WIP: Automatically generate gossip encryption key

[nflaig]

Resolves #656

Still work in progress to get some feedback.

I tried to avoid breaking changes that's why I did not add a new value but in my opinion it would make sense to have default values for .Values.global.gossipEncryption.secretName and .Values.global.gossipEncryption.secretKey such as gossip-encryption-key and key and introduce a new value .Values.global.gossipEncryption.enabled to determine if it should be enabled or not but this would be a breaking change.

values.yaml

gossipEncryption:
    enabled: false
    secretName: "gossip-encryption-key"
    secretKey: "key"

Also one more thing to point out is that it does not use consul keygen but the key generated by the helm chart should be as good.

Todos

• add tests

[hashicorp-cla]

All committers have signed the CLA.

[lkysow]

Hi Nico, thanks for the PR! Our security team has reviewed the gossip key generation and determined that there is not enough entropy in randAscii since 1 bit of each ascii character is always the same. We've looked at other helm functions and haven't found one that satisfies the security constraints so I think we're going to need to do a Kubernetes job and use consul keygen unfortunately.

[t-eckert]

Thank you for your pull request! The contents of this repository have been merged into hashicorp/consul-k8s under the charts/consul directory. Please follow the instructions here to migrate your pull request to the consul-k8s repository.
This PR will now be closed and the consul-helm repository archived to avoid confusion between the old and new repositories.