Provide custom CA for AuthMethod creation with managed system ACLs #4052

Open
Floppy012 opened this issue May 26, 2024 · 0 comments
Labels
type/enhancement New feature or request

Comments

Floppy012 commented May 26, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Is your feature request related to a problem? Please describe.

When using the Helm chart with externalServers.k8sAuthMethodHost and manageSystemACLs, the server-acl-init job creates the Kubernetes auth methods in Consul with the certificate authority it receives through the service account token secret. This CA is not necessarily the CA that signed the TLS cert used for the k8sAuthMethodHost, causing a lot of x509 errors and a non-working setup.

Feature Description

It should be possible to provide the desired CA certificate through a secret.

Two additional flags for the server-acl-init subcommand:

  • auth-method-host-ca-secret-name
  • auth-method-host-ca-secret-key

Then additionally in the Helm chart values:

externalServers:
    # [...]
    k8sAuthMethodHost: "https://apiserver.example.com"
    k8sAuthMethodHostCaCert:
        secretName: custom-ca-secret
        secretKey: ca.crt

Use Case(s)

We have made the API server available outside the cluster through a load balancer that exposes the API server on an internal domain name (e.g. apiserver.intranet.local). The TLS certificate is signed by a self-signed CA, which is different from the CA used by the cluster.

Contributions

I have not contributed to Consul yet, but I think I've identified the places where the code has to change, so I could give it a try.

@Floppy012 Floppy012 added the type/enhancement New feature or request label May 26, 2024
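Added illustration of the mismatch this issue describes and of the pre-flight check a practitioner would want before the auth method is written. This is example code written for this page; it is not consul-k8s code and not the reporter's proposal. The functions SelectAuthMethodCA, VerifyHostAgainstCA and Scenario are hypothetical names, and the "cluster" CA, the "intranet" CA and the load-balancer server certificate are all constructed in memory with the standard library so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// mintCert signs tmpl with parent (self-signed when parent is nil) using a fresh P-256 key and returns the parsed cert, its key and the PEM a Kubernetes secret would hold.
func mintCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// caTemplate describes a CA; constructed test data standing in for the cluster CA and the intranet CA.
func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true,
	}
}

// serverTemplate describes the certificate the load balancer presents for the API server host name.
func serverTemplate(dnsName string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// SelectAuthMethodCA (hypothetical) mirrors the requested behaviour: prefer the CA from the custom secret, else fall back to the service account CA.
func SelectAuthMethodCA(customCAPEM, serviceAccountCAPEM []byte) []byte {
	if len(customCAPEM) > 0 {
		return customCAPEM
	}
	return serviceAccountCAPEM
}

// VerifyHostAgainstCA (hypothetical) is the pre-flight check: does the certificate served at the auth method host chain to caPEM for dnsName?
func VerifyHostAgainstCA(caPEM, serverCertPEM []byte, dnsName string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("no CA certificate found in PEM input")
	}
	block, _ := pem.Decode(serverCertPEM)
	if block == nil {
		return fmt.Errorf("server certificate is not PEM encoded")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

// Scenario reproduces the report: the API server behind the load balancer presents an intranet-CA certificate while the
// service account secret carries the cluster CA. It returns whether the cluster CA validates the host and whether the custom CA does.
func Scenario() (clusterCAOK, customCAOK bool, err error) {
	const host = "apiserver.intranet.local"
	_, _, clusterCAPEM, err := mintCert(caTemplate("kubernetes"), nil, nil)
	if err != nil {
		return
	}
	intranetCA, intranetKey, intranetCAPEM, err := mintCert(caTemplate("intranet-ca"), nil, nil)
	if err != nil {
		return
	}
	_, _, serverPEM, err := mintCert(serverTemplate(host), intranetCA, intranetKey)
	if err != nil {
		return
	}
	clusterCAOK = VerifyHostAgainstCA(SelectAuthMethodCA(nil, clusterCAPEM), serverPEM, host) == nil
	customCAOK = VerifyHostAgainstCA(SelectAuthMethodCA(intranetCAPEM, clusterCAPEM), serverPEM, host) == nil
	return
}
```

Scenario returns false for the service account CA and true for the custom CA, which is exactly the x509 failure the issue describes and the fix the proposed secret would provide. Whichever secret the CA ends up coming from, running a chain check like VerifyHostAgainstCA against the live k8sAuthMethodHost before the auth method is created turns a confusing "certificate signed by unknown authority" at login time into a clear error in the server-acl-init job; the same check can be done by hand with openssl verify -CAfile against the certificate the load balancer serves.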