-
Notifications
You must be signed in to change notification settings - Fork 326
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Automatically Generate and Use Gossip Encryption Key #738
Conversation
5f2cb60
to
ab1181c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @t-eckert !! This is looking really good. I left some more comments but this is looking close to done!! 👍
charts/consul/templates/gossip-encryption-autogeneration-podsecuritypolicy.yaml
Outdated
Show resolved
Hide resolved
charts/consul/templates/gossip-encryption-autogeneration-role.yaml
Outdated
Show resolved
Hide resolved
charts/consul/templates/gossip-encryption-autogeneration-rolebinding.yaml
Outdated
Show resolved
Hide resolved
charts/consul/templates/gossip-encryption-autogeneration-serviceaccount.yaml
Outdated
Show resolved
Hide resolved
charts/consul/templates/gossip-encryption-autogeneration-job.yaml
Outdated
Show resolved
Hide resolved
charts/consul/test/unit/gossip-encryption-autogeneration-job.bats
Outdated
Show resolved
Hide resolved
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work Thomas. I left some minor comments and also agree with Ashwin's comments. I'm approving though, assuming those get resolved.
charts/consul/templates/gossip-encryption-autogeneration-job.yaml
Outdated
Show resolved
Hide resolved
charts/consul/templates/gossip-encryption-autogeneration-job.yaml
Outdated
Show resolved
Hide resolved
charts/consul/templates/gossip-encryption-autogeneration-job.yaml
Outdated
Show resolved
Hide resolved
charts/consul/templates/gossip-encryption-autogeneration-podsecuritypolicy.yaml
Outdated
Show resolved
Hide resolved
charts/consul/templates/gossip-encryption-autogeneration-role.yaml
Outdated
Show resolved
Hide resolved
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good. Added the suggestion that should fix the tests. Nice job on the PR!
reminder to squash and merge the PR 😅
Co-authored-by: Ashwin Venkatesh <ashwin@hashicorp.com>
Changes proposed in this PR:
global.gossipEncryption.autoGenerate
tovalues.yaml
client-daemonset.yaml
andserver-statefulset.yaml
to pickup the generated gossip encryption keygossip-encryption-autogeneration-job.yaml
to generate and set up the gossip encryption keygossip-encryption-autogeneration...
-podsecuritypolicy.yaml
-role.yaml
-rolebinding.yaml
-serviceaccount.yaml
bats
tests for theclient-daemonset
,server-statefulset
, andgossip-encryption-autogen-*
How I've tested this PR:
bats
tests and confirming that no currentbats
tests are brokenHow I expect reviewers to test this PR:
bats
for the relevant changes.On a fresh Kubernetes instance, from
charts/consul/
directoryhelm install consul . --set global.gossipEncryption.autoGenerate=true
kubectl exec consul-consul-server-0 -it -- /bin/sh
curl http://127.0.0.1:8500/v1/operator/keyring | jq
Checklist: