
connect: allow use of static certificates #6848

Closed

@kjdelisle kjdelisle commented Nov 28, 2019

Summary

Certificates can now be specified for use within the Envoy
configuration using the ~~-envoy-tls-cert and -envoy-tls-key~~ -client-cert and -client-key flags.

Rationale

It's my understanding that AutoEncrypt only works for the Envoy method if you allow Consul to launch it rather than generating the configuration via -bootstrap.

I'm using consul-k8s, and the configuration is generated as a part of the initContainer's operation, not by the sidecar at runtime.

I don't understand how AutoEncrypt actually works for the envoy sidecars, particularly with the idea that verify_incoming has to be turned off first, and then turned back on.

After several weeks of bashing my head against several walls, I've found a path through using static certificates, where I attach them to the pod in a volume as part of the Mutating Webhook operation, and then reference those as part of the scripts.

Notes

- I wasn't sure if it made sense to use the -client-cert and -client-key flags for this, though after some thought, I'm not sure why I didn't to begin with, so I can switch to those if you'd like.

- The template check will only work if both vars are specified, but if you don't specify both, then it will avoid adding that portion of the config (probably another reason to use the -client-* flags).
EDIT: Switched it over to the -client-* flags instead!

Certificates can now be specified for use within the Envoy
configuration using the -envoy-tls-cert and -envoy-tls-key flags.
hashicorp-cla commented Nov 28, 2019

CLA assistant check
All committers have signed the CLA.

Allow use of the tls-server-name flag in the SNI information of
Envoy.
@hanshasselberg
Member

Hello @kjdelisle thanks for your work. For questions, you should rather post to the mailing list instead of opening issues here.
AutoEncrypt is entirely separate from Envoy and only affects the communication between Consul client and Consul server. It will set up certificates on the clients automatically. You can read about it here: https://learn.hashicorp.com/consul/security-networking/certificates.
