connect: allow use of static certificates #6848
Closed
Summary

Certificates can now be specified for use within the Envoy configuration using the ~~`-envoy-tls-cert` and `-envoy-tls-key`~~ `-client-cert` and `-client-key` flags.

Rationale

It's my understanding that AutoEncrypt only works for the Envoy method if you allow Consul to launch it rather than generating the configuration via `-bootstrap`. I'm using consul-k8s, and the configuration is generated as a part of the initContainer's operation, not by the sidecar at runtime.

I don't understand how AutoEncrypt actually works for the envoy sidecars, particularly with the idea that `verify_incoming` has to be turned off first, and then turned back on.

After several weeks of bashing my head against several walls, I've found a path through using static certificates, where I attach them to the pod in a volume as part of the Mutating Webhook operation, and then reference those as part of the scripts.

Notes

- I wasn't sure if it made sense to use the `-client-cert` and `-client-key` flags for this, though after some thought, I'm not sure why I didn't to begin with, so I can switch to those if you'd like.
- The template check will only work if both vars are specified, but if you don't specify both, then it will avoid adding that portion of the config (probably another reason to use the `-client-*` flags).

EDIT: Switched it over to the `-client-*` flags instead!
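The "both or neither" rule from the notes above, as it would look in the init container script that the PR author describes, written here as an added example (it is not code from the pull request or from Consul/consul-k8s). The mount path `/consul/tls` and the file names `tls.crt` / `tls.key` are assumptions; the function emits the `-client-cert`/`-client-key` flags only when both files are present, fails loudly when just one is, and also refuses a private key that is group- or world-readable, which is the check a defender wants before a key is handed to a sidecar.

```shell
#!/bin/sh
# Added example, not part of the PR or of Consul: build the static-certificate
# flags for `consul connect envoy -bootstrap` from files mounted into the pod.
# Assumed layout: $1/tls.crt and $1/tls.key (e.g. a Secret mounted at /consul/tls).

# Print "-client-cert=... -client-key=..." for the files under $1.
# Prints nothing (exit 0) if neither file exists, so the caller adds no TLS
# section at all; exits 1 if only one file exists or the key mode is too open.
envoy_static_tls_flags() {
  dir="$1"
  cert="$dir/tls.crt"
  key="$dir/tls.key"

  # Neither file: no static certs configured, emit no flags.
  if [ ! -f "$cert" ] && [ ! -f "$key" ]; then
    return 0
  fi

  # Exactly one file: a half-configured pair would be silently dropped by a
  # "both vars or nothing" template check, so fail instead of guessing.
  if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
    echo "envoy_static_tls_flags: need both $cert and $key" >&2
    return 1
  fi

  # Refuse to use a private key readable by anyone other than its owner.
  perms=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$perms" in
    600|400) ;;
    *)
      echo "envoy_static_tls_flags: $key has mode $perms, expected 600 or 400" >&2
      return 1
      ;;
  esac

  printf -- '-client-cert=%s -client-key=%s\n' "$cert" "$key"
}

# Typical use in the init container (assumed paths; word-splitting of the
# substitution is intended so the two flags are passed separately):
#   consul connect envoy -bootstrap $(envoy_static_tls_flags /consul/tls) \
#     > /consul/envoy-bootstrap.json
```

Because the function prints nothing when no certificates are mounted, the same bootstrap command line works for pods with and without static certificates, while a mis-mounted pair (one file missing, or a key that is mode 644) stops the init container instead of producing an Envoy config that silently lacks TLS.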