consul-k8s

Add ability to specify `extraVolumes` for server-acl-init job in helm chart

Open barrymars opened this issue 2 years ago • 3 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Is your feature request related to a problem? Please describe.

We are trying to connect clients in one Kubernetes cluster to servers in another cluster using the k8s auto-join provider to detect the server pod IPs to connect to.

This works fine from the client pods by mounting an extraVolume with the kubeconfig in from a secret, however...

With ACLs enabled and using the auto-join string for externalServers.hosts (as the values documentation suggests), it fails because the server-acl-init job does not have the kubeconfig mounted.

Feature Description

Add extraVolumes option for server-acl-init job.

i.e.: externalServers.aclInit.extraVolumes

With the same logic as the clients daemonset to mount the volume to /consul/userconfig.

Contributions

I will look to see if I can make the necessary helm chart changes tomorrow and submit an MR

barrymars, Mar 21 '22 19:03
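The setup described in the request above, as an added Helm values sketch that is not part of the original post or the chart's own documentation. The Secret name `server-kubeconfig`, its `kubeconfig` key and the label selector are assumptions, and `externalServers.aclInit.extraVolumes` is the option proposed in this issue, not an existing chart value.

```yaml
# Constructed values for the cluster that runs only Consul clients.
global:
  acls:
    manageSystemACLs: true      # this is what runs the server-acl-init job

server:
  enabled: false                # servers live in the other cluster

client:
  enabled: true
  # k8s auto-join: the kubeconfig path points into the mounted secret.
  join:
    - 'provider=k8s kubeconfig=/consul/userconfig/server-kubeconfig/kubeconfig label_selector="app=consul,component=server"'
  # Works today: the secret is mounted under /consul/userconfig/<name>.
  extraVolumes:
    - type: secret
      name: server-kubeconfig   # assumed Secret name, holds a "kubeconfig" key
      load: false               # mount only, do not load it as Consul config

externalServers:
  enabled: true
  # Same auto-join string, but it is resolved inside the server-acl-init job,
  # which has no volume at /consul/userconfig, so discovery fails.
  hosts:
    - 'provider=k8s kubeconfig=/consul/userconfig/server-kubeconfig/kubeconfig label_selector="app=consul,component=server"'
  # Proposed by this issue (hypothetical key, mirrors client.extraVolumes):
  aclInit:
    extraVolumes:
      - type: secret
        name: server-kubeconfig
```

Because the same kubeconfig ends up mounted in every client pod and in the job, the credentials in it should carry only the pod read access that auto-join discovery needs in the server cluster.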

Thank you for this suggestion, @barrymars. I think it could definitely be valuable. If you are able to come up with the solution tomorrow, I'd be more than happy to take a look at it.

t-eckert, Mar 22 '22 02:03

Here's an MR to add the functionality - https://github.com/hashicorp/consul-k8s/pull/1110

Tested with a real deployment on a k8s cluster, but can't get the unit tests running locally atm (yq version issue I think).

barrymars, Mar 22 '22 15:03

This same issue applies to the connectInject get-autoencrypt-client-ca sidecar when setting enableAutoEncrypt: true.

barrymars, Apr 04 '22 08:04