As a result of the current implementation of #48, RPC traffic is exposed publicly and should therefore be encrypted. Since Consul provides mechanisms to do so, we should include a way to inject certs into the containers before Consul can start, in a similar fashion to how autopilotpattern/vault uses docker exec to bootstrap.
The proposed design is to check for CONSUL_TLS_PATH during preStart and, if present, wait for a file to appear at the specified path. Gossip key configuration can be done by specifying CONSUL_ENCRYPT_PATH or CONSUL_ENCRYPT_BASE64.
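One way the proposed preStart check could look, as an added example that is not part of the original issue or the project's code. It assumes CONSUL_TLS_PATH names a single file; the function names, the WAIT_SECS timeout, the output-file argument and the key-length check (memberlist accepts 16-, 24- or 32-byte keys) are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the project's own script. Function names, WAIT_SECS and
# the config-fragment path passed to pre_start are hypothetical.

# Block until the file at $1 exists and is non-empty, or fail after $2 seconds.
wait_for_file() {
    local path=$1 timeout=${2:-60} waited=0
    until [ -s "$path" ]; do
        [ "$waited" -lt "$timeout" ] || { echo "timed out waiting for $path" >&2; return 1; }
        sleep 1
        waited=$((waited + 1))
    done
}

# Print the gossip key from CONSUL_ENCRYPT_BASE64, or from the file at
# CONSUL_ENCRYPT_PATH; print nothing when neither variable is set.
gossip_key() {
    local key="" len
    if [ -n "${CONSUL_ENCRYPT_BASE64:-}" ]; then
        key=$CONSUL_ENCRYPT_BASE64
    elif [ -n "${CONSUL_ENCRYPT_PATH:-}" ]; then
        wait_for_file "$CONSUL_ENCRYPT_PATH" "${WAIT_SECS:-60}" || return 1
        key=$(tr -d '[:space:]' < "$CONSUL_ENCRYPT_PATH")
    else
        return 0
    fi
    # Fail closed: accept only base64 that decodes to a 16/24/32-byte AES key.
    printf '%s' "$key" | base64 -d >/dev/null 2>&1 || { echo "gossip key is not valid base64" >&2; return 1; }
    len=$(printf '%s' "$key" | base64 -d | wc -c)
    case $((len)) in
        16|24|32) printf '%s\n' "$key" ;;
        *) echo "gossip key decodes to $((len)) bytes" >&2; return 1 ;;
    esac
}

# preStart step: wait for the injected TLS file, then write the gossip key
# into the config fragment at $1, readable by the owner only.
pre_start() {
    local out=$1 key
    if [ -n "${CONSUL_TLS_PATH:-}" ]; then
        wait_for_file "$CONSUL_TLS_PATH" "${WAIT_SECS:-60}" || return 1
    fi
    key=$(gossip_key) || return 1
    [ -n "$key" ] || return 0
    ( umask 077; printf '{"encrypt": "%s"}\n' "$key" > "$out" )
}
```

A non-zero return from `pre_start` should stop the agent from starting, so a missing certificate or malformed key never results in an unencrypted listener.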