Use the auto-encrypt CA volume for service-init (hashicorp#405)

When auto-encrypt is enabled we need to use the volume with the client's CA rather than the server's.
ndhanushkodi · Apr 2, 2020 · fcdaa4f · fcdaa4f
1 parent ebf57c2
commit fcdaa4f
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/templates/client-daemonset.yaml b/templates/client-daemonset.yaml
@@ -147,7 +147,7 @@ spec:
               value: https://localhost:8501
             {{- if .Values.global.tls.enableAutoEncrypt }}
             - name: CONSUL_HTTP_SSL_VERIFY
-              value: false
+              value: "false"
             {{- else }}
             - name: CONSUL_CACERT
               value: /consul/tls/ca/tls.crt

diff --git a/templates/mesh-gateway-deployment.yaml b/templates/mesh-gateway-deployment.yaml
@@ -197,7 +197,11 @@ spec:
             - name: consul-service
               mountPath: /consul/service
             {{- if .Values.global.tls.enabled }}
+            {{- if .Values.global.tls.enableAutoEncrypt }}
+            - name: consul-auto-encrypt-ca-cert
+            {{- else }}
             - name: consul-ca-cert
+            {{- end }}
               mountPath: /consul/tls/ca
               readOnly: true
             {{- end }}
@@ -298,7 +302,11 @@ spec:
               mountPath: /consul/service
               readOnly: true
             {{- if .Values.global.tls.enabled }}
+            {{- if .Values.global.tls.enableAutoEncrypt }}
+            - name: consul-auto-encrypt-ca-cert
+            {{- else }}
             - name: consul-ca-cert
+            {{- end }}
               mountPath: /consul/tls/ca
               readOnly: true
             {{- end }}