Backport of Adjust API gateway controller deployment appropriately when Vault configured as secrets backend into release/1.1.x #2095
Backport
This PR is auto-generated from #2083 to be assessed for backporting due to the inclusion of the label backport/1.1.x.
The below text is copied from the body of the original PR.
Changes proposed in this PR:
Consider whether Vault is being used as a secrets backend when determining whether to mount a TLS cert into the API gateway controller deployment.
Largely, this change is based off of how other deployments already handle Vault as a secrets backend. For example:
consul-k8s/charts/consul/templates/connect-inject-deployment.yaml
Lines 293 to 297 in 112ad18
The only unique aspect here is that the api-gateway-controller communicates directly with agents when client.enabled=true, so we require some additional gating to make sure that we're using the correct cert in this case.
How I've tested this PR:
Install Consul w/ API gateway enabled in configurations both with and without Vault used as a secrets backend. In each case, verify that the API gateway controller is able to start up successfully and that deployed API gateways function correctly.
Install Consul w/ external server configuration (HCP, for example). Test with and without clients enabled.
How I expect reviewers to test this PR:
Checklist:
Overview of commits