From f87697271a6f4c71ba45f1748e07f9d839d3f2fb Mon Sep 17 00:00:00 2001
From: nflaig
Date: Sun, 25 Oct 2020 20:26:43 +0100
Subject: [PATCH] WIP: Automatically generate gossip encryption key

---
 templates/gossip-encryption-key-secret.yaml | 25 +++++++++++++++++++++
 values.yaml | 8 ++++---
 2 files changed, 30 insertions(+), 3 deletions(-)
 create mode 100644 templates/gossip-encryption-key-secret.yaml

diff --git a/templates/gossip-encryption-key-secret.yaml b/templates/gossip-encryption-key-secret.yaml
new file mode 100644
index 000000000..89ac052f0
--- /dev/null
+++ b/templates/gossip-encryption-key-secret.yaml
@@ -0,0 +1,25 @@
+{{- $root := . }}
+{{- with .Values.global.gossipEncryption }}
+{{- if (and .secretName .secretKey) }}
+{{- $gossipEncryptionKey := "" }}
+{{- $secret := (lookup "v1" "Secret" $root.Release.Namespace .secretName) }}
+{{- if $secret }}
+{{- $gossipEncryptionKey = index $secret.data .secretKey }}
+{{- else }}
+{{- $gossipEncryptionKey = randAscii 32 | b64enc | b64enc }}
+{{- end }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .secretName }}
+  namespace: {{ $root.Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" $root }}
+    chart: {{ template "consul.chart" $root }}
+    heritage: {{ $root.Release.Service }}
+    release: {{ $root.Release.Name }}
+type: Opaque
+data:
+  {{ .secretKey }}: {{ $gossipEncryptionKey }}
+{{- end }}
+{{- end }}
diff --git a/values.yaml b/values.yaml
index 0ceac9a12..eb2fe101c 100644
--- a/values.yaml
+++ b/values.yaml
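Review bot: The `else` branch under `{{- if $secret }}` generates a fresh key whenever `lookup` returns nothing, and `lookup` also returns an empty map for `helm template`, `--dry-run` and any render without cluster access, so manifests produced that way and applied by external tooling would rotate the gossip key on every render and partition agents still holding the old one; the template and the values.yaml comment should state that automatic generation is only stable with `helm install`/`helm upgrade` against a live cluster, e.g. `{{- /* lookup returns an empty map under helm template/--dry-run; the key is only preserved on installs/upgrades run against the cluster */ -}}`. `randAscii 32` draws 32 printable-ASCII characters rather than 32 random bytes, so the key carries less entropy than `consul keygen` yields for the same length; if the chart's minimum Helm version ships a Sprig with `randBytes`, `randBytes 32 | b64enc` gives the equivalent of `consul keygen` (inferred from the Sprig docs — confirm against the supported Helm versions). When the Secret exists but has no entry under `.secretKey`, `index $secret.data .secretKey` yields no value and the rendered `data` entry is empty, silently overwriting the Secret with an unusable key; `{{- $gossipEncryptionKey = required "existing secret has no entry named secretKey" (index $secret.data .secretKey) }}` fails the render instead. Helm 3 also refuses to install over a pre-existing Secret the release does not own unless it carries the adoption annotations, which the "can be manually created beforehand" wording in values.yaml presumably needs to mention.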
@@ -66,10 +66,12 @@ global:
   # chart. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/.
   enablePodSecurityPolicies: false
-  # gossipEncryption configures which Kubernetes secret to retrieve Consul's
-  # gossip encryption key from (see https://www.consul.io/docs/agent/options.html#_encrypt).
+  # Enables encryption of Consul network traffic. The key will be retrieved from
+  # the secret if it exists else a new key will be automatically generated by
+  # the chart. See https://www.consul.io/docs/agent/options.html#_encrypt.
   # If secretName or secretKey are not set, gossip encryption will not be enabled.
-  # The secret must be in the same namespace that Consul is installed into.
+  # The secret can also be manually created beforehand in which case it must be
+  # in the same namespace that Consul is installed into.
   #
   # The secret can be created by running:
   #   kubectl create secret generic consul-gossip-encryption-key \