This repository has been archived by the owner on Aug 25, 2021. It is now read-only.

Support auto-encrypt #373

Closed
lkysow opened this issue Mar 4, 2020 · 5 comments

Labels
enhancement New feature or request theme/tls About running Consul with TLS

Comments

@lkysow
Member

lkysow commented Mar 4, 2020

Support Consul's auto_encrypt functionality for client certificates

@lkysow lkysow added enhancement New feature or request theme/tls About running Consul with TLS labels Mar 4, 2020
@ishustava
Contributor

Fixed by #375.

@ltagliamonte-dd

@lkysow @ishustava can you please give more context on the issue here?
What does the fix fix?

@ishustava
Contributor

Hey @ltagliamonte-dd, yes, sorry for being so vague. The PR I linked there provides support for auto-encrypt. There will be more details in the release notes, but you could take a look at the changelog PR #408. FYI though, there is a bug on master that will be fixed before we release, so don't try it out yet.

@ltagliamonte-dd

@ishustava I'm looking at the new code from PR #375 and I have a question about
turning off SSL validation in:
https://github.com/hashicorp/consul-helm/blob/master/templates/client-daemonset.yaml#L148
and here:
https://github.com/hashicorp/consul-helm/blob/master/templates/client-daemonset.yaml#L172

Why can't I have the clients validate the server's endpoint?
If the server cert has been created using the consul CLI command, it should be valid and contain the right hostname.

@lkysow
Member Author

lkysow commented Apr 7, 2020

@ltagliamonte-dd so those environment variables only apply when you're running consul commands inside the pod when you kubectl exec in. When autoencrypt is enabled, there is no CA cert that we can pass to the CONSUL_CA_CERT environment variable so there's no way to run consul commands without disabling verification or getting the CA cert.

So to be clear, there is full verification going on between clients and servers, it's just when you exec in that this applies when talking to the local client/server which should be okay because you're going over localhost.
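
As an added illustration of what the verification discussed in this thread actually checks (this is example code written for this page, not code from consul-helm or Consul), the Go program below builds a throwaway CA and a server certificate whose DNS SAN follows the server.<datacenter>.<domain> pattern (the name server.dc1.consul is an assumption for the example, not taken from the thread), then runs three in-memory TLS handshakes: a client that verifies against the expected name, one that verifies against another datacenter's name, and one with verification switched off, which is what the CLI-side setting the thread refers to amounts to (I assume that setting is CONSUL_HTTP_SSL_VERIFY=false; the thread does not name the variable).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverSAN follows Consul's server.<datacenter>.<domain> naming. The value is an
// assumption for this example, not something taken from the issue thread.
const serverSAN = "server.dc1.consul"

// pki is a throwaway CA pool plus a server certificate signed by that CA.
type pki struct {
	caPool *x509.CertPool
	server tls.Certificate
}

// buildPKI generates an in-memory CA and a server certificate whose DNS SANs
// are serverSAN and localhost, roughly what a CLI-generated server cert carries.
func buildPKI() (*pki, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Agent CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil { return nil, err }
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil { return nil, err }
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serverSAN},
		DNSNames:  []string{serverSAN, "localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil { return nil, err }
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return &pki{caPool: pool, server: tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}}, nil
}

// handshake runs one TLS handshake over an in-memory pipe and returns the
// client-side error. verify=false is what turning off SSL verification for the
// CLI amounts to: the server's certificate chain and name are never checked.
func handshake(p *pki, serverName string, verify bool) error {
	cConn, sConn := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // never hang the example on a stuck peer
	cConn.SetDeadline(deadline)
	sConn.SetDeadline(deadline)
	// Tickets are disabled so the server's Handshake returns without a post-handshake
	// write that nobody would read on a synchronous pipe.
	srv := tls.Server(sConn, &tls.Config{Certificates: []tls.Certificate{p.server}, SessionTicketsDisabled: true})
	cli := tls.Client(cConn, &tls.Config{
		RootCAs: p.caPool, ServerName: serverName,
		InsecureSkipVerify: !verify, MinVersion: tls.VersionTLS12,
	})
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	err := cli.Handshake()
	<-srvErr // let the server side finish or fail before tearing down
	cConn.Close()
	sConn.Close()
	return err
}

// Results records whether the client accepted the server in each scenario.
type Results struct {
	RightName         bool // verification on, expected SAN: must succeed
	WrongName         bool // verification on, SAN of another datacenter: must fail
	WrongNameNoVerify bool // verification off: accepted even though the name is wrong
}

// RunChecks exercises the three scenarios against one generated PKI.
func RunChecks() (Results, error) {
	p, err := buildPKI()
	if err != nil { return Results{}, err }
	return Results{
		RightName:         handshake(p, serverSAN, true) == nil,
		WrongName:         handshake(p, "server.dc2.consul", true) == nil,
		WrongNameNoVerify: handshake(p, "server.dc2.consul", false) == nil,
	}, nil
}

func main() {
	r, err := RunChecks()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

The third scenario is the one the exchange above is really about: once verification is off, the client accepts any certificate from whatever answers on the configured address, so the only thing standing between an exec'd-in operator and a spoofed endpoint is that the address is loopback inside the pod. If the CLI address is ever pointed at something other than localhost, the CA should be fetched and passed instead of leaving verification disabled.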
