ishustava
commented
2 years ago Hey @walkamongus
That's a very good point and to some extent we're limited here by what k8s allows us to do. Thank you for sharing config-syncer tool. I think it'd definitely make sense for us to allow you to specify custom labels or annotations for secrets.
One thing that we've been working on to help with that is supporting Vault which could play a role of a more central secrets storage for your cluster. Of course, this wouldn't help if you're not using it.
L1ghtman2k
Community Note
Is your feature request related to a problem? Please describe.
When installing a Consul cluster with TLS enabled and initialized via the Helm chart, the necessary generated consul server CA cert Secret initially only resides within the namespace the Consul server was deployed into. If other applications outside of that namespace need to interact with Consul via TLS, some extra process must be enacted to copy the Secret to all necessary namespaces so that
consul-k8s get-consul-client-cacan use it to retrieve the client CA cert.Suboptimal workarounds include manually copying over the Secret or doing so with custom Helm init hooks or other custom scripts/hooks.
Feature Description
Ideally there would be a built-in consul-k8s mechanism to sync the necessary secret to any needed namespace. This would likely be a decent amount of work. This work could be avoided if there was a way to customize the generated CA Secret by passing in custom labels and annotations. These labels an annotations would allow third-party tools such as https://github.com/kubeops/config-syncer to easily handle Secret syncing across cluster namespaces.
Use Case(s)
As a cluster admin I want to deploy a cluster-wide Consul cluster that is easily accessible in any namespace with as little effort from a consuming app as possible.
Contributions