hashicorp / consul-k8s

First-class support for Consul Service Mesh on Kubernetes
https://www.consul.io/docs/k8s
Mozilla Public License 2.0
669 stars 322 forks source link

Enable Consul server generated CA Secret distribution across namespaces #964

Open walkamongus opened 2 years ago

walkamongus commented 2 years ago

Community Note


Is your feature request related to a problem? Please describe.

When installing a Consul cluster with TLS enabled and initialized via the Helm chart, the necessary generated consul server CA cert Secret initially only resides within the namespace the Consul server was deployed into. If other applications outside of that namespace need to interact with Consul via TLS, some extra process must be enacted to copy the Secret to all necessary namespaces so that consul-k8s get-consul-client-ca can use it to retrieve the client CA cert.

Suboptimal workarounds include manually copying over the Secret or doing so with custom Helm init hooks or other custom scripts/hooks.

Feature Description

Ideally there would be a built-in consul-k8s mechanism to sync the necessary secret to any needed namespace. This would likely be a decent amount of work. This work could be avoided if there was a way to customize the generated CA Secret by passing in custom labels and annotations. These labels an annotations would allow third-party tools such as https://github.com/kubeops/config-syncer to easily handle Secret syncing across cluster namespaces.

Use Case(s)

As a cluster admin I want to deploy a cluster-wide Consul cluster that is easily accessible in any namespace with as little effort from a consuming app as possible.

Contributions

ishustava commented 2 years ago

Hey @walkamongus

That's a very good point and to some extent we're limited here by what k8s allows us to do. Thank you for sharing config-syncer tool. I think it'd definitely make sense for us to allow you to specify custom labels or annotations for secrets.

One thing that we've been working on to help with that is supporting Vault which could play a role of a more central secrets storage for your cluster. Of course, this wouldn't help if you're not using it.

L1ghtman2k commented 1 year ago

https://cert-manager.io/docs/trust/trust-manager/ can be used to help with this too