Create federation secret with default consul-gossip-encryption-key …

…secret when global.gossipEncryption.autoGenerate is set to true (#854) * adding conditional to check autogenerate * adding conditional around create federation secret flag command * add changelog
hashicorp · Nov 15, 2021 · 31586a7 · 31586a7
1 parent 1eb2075
commit 31586a7
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -37,6 +37,7 @@ BUG FIXES:
     Consul destination namespace for connect or catalog sync. [[GH-846](https://github.com/hashicorp/consul-k8s/pull/846)]
   * Truncate Persistent Volume Claim names when namespace names are too long. [[GH-799](https://github.com/hashicorp/consul-k8s/pull/799)]
   * Fix issue where UI metrics would be enabled when `global.metrics=false` and `ui.metrics.enabled=-`. [[GH-841](https://github.com/hashicorp/consul-k8s/pull/841)]
+  * Populate the federation secret with the generated Gossip key when `global.gossipEncryption.autoGenerate` is set to true. [[GH-854](https://github.com/hashicorp/consul-k8s/pull/854)]
 
 ## 0.36.0 (November 02, 2021)
 

diff --git a/charts/consul/templates/create-federation-secret-job.yaml b/charts/consul/templates/create-federation-secret-job.yaml
@@ -68,6 +68,13 @@ spec:
             items:
               - key: {{ .Values.global.gossipEncryption.secretKey }}
                 path: gossip.key
+        {{- else if .Values.global.gossipEncryption.autoGenerate }}
+        - name: gossip-encryption-key
+          secret:
+            secretName: consul-gossip-encryption-key
+            items:
+              - key: key
+                path: gossip.key
         {{- end }}
 
       {{- if .Values.global.tls.enableAutoEncrypt }}
@@ -107,7 +114,8 @@ spec:
               mountPath: /consul/tls/client/ca
               readOnly: true
             {{- end }}
-            {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
+            {{- if (or .Values.global.gossipEncryption.autoGenerate 
+                       (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }}
             - name: gossip-encryption-key
               mountPath: /consul/gossip
               readOnly: true
@@ -119,7 +127,8 @@ spec:
                 consul-k8s-control-plane create-federation-secret \
                   -log-level={{ .Values.global.logLevel }} \
                   -log-json={{ .Values.global.logJSON }} \
-                  {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
+                  {{- if (or .Values.global.gossipEncryption.autoGenerate (and
+                             .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }}
                   -gossip-key-file=/consul/gossip/gossip.key \
                   {{- end }}
                   {{- if .Values.global.acls.createReplicationToken }}