          command: |
+            XC_OS="<< parameters.OS >>" XC_ARCH="<< parameters.ARCH >>" ./build-support/scripts/build-local.sh
       # persist to downstream job
       - persist_to_workspace:
           root: .
@@ -1098,13 +1099,13 @@ workflows:
           requires:
             - dev-upload-docker
   nightly-acceptance-tests:
-    triggers:
-      - schedule:
-          cron: "0 0 * * *"
-          filters:
-            branches:
-              only:
-                - main
+    # triggers:
+    #   - schedule:
+    #       cron: "0 0 * * *"
+    #       filters:
+    #         branches:
+    #           only:
+    #             - main
     jobs:
       - build-distro:
           OS: "linux"
@@ -1113,26 +1114,29 @@ workflows:
       - dev-upload-docker:
           requires:
             - build-distros-linux
-      - cleanup-gcp-resources
-      - cleanup-azure-resources
-      - cleanup-eks-resources
+      # - cleanup-gcp-resources
+      # - cleanup-azure-resources
+      # - cleanup-eks-resources
       # Disable until we can use UBI images.
       #      - acceptance-openshift:
       #          requires:
       #          - cleanup-azure-resources
-      - acceptance-gke-1-20:
-          requires:
-            - cleanup-gcp-resources
-            - dev-upload-docker
-      - acceptance-eks-1-19:
-          requires:
-            - cleanup-eks-resources
-            - dev-upload-docker
-      - acceptance-aks-1-21:
-          requires:
-            - cleanup-azure-resources
-            - dev-upload-docker
-      - acceptance-kind-1-23:
+      # - acceptance-gke-1-20:
+      #     requires:
+      #       - cleanup-gcp-resources
+      #       - dev-upload-docker
+      # - acceptance-eks-1-19:
+      #     requires:
+      #       - cleanup-eks-resources
+      #       - dev-upload-docker
+      # - acceptance-aks-1-21:
+      #     requires:
+      #       - cleanup-azure-resources
+      #       - dev-upload-docker
+      # - acceptance-kind-1-23:
+      #     requires:
+      #       - dev-upload-docker
+      - acceptance-kind-cni-1-23:
           requires:
             - dev-upload-docker
       - acceptance-kind-cni-1-23:
diff --git a/acceptance/tests/connect/connect_inject_namespaces_test.go b/acceptance/tests/connect/connect_inject_namespaces_test.go
index 22fcc19c7a..604e04fb78 100644
--- a/acceptance/tests/connect/connect_inject_namespaces_test.go
+++ b/acceptance/tests/connect/connect_inject_namespaces_test.go
@@ -18,8 +18,10 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-const staticServerNamespace = "ns1"
-const StaticClientNamespace = "ns2"
+const (
+	staticServerNamespace = "ns1"
+	StaticClientNamespace = "ns2"
+)
 
 // Test that Connect works with Consul Enterprise namespaces.
 // These tests currently only test non-secure and secure without auto-encrypt installations
@@ -71,6 +73,7 @@ func TestConnectInjectNamespaces(t *testing.T) {
 			helmValues := map[string]string{
 				"global.enableConsulNamespaces": "true",
 				"connectInject.enabled":         "true",
+				"connectInject.cni.enabled":     strconv.FormatBool(cfg.EnableCNI),
 				// When mirroringK8S is set, this setting is ignored.
 				"connectInject.consulNamespaces.consulDestinationNamespace": c.destinationNamespace,
 				"connectInject.consulNamespaces.mirroringK8S":               strconv.FormatBool(c.mirrorK8S),
@@ -226,7 +229,15 @@ func TestConnectInjectNamespaces(t *testing.T) {
 			// from server, which is the case when a connection is unsuccessful due to intentions in other tests.
 			logger.Log(t, "checking that connection is unsuccessful")
 			if cfg.EnableTransparentProxy {
-				k8s.CheckStaticServerConnectionMultipleFailureMessages(t, staticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.%s", staticServerNamespace))
+				k8s.CheckStaticServerConnectionMultipleFailureMessages(
+					t,
+					staticClientOpts,
+					StaticClientName,
+					false,
+					[]string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"},
+					"",
+					fmt.Sprintf("http://static-server.%s", staticServerNamespace),
+				)
 			} else {
 				k8s.CheckStaticServerConnectionMultipleFailureMessages(t, staticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server"}, "", "http://localhost:1234")
 			}
@@ -285,6 +296,7 @@ func TestConnectInjectNamespaces_CleanupController(t *testing.T) {
 			helmValues := map[string]string{
 				"global.enableConsulNamespaces": "true",
 				"connectInject.enabled":         "true",
+				"connectInject.cni.enabled":     strconv.FormatBool(cfg.EnableCNI),
 				// When mirroringK8S is set, this setting is ignored.
 				"connectInject.consulNamespaces.consulDestinationNamespace": c.destinationNamespace,
 				"connectInject.consulNamespaces.mirroringK8S":               strconv.FormatBool(c.mirrorK8S),
diff --git a/acceptance/tests/connect/connect_inject_test.go b/acceptance/tests/connect/connect_inject_test.go
index b57e188fdb..a0433f6835 100644
--- a/acceptance/tests/connect/connect_inject_test.go
+++ b/acceptance/tests/connect/connect_inject_test.go
@@ -205,6 +205,7 @@ func TestConnectInject_CleanupKilledPods(t *testing.T) {
 
 			helmValues := map[string]string{
 				"connectInject.enabled":        "true",
+				"connectInject.cni.enabled":    strconv.FormatBool(cfg.EnableCNI),
 				"global.tls.enabled":           strconv.FormatBool(c.secure),
 				"global.tls.enableAutoEncrypt": strconv.FormatBool(c.autoEncrypt),
 				"global.acls.manageSystemACLs": strconv.FormatBool(c.secure),
@@ -266,7 +267,8 @@ func TestConnectInject_RestartConsulClients(t *testing.T) {
 	ctx := suite.Environment().DefaultContext(t)
 
 	helmValues := map[string]string{
-		"connectInject.enabled": "true",
+		"connectInject.enabled":     "true",
+		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
 	}
 
 	releaseName := helpers.RandomName()
@@ -301,8 +303,10 @@ func TestConnectInject_RestartConsulClients(t *testing.T) {
 	}
 }
 
-const multiport = "multiport"
-const multiportAdmin = "multiport-admin"
+const (
+	multiport      = "multiport"
+	multiportAdmin = "multiport-admin"
+)
 
 // Test that Connect works for an application with multiple ports. The multiport application is a Pod listening on
 // two ports. This tests inbound connections to each port of the multiport app, and outbound connections from the
@@ -329,7 +333,8 @@ func TestConnectInject_MultiportServices(t *testing.T) {
 			}
 
 			helmValues := map[string]string{
-				"connectInject.enabled": "true",
+				"connectInject.enabled":     "true",
+				"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
 
 				"global.tls.enabled":           strconv.FormatBool(c.secure),
 				"global.tls.enableAutoEncrypt": strconv.FormatBool(c.autoEncrypt),
diff --git a/acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go b/acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go
index d1e5757f91..8b916b8a7d 100644
--- a/acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go
+++ b/acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go
@@ -45,7 +45,8 @@ func TestIngressGatewaySingleNamespace(t *testing.T) {
 			// Install the Helm chart without the ingress gateway first
 			// so that we can create the namespace for it.
 			helmValues := map[string]string{
-				"connectInject.enabled": "true",
+				"connectInject.enabled":                                     "true",
+				"connectInject.cni.enabled":                                 strconv.FormatBool(cfg.EnableCNI),
 				"connectInject.consulNamespaces.consulDestinationNamespace": testNamespace,
 
 				"global.enableConsulNamespaces": "true",
@@ -187,6 +188,7 @@ func TestIngressGatewayNamespaceMirroring(t *testing.T) {
 			// so that we can create the namespace for it.
 			helmValues := map[string]string{
 				"connectInject.enabled":                       "true",
+				"connectInject.cni.enabled":                   strconv.FormatBool(cfg.EnableCNI),
 				"connectInject.consulNamespaces.mirroringK8S": "true",
 
 				"global.enableConsulNamespaces": "true",
diff --git a/acceptance/tests/ingress-gateway/ingress_gateway_test.go b/acceptance/tests/ingress-gateway/ingress_gateway_test.go
index a913d2c024..38c67fa7f8 100644
--- a/acceptance/tests/ingress-gateway/ingress_gateway_test.go
+++ b/acceptance/tests/ingress-gateway/ingress_gateway_test.go
@@ -42,6 +42,7 @@ func TestIngressGateway(t *testing.T) {
 			igName := "ingress-gateway"
 			helmValues := map[string]string{
 				"connectInject.enabled":                "true",
+				"connectInject.cni.enabled":            strconv.FormatBool(cfg.EnableCNI),
 				"ingressGateways.enabled":              "true",
 				"ingressGateways.gateways[0].name":     igName,
 				"ingressGateways.gateways[0].replicas": "1",
diff --git a/acceptance/tests/mesh-gateway/mesh_gateway_test.go b/acceptance/tests/mesh-gateway/mesh_gateway_test.go
index 557f5befc1..d762c32a19 100644
--- a/acceptance/tests/mesh-gateway/mesh_gateway_test.go
+++ b/acceptance/tests/mesh-gateway/mesh_gateway_test.go
@@ -3,6 +3,7 @@ package meshgateway
 import (
 	"context"
 	"fmt"
+	"strconv"
 	"testing"
 
 	"github.com/hashicorp/consul-k8s/acceptance/framework/consul"
@@ -33,9 +34,10 @@ func TestMeshGatewayDefault(t *testing.T) {
 		"global.federation.enabled":                "true",
 		"global.federation.createFederationSecret": "true",
 
-		"connectInject.enabled":  "true",
-		"connectInject.replicas": "1",
-		"controller.enabled":     "true",
+		"connectInject.enabled":     "true",
+		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
+		"connectInject.replicas":    "1",
+		"controller.enabled":        "true",
 
 		"meshGateway.enabled":  "true",
 		"meshGateway.replicas": "1",
@@ -80,9 +82,10 @@ func TestMeshGatewayDefault(t *testing.T) {
 		"server.extraVolumes[0].items[0].key":  "serverConfigJSON",
 		"server.extraVolumes[0].items[0].path": "config.json",
 
-		"connectInject.enabled":  "true",
-		"connectInject.replicas": "1",
-		"controller.enabled":     "true",
+		"connectInject.enabled":     "true",
+		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
+		"connectInject.replicas":    "1",
+		"controller.enabled":        "true",
 
 		"meshGateway.enabled":  "true",
 		"meshGateway.replicas": "1",
@@ -167,9 +170,10 @@ func TestMeshGatewaySecure(t *testing.T) {
 				"global.federation.enabled":                "true",
 				"global.federation.createFederationSecret": "true",
 
-				"connectInject.enabled":  "true",
-				"connectInject.replicas": "1",
-				"controller.enabled":     "true",
+				"connectInject.enabled":     "true",
+				"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
+				"connectInject.replicas":    "1",
+				"controller.enabled":        "true",
 
 				"meshGateway.enabled":  "true",
 				"meshGateway.replicas": "1",
diff --git a/acceptance/tests/metrics/metrics_test.go b/acceptance/tests/metrics/metrics_test.go
index 16bc101125..0d4e749eff 100644
--- a/acceptance/tests/metrics/metrics_test.go
+++ b/acceptance/tests/metrics/metrics_test.go
@@ -3,6 +3,7 @@ package metrics
 import (
 	"context"
 	"fmt"
+	"strconv"
 	"testing"
 	"time"
 
@@ -32,8 +33,10 @@ func TestComponentMetrics(t *testing.T) {
 		"global.metrics.enabled":            "true",
 		"global.metrics.enableAgentMetrics": "true",
 
-		"connectInject.enabled": "true",
-		"controller.enabled":    "true",
+		"connectInject.enabled":     "true",
+		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
+
+		"controller.enabled": "true",
 
 		"meshGateway.enabled":      "true",
 		"meshGateway.replicas":     "1",
@@ -99,7 +102,9 @@ func TestAppMetrics(t *testing.T) {
 		"global.datacenter":      "dc1",
 		"global.metrics.enabled": "true",
 
-		"connectInject.enabled":                      "true",
+		"connectInject.enabled":     "true",
+		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
+
 		"connectInject.metrics.defaultEnableMerging": "true",
 	}
 
diff --git a/acceptance/tests/partitions/partitions_connect_test.go b/acceptance/tests/partitions/partitions_connect_test.go
index e1a43850d6..553bcd4313 100644
--- a/acceptance/tests/partitions/partitions_connect_test.go
+++ b/acceptance/tests/partitions/partitions_connect_test.go
@@ -18,10 +18,12 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-const StaticClientName = "static-client"
-const staticServerName = "static-server"
-const staticServerNamespace = "ns1"
-const StaticClientNamespace = "ns2"
+const (
+	StaticClientName      = "static-client"
+	staticServerName      = "static-server"
+	staticServerNamespace = "ns1"
+	StaticClientNamespace = "ns2"
+)
 
 // Test that Connect works in a default and ACLsAndAutoEncryptEnabled installations for X-Partition and in-partition networking.
 func TestPartitions_Connect(t *testing.T) {
@@ -97,7 +99,8 @@ func TestPartitions_Connect(t *testing.T) {
 
 				"global.acls.manageSystemACLs": strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
 
-				"connectInject.enabled": "true",
+				"connectInject.enabled":     "true",
+				"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
 				// When mirroringK8S is set, this setting is ignored.
 				"connectInject.consulNamespaces.consulDestinationNamespace": c.destinationNamespace,
 				"connectInject.consulNamespaces.mirroringK8S":               strconv.FormatBool(c.mirrorK8S),
@@ -442,8 +445,24 @@ func TestPartitions_Connect(t *testing.T) {
 				// from server, which is the case when a connection is unsuccessful due to intentions in other tests.
 				logger.Log(t, "checking that connection is unsuccessful")
 				if cfg.EnableTransparentProxy {
-					k8s.CheckStaticServerConnectionMultipleFailureMessages(t, serverClusterStaticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.%s", staticServerNamespace))
-					k8s.CheckStaticServerConnectionMultipleFailureMessages(t, clientClusterStaticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.%s", staticServerNamespace))
+					k8s.CheckStaticServerConnectionMultipleFailureMessages(
+						t,
+						serverClusterStaticClientOpts,
+						StaticClientName,
+						false,
+						[]string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"},
+						"",
+						fmt.Sprintf("http://static-server.%s", staticServerNamespace),
+					)
+					k8s.CheckStaticServerConnectionMultipleFailureMessages(
+						t,
+						clientClusterStaticClientOpts,
+						StaticClientName,
+						false,
+						[]string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"},
+						"",
+						fmt.Sprintf("http://static-server.%s", staticServerNamespace),
+					)
 				} else {
 					k8s.CheckStaticServerConnectionMultipleFailureMessages(t, serverClusterStaticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server"}, "", "http://localhost:1234")
 					k8s.CheckStaticServerConnectionMultipleFailureMessages(t, clientClusterStaticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server"}, "", "http://localhost:1234")
@@ -616,8 +635,24 @@ func TestPartitions_Connect(t *testing.T) {
 				logger.Log(t, "checking that connection is unsuccessful")
 				if cfg.EnableTransparentProxy {
 					if !c.mirrorK8S {
-						k8s.CheckStaticServerConnectionMultipleFailureMessages(t, serverClusterStaticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.virtual.%s.ns.%s.ap.dc1.dc.consul", c.destinationNamespace, secondaryPartition))
-						k8s.CheckStaticServerConnectionMultipleFailureMessages(t, clientClusterStaticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.virtual.%s.ns.%s.ap.dc1.dc.consul", c.destinationNamespace, defaultPartition))
+						k8s.CheckStaticServerConnectionMultipleFailureMessages(
+							t,
+							serverClusterStaticClientOpts,
+							StaticClientName,
+							false,
+							[]string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"},
+							"",
+							fmt.Sprintf("http://static-server.virtual.%s.ns.%s.ap.dc1.dc.consul", c.destinationNamespace, secondaryPartition),
+						)
+						k8s.CheckStaticServerConnectionMultipleFailureMessages(
+							t,
+							clientClusterStaticClientOpts,
+							StaticClientName,
+							false,
+							[]string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"},
+							"",
+							fmt.Sprintf("http://static-server.virtual.%s.ns.%s.ap.dc1.dc.consul", c.destinationNamespace, defaultPartition),
+						)
 					} else {
 						k8s.CheckStaticServerConnectionMultipleFailureMessages(t, serverClusterStaticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.virtual.%s.ns.%s.ap.dc1.dc.consul", staticServerNamespace, secondaryPartition))
 						k8s.CheckStaticServerConnectionMultipleFailureMessages(t, clientClusterStaticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.virtual.%s.ns.%s.ap.dc1.dc.consul", staticServerNamespace, defaultPartition))
diff --git a/acceptance/tests/peering/peering_connect_namespaces_test.go b/acceptance/tests/peering/peering_connect_namespaces_test.go
index 05915eb507..914643002a 100644
--- a/acceptance/tests/peering/peering_connect_namespaces_test.go
+++ b/acceptance/tests/peering/peering_connect_namespaces_test.go
@@ -20,10 +20,12 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-const staticClientName = "static-client"
-const staticServerName = "static-server"
-const staticServerNamespace = "ns1"
-const staticClientNamespace = "ns2"
+const (
+	staticClientName      = "static-client"
+	staticServerName      = "static-server"
+	staticServerNamespace = "ns1"
+	staticClientNamespace = "ns2"
+)
 
 // Test that Connect works in installations for X-Peers networking.
 func TestPeering_ConnectNamespaces(t *testing.T) {
@@ -102,7 +104,8 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 
 				"global.acls.manageSystemACLs": strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
 
-				"connectInject.enabled": "true",
+				"connectInject.enabled":     "true",
+				"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
 
 				// When mirroringK8S is set, this setting is ignored.
 				"connectInject.consulNamespaces.consulDestinationNamespace": c.destinationNamespace,
@@ -299,7 +302,15 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 			if c.ACLsAndAutoEncryptEnabled {
 				logger.Log(t, "checking that the connection is not successful because there's no allow intention")
 				if cfg.EnableTransparentProxy {
-					k8s.CheckStaticServerConnectionMultipleFailureMessages(t, staticClientOpts, staticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", fmt.Sprintf("curl: (7) Failed to connect to static-server.%s port 80: Connection refused", c.destinationNamespace)}, "", fmt.Sprintf("http://static-server.virtual.%s.%s.consul", c.destinationNamespace, staticServerPeer))
+					k8s.CheckStaticServerConnectionMultipleFailureMessages(
+						t,
+						staticClientOpts,
+						staticClientName,
+						false,
+						[]string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", fmt.Sprintf("curl: (7) Failed to connect to static-server.%s port 80: Connection refused", c.destinationNamespace)},
+						"",
+						fmt.Sprintf("http://static-server.virtual.%s.%s.consul", c.destinationNamespace, staticServerPeer),
+					)
 				} else {
 					k8s.CheckStaticServerConnectionFailing(t, staticClientOpts, staticClientName, "http://localhost:1234")
 				}
diff --git a/acceptance/tests/peering/peering_connect_test.go b/acceptance/tests/peering/peering_connect_test.go
index 6a884b2efa..4d589be923 100644
--- a/acceptance/tests/peering/peering_connect_test.go
+++ b/acceptance/tests/peering/peering_connect_test.go
@@ -61,7 +61,8 @@ func TestPeering_Connect(t *testing.T) {
 
 				"global.acls.manageSystemACLs": strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
 
-				"connectInject.enabled": "true",
+				"connectInject.enabled":     "true",
+				"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
 
 				"meshGateway.enabled":  "true",
 				"meshGateway.replicas": "1",
@@ -230,7 +231,15 @@ func TestPeering_Connect(t *testing.T) {
 			if c.ACLsAndAutoEncryptEnabled {
 				logger.Log(t, "checking that the connection is not successful because there's no allow intention")
 				if cfg.EnableTransparentProxy {
-					k8s.CheckStaticServerConnectionMultipleFailureMessages(t, staticClientOpts, staticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.virtual.%s.consul", staticServerPeer))
+					k8s.CheckStaticServerConnectionMultipleFailureMessages(
+						t,
+						staticClientOpts,
+						staticClientName,
+						false,
+						[]string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server port 80: Connection refused"},
+						"",
+						fmt.Sprintf("http://static-server.virtual.%s.consul", staticServerPeer),
+					)
 				} else {
 					k8s.CheckStaticServerConnectionFailing(t, staticClientOpts, staticClientName, "http://localhost:1234")
 				}
diff --git a/acceptance/tests/terminating-gateway/terminating_gateway_destinations_test.go b/acceptance/tests/terminating-gateway/terminating_gateway_destinations_test.go
index d18d971743..ccc8a2cd1b 100644
--- a/acceptance/tests/terminating-gateway/terminating_gateway_destinations_test.go
+++ b/acceptance/tests/terminating-gateway/terminating_gateway_destinations_test.go
@@ -2,11 +2,12 @@ package terminatinggateway
 
 import (
 	"fmt"
+	"strconv"
+	"testing"
+
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/go-version"
 	"github.com/stretchr/testify/require"
-	"strconv"
-	"testing"
 
 	"github.com/hashicorp/consul-k8s/acceptance/framework/consul"
 	"github.com/hashicorp/consul-k8s/acceptance/framework/helpers"
@@ -53,7 +54,9 @@ func TestTerminatingGatewayDestinations(t *testing.T) {
 			ctx := suite.Environment().DefaultContext(t)
 
 			helmValues := map[string]string{
-				"connectInject.enabled":                    "true",
+				"connectInject.enabled":     "true",
+				"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
+
 				"terminatingGateways.enabled":              "true",
 				"terminatingGateways.gateways[0].name":     "terminating-gateway",
 				"terminatingGateways.gateways[0].replicas": "1",
@@ -139,6 +142,7 @@ func TestTerminatingGatewayDestinations(t *testing.T) {
 		})
 	}
 }
+
 func createServiceDefaultDestination(t *testing.T, consulClient *api.Client, serviceNamespace string, name string, protocol string, port int, addresses ...string) {
 	t.Helper()
 
diff --git a/acceptance/tests/terminating-gateway/terminating_gateway_namespaces_test.go b/acceptance/tests/terminating-gateway/terminating_gateway_namespaces_test.go
index 7168fdd4e8..71019c490b 100644
--- a/acceptance/tests/terminating-gateway/terminating_gateway_namespaces_test.go
+++ b/acceptance/tests/terminating-gateway/terminating_gateway_namespaces_test.go
@@ -45,7 +45,8 @@ func TestTerminatingGatewaySingleNamespace(t *testing.T) {
 			// Install the Helm chart without the terminating gateway first
 			// so that we can create the namespace for it.
 			helmValues := map[string]string{
-				"connectInject.enabled": "true",
+				"connectInject.enabled":                                     "true",
+				"connectInject.cni.enabled":                                 strconv.FormatBool(cfg.EnableCNI),
 				"connectInject.consulNamespaces.consulDestinationNamespace": testNamespace,
 
 				"global.enableConsulNamespaces": "true",
@@ -160,6 +161,7 @@ func TestTerminatingGatewayNamespaceMirroring(t *testing.T) {
 			// so that we can create the namespace for it.
 			helmValues := map[string]string{
 				"connectInject.enabled":                       "true",
+				"connectInject.cni.enabled":                   strconv.FormatBool(cfg.EnableCNI),
 				"connectInject.consulNamespaces.mirroringK8S": "true",
 
 				"global.enableConsulNamespaces": "true",
diff --git a/acceptance/tests/terminating-gateway/terminating_gateway_test.go b/acceptance/tests/terminating-gateway/terminating_gateway_test.go
index 8facd30f53..682aa48526 100644
--- a/acceptance/tests/terminating-gateway/terminating_gateway_test.go
+++ b/acceptance/tests/terminating-gateway/terminating_gateway_test.go
@@ -39,7 +39,9 @@ func TestTerminatingGateway(t *testing.T) {
 			cfg := suite.Config()
 
 			helmValues := map[string]string{
-				"connectInject.enabled":                    "true",
+				"connectInject.enabled":     "true",
+				"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
+
 				"terminatingGateways.enabled":              "true",
 				"terminatingGateways.gateways[0].name":     "terminating-gateway",
 				"terminatingGateways.gateways[0].replicas": "1",
diff --git a/acceptance/tests/vault/vault_namespaces_test.go b/acceptance/tests/vault/vault_namespaces_test.go
index 82ed605a48..4dbf44e8d1 100644
--- a/acceptance/tests/vault/vault_namespaces_test.go
+++ b/acceptance/tests/vault/vault_namespaces_test.go
@@ -3,6 +3,7 @@ package vault
 import (
 	"fmt"
 	"os"
+	"strconv"
 	"testing"
 
 	terratestLogger "github.com/gruntwork-io/terratest/modules/logger"
@@ -106,7 +107,7 @@ func TestVault_VaultNamespace(t *testing.T) {
 		licenseSecret.SaveSecretAndAddReadPolicy(t, vaultClient)
 	}
 
-	//Bootstrap Token
+	// Bootstrap Token
 	bootstrapToken, err := uuid.GenerateUUID()
 	require.NoError(t, err)
 	bootstrapTokenSecret := &vault.KV2Secret{
@@ -177,9 +178,10 @@ func TestVault_VaultNamespace(t *testing.T) {
 		"server.extraVolumes[0].name": vaultCASecret,
 		"server.extraVolumes[0].load": "false",
 
-		"connectInject.enabled":  "true",
-		"connectInject.replicas": "1",
-		"controller.enabled":     "true",
+		"connectInject.enabled":     "true",
+		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
+		"connectInject.replicas":    "1",
+		"controller.enabled":        "true",
 
 		"global.secretsBackend.vault.enabled":              "true",
 		"global.secretsBackend.vault.consulServerRole":     consulServerRole,
diff --git a/acceptance/tests/vault/vault_partitions_test.go b/acceptance/tests/vault/vault_partitions_test.go
index 31eac7bc1a..7c43a8276c 100644
--- a/acceptance/tests/vault/vault_partitions_test.go
+++ b/acceptance/tests/vault/vault_partitions_test.go
@@ -3,6 +3,7 @@ package vault
 import (
 	"context"
 	"fmt"
+	"strconv"
 	"testing"
 
 	"github.com/hashicorp/consul-k8s/acceptance/framework/consul"
@@ -286,9 +287,10 @@ func TestVault_Partitions(t *testing.T) {
 
 		"global.enableConsulNamespaces": "true",
 
-		"connectInject.enabled":  "true",
-		"connectInject.replicas": "1",
-		"controller.enabled":     "true",
+		"connectInject.enabled":     "true",
+		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
+		"connectInject.replicas":    "1",
+		"controller.enabled":        "true",
 
 		"global.secretsBackend.vault.enabled":              "true",
 		"global.secretsBackend.vault.consulClientRole":     consulClientRole,
diff --git a/acceptance/tests/vault/vault_test.go b/acceptance/tests/vault/vault_test.go
index 49b1b59bf8..3f6cae2e0a 100644
--- a/acceptance/tests/vault/vault_test.go
+++ b/acceptance/tests/vault/vault_test.go
@@ -3,6 +3,7 @@ package vault
 import (
 	"context"
 	"fmt"
+	"strconv"
 	"testing"
 	"time"
 
@@ -207,9 +208,10 @@ func TestVault(t *testing.T) {
 		"server.extraVolumes[0].name": vaultCASecret,
 		"server.extraVolumes[0].load": "false",
 
-		"connectInject.enabled":  "true",
-		"connectInject.replicas": "1",
-		"controller.enabled":     "true",
+		"connectInject.enabled":     "true",
+		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
+		"connectInject.replicas":    "1",
+		"controller.enabled":        "true",
 		"global.secretsBackend.vault.connectInject.tlsCert.secretName": connectInjectorWebhookPKIConfig.CertPath,
 		"global.secretsBackend.vault.connectInject.caCert.secretName":  connectInjectorWebhookPKIConfig.CAPath,
 		"global.secretsBackend.vault.controller.tlsCert.secretName":    controllerWebhookPKIConfig.CertPath,
diff --git a/acceptance/tests/vault/vault_tls_auto_reload_test.go b/acceptance/tests/vault/vault_tls_auto_reload_test.go
index 6cbcb5d351..d3cf2398be 100644
--- a/acceptance/tests/vault/vault_tls_auto_reload_test.go
+++ b/acceptance/tests/vault/vault_tls_auto_reload_test.go
@@ -4,6 +4,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
+	"strconv"
 	"testing"
 	"time"
 
@@ -59,7 +60,7 @@ func TestVault_TLSAutoReload(t *testing.T) {
 	// If wanting to make this higher, there is no problem except for consideration of how long the test will
 	// take to complete.
 	expirationInSeconds := 30
-	//Configure Server PKI
+	// Configure Server PKI
 	serverPKIConfig := &vault.PKIAndAuthRoleConfiguration{
 		BaseURL:             "pki",
 		PolicyName:          "consul-ca-policy",
@@ -169,9 +170,10 @@ func TestVault_TLSAutoReload(t *testing.T) {
 		"server.extraVolumes[0].name": vaultCASecret,
 		"server.extraVolumes[0].load": "false",
 
-		"connectInject.enabled":  "true",
-		"connectInject.replicas": "1",
-		"controller.enabled":     "true",
+		"connectInject.enabled":     "true",
+		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
+		"connectInject.replicas":    "1",
+		"controller.enabled":        "true",
 
 		"global.secretsBackend.vault.enabled":              "true",
 		"global.secretsBackend.vault.consulServerRole":     consulServerRole,
@@ -277,7 +279,6 @@ func TestVault_TLSAutoReload(t *testing.T) {
 	// by comparing the NotAfter on the two certs.
 	require.NotEqual(t, httpsCert.NotAfter, httpsCert2.NotAfter)
 	require.NotEqual(t, rpcCert.NotAfter, rpcCert2.NotAfter)
-
 }
 
 func getCertificate(t *testing.T, address string) (*x509.Certificate, error) {
diff --git a/acceptance/tests/vault/vault_wan_fed_test.go b/acceptance/tests/vault/vault_wan_fed_test.go
index a58f45ee97..386e778a72 100644
--- a/acceptance/tests/vault/vault_wan_fed_test.go
+++ b/acceptance/tests/vault/vault_wan_fed_test.go
@@ -3,6 +3,7 @@ package vault
 import (
 	"context"
 	"fmt"
+	"strconv"
 	"testing"
 
 	"github.com/hashicorp/consul-k8s/acceptance/framework/config"
@@ -350,10 +351,11 @@ func TestVault_WANFederationViaGateways(t *testing.T) {
 		"global.acls.replicationToken.secretKey":  replicationTokenSecret.Key,
 
 		// Mesh config.
-		"connectInject.enabled": "true",
-		"controller.enabled":    "true",
-		"meshGateway.enabled":   "true",
-		"meshGateway.replicas":  "1",
+		"connectInject.enabled":     "true",
+		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
+		"controller.enabled":        "true",
+		"meshGateway.enabled":       "true",
+		"meshGateway.replicas":      "1",
 
 		// Server config.
 		"server.extraVolumes[0].type": "secret",
@@ -425,9 +427,10 @@ func TestVault_WANFederationViaGateways(t *testing.T) {
 		"global.acls.replicationToken.secretKey":  replicationTokenSecret.Key,
 
 		// Mesh config.
-		"connectInject.enabled": "true",
-		"meshGateway.enabled":   "true",
-		"meshGateway.replicas":  "1",
+		"connectInject.enabled":     "true",
+		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
+		"meshGateway.enabled":       "true",
+		"meshGateway.replicas":      "1",
 
 		// Server config.
 		"server.extraVolumes[0].type": "secret",

From 5e1b03e0344f7102c3aeb8def456d0fbb408db10 Mon Sep 17 00:00:00 2001
From: Curt Bushko <cbushko@gmail.com>
Date: Wed, 24 Aug 2022 11:17:53 -0400
Subject: [PATCH 3/8] missed setting cni.enabled for one mesh test

---
 acceptance/tests/mesh-gateway/mesh_gateway_test.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/acceptance/tests/mesh-gateway/mesh_gateway_test.go b/acceptance/tests/mesh-gateway/mesh_gateway_test.go
index d762c32a19..8a35ba08a7 100644
--- a/acceptance/tests/mesh-gateway/mesh_gateway_test.go
+++ b/acceptance/tests/mesh-gateway/mesh_gateway_test.go
@@ -239,6 +239,7 @@ func TestMeshGatewaySecure(t *testing.T) {
 				"server.extraVolumes[0].items[0].path": "config.json",
 
 				"connectInject.enabled":  "true",
+				"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
 				"connectInject.replicas": "1",
 				"controller.enabled":     "true",
 

From 5e084660abcd52fa41ffbc103f8ca6ec457bc2ba Mon Sep 17 00:00:00 2001
From: Curt Bushko <cbushko@gmail.com>
Date: Wed, 24 Aug 2022 11:24:43 -0400
Subject: [PATCH 4/8] fix lint

---
 acceptance/tests/mesh-gateway/mesh_gateway_test.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/acceptance/tests/mesh-gateway/mesh_gateway_test.go b/acceptance/tests/mesh-gateway/mesh_gateway_test.go
index 8a35ba08a7..cc23317e7f 100644
--- a/acceptance/tests/mesh-gateway/mesh_gateway_test.go
+++ b/acceptance/tests/mesh-gateway/mesh_gateway_test.go
@@ -238,10 +238,10 @@ func TestMeshGatewaySecure(t *testing.T) {
 				"server.extraVolumes[0].items[0].key":  "serverConfigJSON",
 				"server.extraVolumes[0].items[0].path": "config.json",
 
-				"connectInject.enabled":  "true",
+				"connectInject.enabled":     "true",
 				"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
-				"connectInject.replicas": "1",
-				"controller.enabled":     "true",
+				"connectInject.replicas":    "1",
+				"controller.enabled":        "true",
 
 				"meshGateway.enabled":  "true",
 				"meshGateway.replicas": "1",

From 9b127ffae1fa706b78feb748b749f89e304c89b3 Mon Sep 17 00:00:00 2001
From: Curt Bushko <cbushko@gmail.com>
Date: Wed, 24 Aug 2022 12:19:03 -0400
Subject: [PATCH 5/8] revert a line in circle ci config

---
 .circleci/config.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 06ea9d0293..9efea25838 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -276,8 +276,7 @@ jobs:
       - run:
           name: build local
           working_directory: *control-plane-path
-          command: |
-            XC_OS="<< parameters.OS >>" XC_ARCH="<< parameters.ARCH >>" ./build-support/scripts/build-local.sh
+          command: XC_OS="<< parameters.OS >>" XC_ARCH="<< parameters.ARCH >>" ./build-support/scripts/build-local.sh
       # persist to downstream job
       - persist_to_workspace:
           root: .

From 14c51462f274d6bff8a870f9c9f444d140615464 Mon Sep 17 00:00:00 2001
From: Curt Bushko <cbushko@gmail.com>
Date: Wed, 24 Aug 2022 15:48:33 -0400
Subject: [PATCH 6/8] Add CNI Kind tests to test-and-build, remove unneeded
 sleeps, remove connectInject.cni.enabled from several files as the framework
 will set this when the flag is passed in

---
 .../connect/connect_inject_namespaces_test.go | 18 ++-----
 .../tests/connect/connect_inject_test.go      | 13 ++---
 .../ingress_gateway_namespaces_test.go        |  4 +-
 .../ingress-gateway/ingress_gateway_test.go   |  1 -
 .../tests/mesh-gateway/mesh_gateway_test.go   | 29 +++++-----
 acceptance/tests/metrics/metrics_test.go      | 11 ++--
 .../partitions/partitions_connect_test.go     | 53 ++++---------------
 .../peering_connect_namespaces_test.go        | 23 +++-----
 .../tests/peering/peering_connect_test.go     | 13 +----
 .../terminating_gateway_destinations_test.go  | 10 ++--
 .../terminating_gateway_namespaces_test.go    |  4 +-
 .../terminating_gateway_test.go               |  4 +-
 .../tests/vault/vault_namespaces_test.go      | 10 ++--
 .../tests/vault/vault_partitions_test.go      |  8 ++-
 acceptance/tests/vault/vault_test.go          |  8 ++-
 .../tests/vault/vault_tls_auto_reload_test.go | 11 ++--
 acceptance/tests/vault/vault_wan_fed_test.go  | 17 +++---
 17 files changed, 67 insertions(+), 170 deletions(-)

diff --git a/acceptance/tests/connect/connect_inject_namespaces_test.go b/acceptance/tests/connect/connect_inject_namespaces_test.go
index 604e04fb78..22fcc19c7a 100644
--- a/acceptance/tests/connect/connect_inject_namespaces_test.go
+++ b/acceptance/tests/connect/connect_inject_namespaces_test.go
@@ -18,10 +18,8 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-const (
-	staticServerNamespace = "ns1"
-	StaticClientNamespace = "ns2"
-)
+const staticServerNamespace = "ns1"
+const StaticClientNamespace = "ns2"
 
 // Test that Connect works with Consul Enterprise namespaces.
 // These tests currently only test non-secure and secure without auto-encrypt installations
@@ -73,7 +71,6 @@ func TestConnectInjectNamespaces(t *testing.T) {
 			helmValues := map[string]string{
 				"global.enableConsulNamespaces": "true",
 				"connectInject.enabled":         "true",
-				"connectInject.cni.enabled":     strconv.FormatBool(cfg.EnableCNI),
 				// When mirroringK8S is set, this setting is ignored.
 				"connectInject.consulNamespaces.consulDestinationNamespace": c.destinationNamespace,
 				"connectInject.consulNamespaces.mirroringK8S":               strconv.FormatBool(c.mirrorK8S),
@@ -229,15 +226,7 @@ func TestConnectInjectNamespaces(t *testing.T) {
 			// from server, which is the case when a connection is unsuccessful due to intentions in other tests.
 			logger.Log(t, "checking that connection is unsuccessful")
 			if cfg.EnableTransparentProxy {
-				k8s.CheckStaticServerConnectionMultipleFailureMessages(
-					t,
-					staticClientOpts,
-					StaticClientName,
-					false,
-					[]string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"},
-					"",
-					fmt.Sprintf("http://static-server.%s", staticServerNamespace),
-				)
+				k8s.CheckStaticServerConnectionMultipleFailureMessages(t, staticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.%s", staticServerNamespace))
 			} else {
 				k8s.CheckStaticServerConnectionMultipleFailureMessages(t, staticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server"}, "", "http://localhost:1234")
 			}
@@ -296,7 +285,6 @@ func TestConnectInjectNamespaces_CleanupController(t *testing.T) {
 			helmValues := map[string]string{
 				"global.enableConsulNamespaces": "true",
 				"connectInject.enabled":         "true",
-				"connectInject.cni.enabled":     strconv.FormatBool(cfg.EnableCNI),
 				// When mirroringK8S is set, this setting is ignored.
 				"connectInject.consulNamespaces.consulDestinationNamespace": c.destinationNamespace,
 				"connectInject.consulNamespaces.mirroringK8S":               strconv.FormatBool(c.mirrorK8S),
diff --git a/acceptance/tests/connect/connect_inject_test.go b/acceptance/tests/connect/connect_inject_test.go
index a0433f6835..b57e188fdb 100644
--- a/acceptance/tests/connect/connect_inject_test.go
+++ b/acceptance/tests/connect/connect_inject_test.go
@@ -205,7 +205,6 @@ func TestConnectInject_CleanupKilledPods(t *testing.T) {
 
 			helmValues := map[string]string{
 				"connectInject.enabled":        "true",
-				"connectInject.cni.enabled":    strconv.FormatBool(cfg.EnableCNI),
 				"global.tls.enabled":           strconv.FormatBool(c.secure),
 				"global.tls.enableAutoEncrypt": strconv.FormatBool(c.autoEncrypt),
 				"global.acls.manageSystemACLs": strconv.FormatBool(c.secure),
@@ -267,8 +266,7 @@ func TestConnectInject_RestartConsulClients(t *testing.T) {
 	ctx := suite.Environment().DefaultContext(t)
 
 	helmValues := map[string]string{
-		"connectInject.enabled":     "true",
-		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
+		"connectInject.enabled": "true",
 	}
 
 	releaseName := helpers.RandomName()
@@ -303,10 +301,8 @@ func TestConnectInject_RestartConsulClients(t *testing.T) {
 	}
 }
 
-const (
-	multiport      = "multiport"
-	multiportAdmin = "multiport-admin"
-)
+const multiport = "multiport"
+const multiportAdmin = "multiport-admin"
 
 // Test that Connect works for an application with multiple ports. The multiport application is a Pod listening on
 // two ports. This tests inbound connections to each port of the multiport app, and outbound connections from the
@@ -333,8 +329,7 @@ func TestConnectInject_MultiportServices(t *testing.T) {
 			}
 
 			helmValues := map[string]string{
-				"connectInject.enabled":     "true",
-				"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
+				"connectInject.enabled": "true",
 
 				"global.tls.enabled":           strconv.FormatBool(c.secure),
 				"global.tls.enableAutoEncrypt": strconv.FormatBool(c.autoEncrypt),
diff --git a/acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go b/acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go
index 8b916b8a7d..d1e5757f91 100644
--- a/acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go
+++ b/acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go
@@ -45,8 +45,7 @@ func TestIngressGatewaySingleNamespace(t *testing.T) {
 			// Install the Helm chart without the ingress gateway first
 			// so that we can create the namespace for it.
 			helmValues := map[string]string{
-				"connectInject.enabled":                                     "true",
-				"connectInject.cni.enabled":                                 strconv.FormatBool(cfg.EnableCNI),
+				"connectInject.enabled": "true",
 				"connectInject.consulNamespaces.consulDestinationNamespace": testNamespace,
 
 				"global.enableConsulNamespaces": "true",
@@ -188,7 +187,6 @@ func TestIngressGatewayNamespaceMirroring(t *testing.T) {
 			// so that we can create the namespace for it.
 			helmValues := map[string]string{
 				"connectInject.enabled":                       "true",
-				"connectInject.cni.enabled":                   strconv.FormatBool(cfg.EnableCNI),
 				"connectInject.consulNamespaces.mirroringK8S": "true",
 
 				"global.enableConsulNamespaces": "true",
diff --git a/acceptance/tests/ingress-gateway/ingress_gateway_test.go b/acceptance/tests/ingress-gateway/ingress_gateway_test.go
index 38c67fa7f8..a913d2c024 100644
--- a/acceptance/tests/ingress-gateway/ingress_gateway_test.go
+++ b/acceptance/tests/ingress-gateway/ingress_gateway_test.go
@@ -42,7 +42,6 @@ func TestIngressGateway(t *testing.T) {
 			igName := "ingress-gateway"
 			helmValues := map[string]string{
 				"connectInject.enabled":                "true",
-				"connectInject.cni.enabled":            strconv.FormatBool(cfg.EnableCNI),
 				"ingressGateways.enabled":              "true",
 				"ingressGateways.gateways[0].name":     igName,
 				"ingressGateways.gateways[0].replicas": "1",
diff --git a/acceptance/tests/mesh-gateway/mesh_gateway_test.go b/acceptance/tests/mesh-gateway/mesh_gateway_test.go
index cc23317e7f..557f5befc1 100644
--- a/acceptance/tests/mesh-gateway/mesh_gateway_test.go
+++ b/acceptance/tests/mesh-gateway/mesh_gateway_test.go
@@ -3,7 +3,6 @@ package meshgateway
 import (
 	"context"
 	"fmt"
-	"strconv"
 	"testing"
 
 	"github.com/hashicorp/consul-k8s/acceptance/framework/consul"
@@ -34,10 +33,9 @@ func TestMeshGatewayDefault(t *testing.T) {
 		"global.federation.enabled":                "true",
 		"global.federation.createFederationSecret": "true",
 
-		"connectInject.enabled":     "true",
-		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
-		"connectInject.replicas":    "1",
-		"controller.enabled":        "true",
+		"connectInject.enabled":  "true",
+		"connectInject.replicas": "1",
+		"controller.enabled":     "true",
 
 		"meshGateway.enabled":  "true",
 		"meshGateway.replicas": "1",
@@ -82,10 +80,9 @@ func TestMeshGatewayDefault(t *testing.T) {
 		"server.extraVolumes[0].items[0].key":  "serverConfigJSON",
 		"server.extraVolumes[0].items[0].path": "config.json",
 
-		"connectInject.enabled":     "true",
-		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
-		"connectInject.replicas":    "1",
-		"controller.enabled":        "true",
+		"connectInject.enabled":  "true",
+		"connectInject.replicas": "1",
+		"controller.enabled":     "true",
 
 		"meshGateway.enabled":  "true",
 		"meshGateway.replicas": "1",
@@ -170,10 +167,9 @@ func TestMeshGatewaySecure(t *testing.T) {
 				"global.federation.enabled":                "true",
 				"global.federation.createFederationSecret": "true",
 
-				"connectInject.enabled":     "true",
-				"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
-				"connectInject.replicas":    "1",
-				"controller.enabled":        "true",
+				"connectInject.enabled":  "true",
+				"connectInject.replicas": "1",
+				"controller.enabled":     "true",
 
 				"meshGateway.enabled":  "true",
 				"meshGateway.replicas": "1",
@@ -238,10 +234,9 @@ func TestMeshGatewaySecure(t *testing.T) {
 				"server.extraVolumes[0].items[0].key":  "serverConfigJSON",
 				"server.extraVolumes[0].items[0].path": "config.json",
 
-				"connectInject.enabled":     "true",
-				"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
-				"connectInject.replicas":    "1",
-				"controller.enabled":        "true",
+				"connectInject.enabled":  "true",
+				"connectInject.replicas": "1",
+				"controller.enabled":     "true",
 
 				"meshGateway.enabled":  "true",
 				"meshGateway.replicas": "1",
diff --git a/acceptance/tests/metrics/metrics_test.go b/acceptance/tests/metrics/metrics_test.go
index 0d4e749eff..16bc101125 100644
--- a/acceptance/tests/metrics/metrics_test.go
+++ b/acceptance/tests/metrics/metrics_test.go
@@ -3,7 +3,6 @@ package metrics
 import (
 	"context"
 	"fmt"
-	"strconv"
 	"testing"
 	"time"
 
@@ -33,10 +32,8 @@ func TestComponentMetrics(t *testing.T) {
 		"global.metrics.enabled":            "true",
 		"global.metrics.enableAgentMetrics": "true",
 
-		"connectInject.enabled":     "true",
-		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
-
-		"controller.enabled": "true",
+		"connectInject.enabled": "true",
+		"controller.enabled":    "true",
 
 		"meshGateway.enabled":      "true",
 		"meshGateway.replicas":     "1",
@@ -102,9 +99,7 @@ func TestAppMetrics(t *testing.T) {
 		"global.datacenter":      "dc1",
 		"global.metrics.enabled": "true",
 
-		"connectInject.enabled":     "true",
-		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
-
+		"connectInject.enabled":                      "true",
 		"connectInject.metrics.defaultEnableMerging": "true",
 	}
 
diff --git a/acceptance/tests/partitions/partitions_connect_test.go b/acceptance/tests/partitions/partitions_connect_test.go
index 553bcd4313..e1a43850d6 100644
--- a/acceptance/tests/partitions/partitions_connect_test.go
+++ b/acceptance/tests/partitions/partitions_connect_test.go
@@ -18,12 +18,10 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-const (
-	StaticClientName      = "static-client"
-	staticServerName      = "static-server"
-	staticServerNamespace = "ns1"
-	StaticClientNamespace = "ns2"
-)
+const StaticClientName = "static-client"
+const staticServerName = "static-server"
+const staticServerNamespace = "ns1"
+const StaticClientNamespace = "ns2"
 
 // Test that Connect works in a default and ACLsAndAutoEncryptEnabled installations for X-Partition and in-partition networking.
 func TestPartitions_Connect(t *testing.T) {
@@ -99,8 +97,7 @@ func TestPartitions_Connect(t *testing.T) {
 
 				"global.acls.manageSystemACLs": strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
 
-				"connectInject.enabled":     "true",
-				"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
+				"connectInject.enabled": "true",
 				// When mirroringK8S is set, this setting is ignored.
 				"connectInject.consulNamespaces.consulDestinationNamespace": c.destinationNamespace,
 				"connectInject.consulNamespaces.mirroringK8S":               strconv.FormatBool(c.mirrorK8S),
@@ -445,24 +442,8 @@ func TestPartitions_Connect(t *testing.T) {
 				// from server, which is the case when a connection is unsuccessful due to intentions in other tests.
 				logger.Log(t, "checking that connection is unsuccessful")
 				if cfg.EnableTransparentProxy {
-					k8s.CheckStaticServerConnectionMultipleFailureMessages(
-						t,
-						serverClusterStaticClientOpts,
-						StaticClientName,
-						false,
-						[]string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"},
-						"",
-						fmt.Sprintf("http://static-server.%s", staticServerNamespace),
-					)
-					k8s.CheckStaticServerConnectionMultipleFailureMessages(
-						t,
-						clientClusterStaticClientOpts,
-						StaticClientName,
-						false,
-						[]string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"},
-						"",
-						fmt.Sprintf("http://static-server.%s", staticServerNamespace),
-					)
+					k8s.CheckStaticServerConnectionMultipleFailureMessages(t, serverClusterStaticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.%s", staticServerNamespace))
+					k8s.CheckStaticServerConnectionMultipleFailureMessages(t, clientClusterStaticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.%s", staticServerNamespace))
 				} else {
 					k8s.CheckStaticServerConnectionMultipleFailureMessages(t, serverClusterStaticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server"}, "", "http://localhost:1234")
 					k8s.CheckStaticServerConnectionMultipleFailureMessages(t, clientClusterStaticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server"}, "", "http://localhost:1234")
@@ -635,24 +616,8 @@ func TestPartitions_Connect(t *testing.T) {
 				logger.Log(t, "checking that connection is unsuccessful")
 				if cfg.EnableTransparentProxy {
 					if !c.mirrorK8S {
-						k8s.CheckStaticServerConnectionMultipleFailureMessages(
-							t,
-							serverClusterStaticClientOpts,
-							StaticClientName,
-							false,
-							[]string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"},
-							"",
-							fmt.Sprintf("http://static-server.virtual.%s.ns.%s.ap.dc1.dc.consul", c.destinationNamespace, secondaryPartition),
-						)
-						k8s.CheckStaticServerConnectionMultipleFailureMessages(
-							t,
-							clientClusterStaticClientOpts,
-							StaticClientName,
-							false,
-							[]string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"},
-							"",
-							fmt.Sprintf("http://static-server.virtual.%s.ns.%s.ap.dc1.dc.consul", c.destinationNamespace, defaultPartition),
-						)
+						k8s.CheckStaticServerConnectionMultipleFailureMessages(t, serverClusterStaticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.virtual.%s.ns.%s.ap.dc1.dc.consul", c.destinationNamespace, secondaryPartition))
+						k8s.CheckStaticServerConnectionMultipleFailureMessages(t, clientClusterStaticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.virtual.%s.ns.%s.ap.dc1.dc.consul", c.destinationNamespace, defaultPartition))
 					} else {
 						k8s.CheckStaticServerConnectionMultipleFailureMessages(t, serverClusterStaticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.virtual.%s.ns.%s.ap.dc1.dc.consul", staticServerNamespace, secondaryPartition))
 						k8s.CheckStaticServerConnectionMultipleFailureMessages(t, clientClusterStaticClientOpts, StaticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server.ns1 port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.virtual.%s.ns.%s.ap.dc1.dc.consul", staticServerNamespace, defaultPartition))
diff --git a/acceptance/tests/peering/peering_connect_namespaces_test.go b/acceptance/tests/peering/peering_connect_namespaces_test.go
index 914643002a..05915eb507 100644
--- a/acceptance/tests/peering/peering_connect_namespaces_test.go
+++ b/acceptance/tests/peering/peering_connect_namespaces_test.go
@@ -20,12 +20,10 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-const (
-	staticClientName      = "static-client"
-	staticServerName      = "static-server"
-	staticServerNamespace = "ns1"
-	staticClientNamespace = "ns2"
-)
+const staticClientName = "static-client"
+const staticServerName = "static-server"
+const staticServerNamespace = "ns1"
+const staticClientNamespace = "ns2"
 
 // Test that Connect works in installations for X-Peers networking.
 func TestPeering_ConnectNamespaces(t *testing.T) {
@@ -104,8 +102,7 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 
 				"global.acls.manageSystemACLs": strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
 
-				"connectInject.enabled":     "true",
-				"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
+				"connectInject.enabled": "true",
 
 				// When mirroringK8S is set, this setting is ignored.
 				"connectInject.consulNamespaces.consulDestinationNamespace": c.destinationNamespace,
@@ -302,15 +299,7 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 			if c.ACLsAndAutoEncryptEnabled {
 				logger.Log(t, "checking that the connection is not successful because there's no allow intention")
 				if cfg.EnableTransparentProxy {
-					k8s.CheckStaticServerConnectionMultipleFailureMessages(
-						t,
-						staticClientOpts,
-						staticClientName,
-						false,
-						[]string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", fmt.Sprintf("curl: (7) Failed to connect to static-server.%s port 80: Connection refused", c.destinationNamespace)},
-						"",
-						fmt.Sprintf("http://static-server.virtual.%s.%s.consul", c.destinationNamespace, staticServerPeer),
-					)
+					k8s.CheckStaticServerConnectionMultipleFailureMessages(t, staticClientOpts, staticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", fmt.Sprintf("curl: (7) Failed to connect to static-server.%s port 80: Connection refused", c.destinationNamespace)}, "", fmt.Sprintf("http://static-server.virtual.%s.%s.consul", c.destinationNamespace, staticServerPeer))
 				} else {
 					k8s.CheckStaticServerConnectionFailing(t, staticClientOpts, staticClientName, "http://localhost:1234")
 				}
diff --git a/acceptance/tests/peering/peering_connect_test.go b/acceptance/tests/peering/peering_connect_test.go
index 4d589be923..6a884b2efa 100644
--- a/acceptance/tests/peering/peering_connect_test.go
+++ b/acceptance/tests/peering/peering_connect_test.go
@@ -61,8 +61,7 @@ func TestPeering_Connect(t *testing.T) {
 
 				"global.acls.manageSystemACLs": strconv.FormatBool(c.ACLsAndAutoEncryptEnabled),
 
-				"connectInject.enabled":     "true",
-				"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
+				"connectInject.enabled": "true",
 
 				"meshGateway.enabled":  "true",
 				"meshGateway.replicas": "1",
@@ -231,15 +230,7 @@ func TestPeering_Connect(t *testing.T) {
 			if c.ACLsAndAutoEncryptEnabled {
 				logger.Log(t, "checking that the connection is not successful because there's no allow intention")
 				if cfg.EnableTransparentProxy {
-					k8s.CheckStaticServerConnectionMultipleFailureMessages(
-						t,
-						staticClientOpts,
-						staticClientName,
-						false,
-						[]string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server port 80: Connection refused"},
-						"",
-						fmt.Sprintf("http://static-server.virtual.%s.consul", staticServerPeer),
-					)
+					k8s.CheckStaticServerConnectionMultipleFailureMessages(t, staticClientOpts, staticClientName, false, []string{"curl: (56) Recv failure: Connection reset by peer", "curl: (52) Empty reply from server", "curl: (7) Failed to connect to static-server port 80: Connection refused"}, "", fmt.Sprintf("http://static-server.virtual.%s.consul", staticServerPeer))
 				} else {
 					k8s.CheckStaticServerConnectionFailing(t, staticClientOpts, staticClientName, "http://localhost:1234")
 				}
diff --git a/acceptance/tests/terminating-gateway/terminating_gateway_destinations_test.go b/acceptance/tests/terminating-gateway/terminating_gateway_destinations_test.go
index ccc8a2cd1b..d18d971743 100644
--- a/acceptance/tests/terminating-gateway/terminating_gateway_destinations_test.go
+++ b/acceptance/tests/terminating-gateway/terminating_gateway_destinations_test.go
@@ -2,12 +2,11 @@ package terminatinggateway
 
 import (
 	"fmt"
-	"strconv"
-	"testing"
-
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/go-version"
 	"github.com/stretchr/testify/require"
+	"strconv"
+	"testing"
 
 	"github.com/hashicorp/consul-k8s/acceptance/framework/consul"
 	"github.com/hashicorp/consul-k8s/acceptance/framework/helpers"
@@ -54,9 +53,7 @@ func TestTerminatingGatewayDestinations(t *testing.T) {
 			ctx := suite.Environment().DefaultContext(t)
 
 			helmValues := map[string]string{
-				"connectInject.enabled":     "true",
-				"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
-
+				"connectInject.enabled":                    "true",
 				"terminatingGateways.enabled":              "true",
 				"terminatingGateways.gateways[0].name":     "terminating-gateway",
 				"terminatingGateways.gateways[0].replicas": "1",
@@ -142,7 +139,6 @@ func TestTerminatingGatewayDestinations(t *testing.T) {
 		})
 	}
 }
-
 func createServiceDefaultDestination(t *testing.T, consulClient *api.Client, serviceNamespace string, name string, protocol string, port int, addresses ...string) {
 	t.Helper()
 
diff --git a/acceptance/tests/terminating-gateway/terminating_gateway_namespaces_test.go b/acceptance/tests/terminating-gateway/terminating_gateway_namespaces_test.go
index 71019c490b..7168fdd4e8 100644
--- a/acceptance/tests/terminating-gateway/terminating_gateway_namespaces_test.go
+++ b/acceptance/tests/terminating-gateway/terminating_gateway_namespaces_test.go
@@ -45,8 +45,7 @@ func TestTerminatingGatewaySingleNamespace(t *testing.T) {
 			// Install the Helm chart without the terminating gateway first
 			// so that we can create the namespace for it.
 			helmValues := map[string]string{
-				"connectInject.enabled":                                     "true",
-				"connectInject.cni.enabled":                                 strconv.FormatBool(cfg.EnableCNI),
+				"connectInject.enabled": "true",
 				"connectInject.consulNamespaces.consulDestinationNamespace": testNamespace,
 
 				"global.enableConsulNamespaces": "true",
@@ -161,7 +160,6 @@ func TestTerminatingGatewayNamespaceMirroring(t *testing.T) {
 			// so that we can create the namespace for it.
 			helmValues := map[string]string{
 				"connectInject.enabled":                       "true",
-				"connectInject.cni.enabled":                   strconv.FormatBool(cfg.EnableCNI),
 				"connectInject.consulNamespaces.mirroringK8S": "true",
 
 				"global.enableConsulNamespaces": "true",
diff --git a/acceptance/tests/terminating-gateway/terminating_gateway_test.go b/acceptance/tests/terminating-gateway/terminating_gateway_test.go
index 682aa48526..8facd30f53 100644
--- a/acceptance/tests/terminating-gateway/terminating_gateway_test.go
+++ b/acceptance/tests/terminating-gateway/terminating_gateway_test.go
@@ -39,9 +39,7 @@ func TestTerminatingGateway(t *testing.T) {
 			cfg := suite.Config()
 
 			helmValues := map[string]string{
-				"connectInject.enabled":     "true",
-				"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
-
+				"connectInject.enabled":                    "true",
 				"terminatingGateways.enabled":              "true",
 				"terminatingGateways.gateways[0].name":     "terminating-gateway",
 				"terminatingGateways.gateways[0].replicas": "1",
diff --git a/acceptance/tests/vault/vault_namespaces_test.go b/acceptance/tests/vault/vault_namespaces_test.go
index 4dbf44e8d1..82ed605a48 100644
--- a/acceptance/tests/vault/vault_namespaces_test.go
+++ b/acceptance/tests/vault/vault_namespaces_test.go
@@ -3,7 +3,6 @@ package vault
 import (
 	"fmt"
 	"os"
-	"strconv"
 	"testing"
 
 	terratestLogger "github.com/gruntwork-io/terratest/modules/logger"
@@ -107,7 +106,7 @@ func TestVault_VaultNamespace(t *testing.T) {
 		licenseSecret.SaveSecretAndAddReadPolicy(t, vaultClient)
 	}
 
-	// Bootstrap Token
+	//Bootstrap Token
 	bootstrapToken, err := uuid.GenerateUUID()
 	require.NoError(t, err)
 	bootstrapTokenSecret := &vault.KV2Secret{
@@ -178,10 +177,9 @@ func TestVault_VaultNamespace(t *testing.T) {
 		"server.extraVolumes[0].name": vaultCASecret,
 		"server.extraVolumes[0].load": "false",
 
-		"connectInject.enabled":     "true",
-		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
-		"connectInject.replicas":    "1",
-		"controller.enabled":        "true",
+		"connectInject.enabled":  "true",
+		"connectInject.replicas": "1",
+		"controller.enabled":     "true",
 
 		"global.secretsBackend.vault.enabled":              "true",
 		"global.secretsBackend.vault.consulServerRole":     consulServerRole,
diff --git a/acceptance/tests/vault/vault_partitions_test.go b/acceptance/tests/vault/vault_partitions_test.go
index 7c43a8276c..31eac7bc1a 100644
--- a/acceptance/tests/vault/vault_partitions_test.go
+++ b/acceptance/tests/vault/vault_partitions_test.go
@@ -3,7 +3,6 @@ package vault
 import (
 	"context"
 	"fmt"
-	"strconv"
 	"testing"
 
 	"github.com/hashicorp/consul-k8s/acceptance/framework/consul"
@@ -287,10 +286,9 @@ func TestVault_Partitions(t *testing.T) {
 
 		"global.enableConsulNamespaces": "true",
 
-		"connectInject.enabled":     "true",
-		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
-		"connectInject.replicas":    "1",
-		"controller.enabled":        "true",
+		"connectInject.enabled":  "true",
+		"connectInject.replicas": "1",
+		"controller.enabled":     "true",
 
 		"global.secretsBackend.vault.enabled":              "true",
 		"global.secretsBackend.vault.consulClientRole":     consulClientRole,
diff --git a/acceptance/tests/vault/vault_test.go b/acceptance/tests/vault/vault_test.go
index 3f6cae2e0a..49b1b59bf8 100644
--- a/acceptance/tests/vault/vault_test.go
+++ b/acceptance/tests/vault/vault_test.go
@@ -3,7 +3,6 @@ package vault
 import (
 	"context"
 	"fmt"
-	"strconv"
 	"testing"
 	"time"
 
@@ -208,10 +207,9 @@ func TestVault(t *testing.T) {
 		"server.extraVolumes[0].name": vaultCASecret,
 		"server.extraVolumes[0].load": "false",
 
-		"connectInject.enabled":     "true",
-		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
-		"connectInject.replicas":    "1",
-		"controller.enabled":        "true",
+		"connectInject.enabled":  "true",
+		"connectInject.replicas": "1",
+		"controller.enabled":     "true",
 		"global.secretsBackend.vault.connectInject.tlsCert.secretName": connectInjectorWebhookPKIConfig.CertPath,
 		"global.secretsBackend.vault.connectInject.caCert.secretName":  connectInjectorWebhookPKIConfig.CAPath,
 		"global.secretsBackend.vault.controller.tlsCert.secretName":    controllerWebhookPKIConfig.CertPath,
diff --git a/acceptance/tests/vault/vault_tls_auto_reload_test.go b/acceptance/tests/vault/vault_tls_auto_reload_test.go
index d3cf2398be..6cbcb5d351 100644
--- a/acceptance/tests/vault/vault_tls_auto_reload_test.go
+++ b/acceptance/tests/vault/vault_tls_auto_reload_test.go
@@ -4,7 +4,6 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
-	"strconv"
 	"testing"
 	"time"
 
@@ -60,7 +59,7 @@ func TestVault_TLSAutoReload(t *testing.T) {
 	// If wanting to make this higher, there is no problem except for consideration of how long the test will
 	// take to complete.
 	expirationInSeconds := 30
-	// Configure Server PKI
+	//Configure Server PKI
 	serverPKIConfig := &vault.PKIAndAuthRoleConfiguration{
 		BaseURL:             "pki",
 		PolicyName:          "consul-ca-policy",
@@ -170,10 +169,9 @@ func TestVault_TLSAutoReload(t *testing.T) {
 		"server.extraVolumes[0].name": vaultCASecret,
 		"server.extraVolumes[0].load": "false",
 
-		"connectInject.enabled":     "true",
-		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
-		"connectInject.replicas":    "1",
-		"controller.enabled":        "true",
+		"connectInject.enabled":  "true",
+		"connectInject.replicas": "1",
+		"controller.enabled":     "true",
 
 		"global.secretsBackend.vault.enabled":              "true",
 		"global.secretsBackend.vault.consulServerRole":     consulServerRole,
@@ -279,6 +277,7 @@ func TestVault_TLSAutoReload(t *testing.T) {
 	// by comparing the NotAfter on the two certs.
 	require.NotEqual(t, httpsCert.NotAfter, httpsCert2.NotAfter)
 	require.NotEqual(t, rpcCert.NotAfter, rpcCert2.NotAfter)
+
 }
 
 func getCertificate(t *testing.T, address string) (*x509.Certificate, error) {
diff --git a/acceptance/tests/vault/vault_wan_fed_test.go b/acceptance/tests/vault/vault_wan_fed_test.go
index 386e778a72..a58f45ee97 100644
--- a/acceptance/tests/vault/vault_wan_fed_test.go
+++ b/acceptance/tests/vault/vault_wan_fed_test.go
@@ -3,7 +3,6 @@ package vault
 import (
 	"context"
 	"fmt"
-	"strconv"
 	"testing"
 
 	"github.com/hashicorp/consul-k8s/acceptance/framework/config"
@@ -351,11 +350,10 @@ func TestVault_WANFederationViaGateways(t *testing.T) {
 		"global.acls.replicationToken.secretKey":  replicationTokenSecret.Key,
 
 		// Mesh config.
-		"connectInject.enabled":     "true",
-		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
-		"controller.enabled":        "true",
-		"meshGateway.enabled":       "true",
-		"meshGateway.replicas":      "1",
+		"connectInject.enabled": "true",
+		"controller.enabled":    "true",
+		"meshGateway.enabled":   "true",
+		"meshGateway.replicas":  "1",
 
 		// Server config.
 		"server.extraVolumes[0].type": "secret",
@@ -427,10 +425,9 @@ func TestVault_WANFederationViaGateways(t *testing.T) {
 		"global.acls.replicationToken.secretKey":  replicationTokenSecret.Key,
 
 		// Mesh config.
-		"connectInject.enabled":     "true",
-		"connectInject.cni.enabled": strconv.FormatBool(cfg.EnableCNI),
-		"meshGateway.enabled":       "true",
-		"meshGateway.replicas":      "1",
+		"connectInject.enabled": "true",
+		"meshGateway.enabled":   "true",
+		"meshGateway.replicas":  "1",
 
 		// Server config.
 		"server.extraVolumes[0].type": "secret",

From 6d76294de8447cac1e3cf3bf392908c2c378992e Mon Sep 17 00:00:00 2001
From: Curt Bushko <cbushko@gmail.com>
Date: Wed, 24 Aug 2022 22:56:08 -0400
Subject: [PATCH 7/8] Try running against EKS

---
 .circleci/config.yml                          | 69 +++++++++++++++++++
 charts/consul/templates/cni-clusterrole.yaml  |  7 ++
 .../templates/cni-podsecuritypolicy.yaml      |  4 +-
 3 files changed, 78 insertions(+), 2 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 9efea25838..141f472486 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -834,6 +834,70 @@ jobs:
           fail_only: true
           failure_message: "EKS acceptance tests failed. Check the logs at: ${CIRCLE_BUILD_URL}"
 
+  acceptance-eks-cni-1-19:
+    parallelism: 6
+    environment:
+      - TEST_RESULTS: /tmp/test-results
+    docker:
+      # This image is built from test/docker/Test.dockerfile
+      - image: docker.mirror.hashicorp.services/hashicorpdev/consul-helm-test:0.11.0
+
+    steps:
+      - checkout
+
+      - run:
+          name: configure aws
+          command: |
+            aws configure --profile helm_user set aws_access_key_id "$AWS_ACCESS_KEY_ID"
+            aws configure --profile helm_user set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY"
+            aws configure set role_arn "$AWS_ROLE_ARN"
+            aws configure set source_profile helm_user
+
+            echo "unset AWS_ACCESS_KEY_ID" >> $BASH_ENV
+            echo "unset AWS_SECRET_ACCESS_KEY" >> $BASH_ENV
+
+      - run:
+          name: terraform init & apply
+          working_directory: *eks-terraform-path
+          command: |
+            terraform init
+
+            terraform apply -var cluster_count=2 -var tags="{\"build_url\": \"$CIRCLE_BUILD_URL\"}" -auto-approve
+
+            primary_kubeconfig=$(terraform output -json | jq -r .kubeconfigs.value[0])
+            secondary_kubeconfig=$(terraform output -json | jq -r .kubeconfigs.value[1])
+
+            echo "export primary_kubeconfig=$primary_kubeconfig" >> $BASH_ENV
+            echo "export secondary_kubeconfig=$secondary_kubeconfig" >> $BASH_ENV
+
+      # Restore go module cache if there is one
+      - restore_cache:
+          keys:
+            - consul-helm-acceptance-modcache-v2-{{ checksum "acceptance/go.mod" }}
+
+      - run: mkdir -p $TEST_RESULTS
+
+      - run-acceptance-tests:
+          additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-transparent-proxy -enable-cni
+
+      - store_test_results:
+          path: /tmp/test-results
+      - store_artifacts:
+          path: /tmp/test-results
+
+      - run:
+          name: terraform destroy
+          working_directory: *eks-terraform-path
+          command: |
+            terraform destroy -var cluster_count=2 -auto-approve
+          when: always
+
+      - slack/status:
+          # temporarily sending to #cni-acceptance-tests channel
+          channel: C03V3K0040G
+          fail_only: true
+          failure_message: "EKS CNI acceptance tests failed. Check the logs at: ${CIRCLE_BUILD_URL}"
+
   acceptance-openshift:
     environment:
       TEST_RESULTS: /tmp/test-results
@@ -1128,6 +1192,11 @@ workflows:
       #     requires:
       #       - cleanup-eks-resources
       #       - dev-upload-docker
+      - acceptance-eks-cni-1-19:
+          requires:
+            # TODO: Cleanup on merge
+            #  - cleanup-eks-resources
+            - dev-upload-docker
       # - acceptance-aks-1-21:
       #     requires:
       #       - cleanup-azure-resources
diff --git a/charts/consul/templates/cni-clusterrole.yaml b/charts/consul/templates/cni-clusterrole.yaml
index 744a4af864..84551205c0 100644
--- a/charts/consul/templates/cni-clusterrole.yaml
+++ b/charts/consul/templates/cni-clusterrole.yaml
@@ -20,4 +20,11 @@ rules:
   - watch
   - patch
   - update
+- apiGroups: ["policy"]
+  resources:
+  - podsecuritypolicies 
+  resourceNames:
+  - {{ template "consul.fullname" . }}-cni
+  verbs:
+  - use
 {{- end }}
diff --git a/charts/consul/templates/cni-podsecuritypolicy.yaml b/charts/consul/templates/cni-podsecuritypolicy.yaml
index ddc75913ae..15b96bc230 100644
--- a/charts/consul/templates/cni-podsecuritypolicy.yaml
+++ b/charts/consul/templates/cni-podsecuritypolicy.yaml
@@ -12,8 +12,8 @@ metadata:
     component: cni 
 spec:
   privileged: true
-  # Required to prevent escalations to root.
-  allowPrivilegeEscalation: false
+  # GKE requires that allowPrivilegeEscalation:true if privileged: true.
+  allowPrivilegeEscalation: true 
   volumes:
   - hostPath
   - secret

From 976b5bb71c4b580b4a630a29dbf6c955ad93f702 Mon Sep 17 00:00:00 2001
From: Curt Bushko <cbushko@gmail.com>
Date: Thu, 25 Aug 2022 18:00:10 -0400
Subject: [PATCH 8/8] cleanup before merge

---
 .circleci/config.yml | 56 ++++++++++++++++++++++----------------------
 1 file changed, 28 insertions(+), 28 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 141f472486..c1fd53bbf3 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1162,13 +1162,13 @@ workflows:
           requires:
             - dev-upload-docker
   nightly-acceptance-tests:
-    # triggers:
-    #   - schedule:
-    #       cron: "0 0 * * *"
-    #       filters:
-    #         branches:
-    #           only:
-    #             - main
+    triggers:
+      - schedule:
+          cron: "0 0 * * *"
+          filters:
+            branches:
+              only:
+                - main
     jobs:
       - build-distro:
           OS: "linux"
@@ -1177,33 +1177,33 @@ workflows:
       - dev-upload-docker:
           requires:
             - build-distros-linux
-      # - cleanup-gcp-resources
-      # - cleanup-azure-resources
-      # - cleanup-eks-resources
+      - cleanup-gcp-resources
+      - cleanup-azure-resources
+      - cleanup-eks-resources
       # Disable until we can use UBI images.
-      #      - acceptance-openshift:
-      #          requires:
-      #          - cleanup-azure-resources
-      # - acceptance-gke-1-20:
-      #     requires:
-      #       - cleanup-gcp-resources
-      #       - dev-upload-docker
-      # - acceptance-eks-1-19:
-      #     requires:
-      #       - cleanup-eks-resources
-      #       - dev-upload-docker
+      - acceptance-openshift:
+               requires:
+               - cleanup-azure-resources
+      - acceptance-gke-1-20:
+          requires:
+            - cleanup-gcp-resources
+            - dev-upload-docker
+      - acceptance-eks-1-19:
+          requires:
+            - cleanup-eks-resources
+            - dev-upload-docker
       - acceptance-eks-cni-1-19:
           requires:
             # TODO: Cleanup on merge
             #  - cleanup-eks-resources
             - dev-upload-docker
-      # - acceptance-aks-1-21:
-      #     requires:
-      #       - cleanup-azure-resources
-      #       - dev-upload-docker
-      # - acceptance-kind-1-23:
-      #     requires:
-      #       - dev-upload-docker
+      - acceptance-aks-1-21:
+          requires:
+            - cleanup-azure-resources
+            - dev-upload-docker
+      - acceptance-kind-1-23:
+          requires:
+            - dev-upload-docker
       - acceptance-kind-cni-1-23:
           requires:
             - dev-upload-docker