WIP: Automatically generate gossip encryption key

templates/gossip-encryption-key-secret.yaml

@@ -0,0 +1,25 @@
+{{- $root := . }}
+{{- with .Values.global.gossipEncryption }}
+{{- if (and .secretName .secretKey) }}
+{{- $gossipEncryptionKey := "" }}
+{{- $secret := (lookup "v1" "Secret" $root.Release.Namespace .secretName) }}
+{{- if $secret }}
+{{- $gossipEncryptionKey = index $secret.data .secretKey }}
+{{- else }}
+{{- $gossipEncryptionKey =  randAscii 32 | b64enc | b64enc }}
+{{- end }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .secretName }}
+  namespace: {{ $root.Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" $root }}
+    chart: {{ template "consul.chart" $root }}
+    heritage: {{ $root.Release.Service }}
+    release: {{ $root.Release.Name }}
+type: Opaque
+data:
+  {{ .secretKey }}: {{ $gossipEncryptionKey }}
+{{- end }}
+{{- end }}

values.yaml

@@ -66,10 +66,12 @@ global:
   # chart. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/.
   enablePodSecurityPolicies: false
 
-  # gossipEncryption configures which Kubernetes secret to retrieve Consul's
-  # gossip encryption key from (see https://www.consul.io/docs/agent/options.html#_encrypt).
+  # Enables encryption of Consul network traffic. The key will be retrieved from
+  # the secret if it exists else a new key will be automatically generated by
+  # the chart. See https://www.consul.io/docs/agent/options.html#_encrypt.
   # If secretName or secretKey are not set, gossip encryption will not be enabled.
-  # The secret must be in the same namespace that Consul is installed into.
+  # The secret can also be manually created beforehand in which case it must be 
+  # in the same namespace that Consul is installed into.
   #
   # The secret can be created by running:
   #    kubectl create secret generic consul-gossip-encryption-key \