cli: improve secure preset

[david-yu]

Changes proposed in this PR:

• Enable gossipEncryption generation and autoEncrypt in the secure preset.
• Remove server.bootstrapExpect from demo preset since it defaults to server.replicas as defined in our docs
• Add controller.enabled to true to demo preset.

How I've tested this PR:

❯ consul-k8s install -preset=secure

==> Pre-Install Checks
No existing installations found.
 ✓ No previous persistent volume claims found
 ✓ No previous secrets found

==> Consul Installation Summary
    Installation name: consul
    Namespace: consul
    Overrides:
    connectInject:
      enabled: true
    controller:
      enabled: true
    global:
      acls:
        manageSystemACLs: true
      gossipEncryption:
        autoGenerate: true
      name: consul
      tls:
        enableAutoEncrypt: true
        enabled: true
    server:
      replicas: 1

    Proceed with installation? (y/N) y

==> Running Installation
 ✓ Downloaded charts
 --> creating 1 resource(s)
 --> Starting delete for "consul-gossip-encryption-autogenerate" PodSecurityPolicy
 --> podsecuritypolicies.policy "consul-gossip-encryption-autogenerate" not found
 --> creating 1 resource(s)
 --> Starting delete for "consul-gossip-encryption-autogenerate" ServiceAccount
 --> serviceaccounts "consul-gossip-encryption-autogenerate" not found
 --> creating 1 resource(s)
 --> Starting delete for "consul-gossip-encryption-autogenerate" Role
 --> roles.rbac.authorization.k8s.io "consul-gossip-encryption-autogenerate" not found
 --> creating 1 resource(s)
 --> Starting delete for "consul-gossip-encryption-autogenerate" RoleBinding
 --> rolebindings.rbac.authorization.k8s.io "consul-gossip-encryption-autogenerate" not found
 --> creating 1 resource(s)
 --> Starting delete for "consul-tls-init" ServiceAccount
 --> serviceaccounts "consul-tls-init" not found
 --> creating 1 resource(s)
 --> Starting delete for "consul-tls-init" Role
 --> roles.rbac.authorization.k8s.io "consul-tls-init" not found
 --> creating 1 resource(s)
 --> Starting delete for "consul-tls-init" RoleBinding
 --> rolebindings.rbac.authorization.k8s.io "consul-tls-init" not found
 --> creating 1 resource(s)
 --> Starting delete for "consul-gossip-encryption-autogenerate" Job
 --> jobs.batch "consul-gossip-encryption-autogenerate" not found
 --> creating 1 resource(s)
 --> Watching for changes to Job consul-gossip-encryption-autogenerate with timeout of 10m0s
 --> Add/Modify event for consul-gossip-encryption-autogenerate: ADDED
 --> consul-gossip-encryption-autogenerate: Jobs active: 0, jobs failed: 0, jobs succeeded: 0
 --> Add/Modify event for consul-gossip-encryption-autogenerate: MODIFIED
 --> consul-gossip-encryption-autogenerate: Jobs active: 1, jobs failed: 0, jobs succeeded: 0
 --> Add/Modify event for consul-gossip-encryption-autogenerate: MODIFIED
 --> consul-gossip-encryption-autogenerate: Jobs active: 1, jobs failed: 0, jobs succeeded: 0
 --> Add/Modify event for consul-gossip-encryption-autogenerate: MODIFIED
 --> Starting delete for "consul-tls-init" Job
 --> jobs.batch "consul-tls-init" not found
 --> creating 1 resource(s)
 --> Watching for changes to Job consul-tls-init with timeout of 10m0s
 --> Add/Modify event for consul-tls-init: ADDED
 --> consul-tls-init: Jobs active: 0, jobs failed: 0, jobs succeeded: 0
 --> Add/Modify event for consul-tls-init: MODIFIED
 --> consul-tls-init: Jobs active: 1, jobs failed: 0, jobs succeeded: 0
 --> Add/Modify event for consul-tls-init: MODIFIED
 --> Starting delete for "consul-gossip-encryption-autogenerate" Job
 --> Starting delete for "consul-tls-init" Job
 --> creating 56 resource(s)
 --> beginning wait for 56 resources with timeout of 10m0s
 --> creating 1 resource(s)
 --> Watching for changes to Job consul-server-acl-init-cleanup with timeout of 10m0s
 --> Add/Modify event for consul-server-acl-init-cleanup: ADDED
 --> consul-server-acl-init-cleanup: Jobs active: 1, jobs failed: 0, jobs succeeded: 0
 --> Add/Modify event for consul-server-acl-init-cleanup: MODIFIED
 --> Starting delete for "consul-server-acl-init-cleanup" Job
 ✓ Consul installed into namespace "consul"

~/projects/consul-k8s/cli david-yu-cli-secure-preset 1m 49s
❯ k get pods -n consul
NAME                                                          READY   STATUS    RESTARTS   AGE
consul-4258h                                                  1/1     Running   0          66s
consul-connect-injector-webhook-deployment-668cd47898-56zjg   1/1     Running   0          66s
consul-connect-injector-webhook-deployment-668cd47898-p9lpj   1/1     Running   0          65s
consul-controller-76bf96646d-58lkh                            1/1     Running   0          66s
consul-ptqfw                                                  1/1     Running   0          66s
consul-q2tbp                                                  1/1     Running   0          66s
consul-server-0                                               1/1     Running   0          64s
consul-webhook-cert-manager-6d8cf874cc-xlh7c                  1/1     Running   0          66s

❯ k exec -it consul-server-0 -n consul -- /bin/sh
/ $ echo $GOSSIP_KEY
fdZ10GVbUjCntfZDipXBot+mxLzAMssfopf0+kPRY4c=

How I expect reviewers to test this PR:

Checklist:

• Tests added
• CHANGELOG entry added

  HashiCorp engineers only, community PRs should not add a changelog entry.
  Entries should use present tense (e.g. Add support for...)

[ishustava]

Looks great, just a couple of comments to remove values that are the same as the defaults.

[ndhanushkodi]

Looks great David! Do you think we should include controller=enabled in the demo preset if we're including it in secure for consistency? And should we include the metrics values in secure? The reason I ask is I was imagining secure to be like demo with some secure defaults enabled on top of that.

[david-yu]

Good point about controller enabled to true on the demo preset. As far as the metrics in secure, I believe we currently allow the ability to scrape metrics over TLS which is why I didn't have that in there, otherwise it makes sense to include that.