Community Note
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
Is your feature request related to a problem? Please describe.
When using the helm chart with externalServers.k8sAuthMethodHost and manageSystemACLs, the server-acl-init job creates the kubernetes auth methods in consul with the certificate authority it receives through the service account token secret. This CA is not necessarily the CA that has signed the TLS cert that is used for the k8sAuthMethodHost causing a lot of x509 errors and a non-working setup.
Feature Description
It should be possible to provide the desired CA certificate through a secret.
Two additional flags for the server-acl-init subcommand:
auth-method-host-ca-secret-name
auth-method-host-ca-secret-key
Then additionally in the Helm chart values:
Use Case(s)
We have made the API server available outside the cluster through a load balancer that exposes the apiserver on an internal domain name (e.g. apiserver.intranet.local). The TLS certificate is signed by a self-signed CA. This CA is different from the CA used by the cluster.
Contributions
I have not contributed to Consul yet. But I think I've identified the necessary places where the code has to change. So I could give it a try.