Skip to content

retry-join should be fetched from Secret resource as well since it MIGHT contains credentical information #4971

New issue
New issue
Open
Open
retry-join should be fetched from Secret resource as well since it MIGHT contains credentical information#4971
Labels
type/enhancementNew feature or request
@Dentrax

Description

@Dentrax
Dentrax
opened on Nov 20, 2025

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Is your feature request related to a problem? Please describe.

retry-join contains security-critical information like user_name and password, so it MUST be fetched from a Secret resource instead.

consul-k8s/charts/consul/values.yaml

Lines 1643 to 1650 in f45e027

# A list of valid [`-retry-join` values](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_retry_join).
# If this is `null` (default), then the clients will attempt to automatically
# join the server cluster running within Kubernetes.
# This means that with `server.enabled` set to true, clients will automatically
# join that cluster. If `server.enabled` is not true, then a value must be
# specified so the clients can join a valid cluster.
# @type: array<string>
join: null

Example retry join:

-retry-join="key=val tag_key=consul_cluster tag_value=test-stage domain_id=default region=az-1 project_id=my-project-id user_name=<USERNAME> password=<PASSWORD> auth_url=<AUTH_URL>"

Feature Description

consul-k8s/charts/consul/templates/client-daemonset.yaml

Lines 387 to 390 in f45e027

{{- if .Values.client.join }}
{{- range $value := .Values.client.join }}
-retry-join={{ quote $value }} \
{{- end }}

Get those variables from env in the DaemonSet, similar to GOSSIP_KEY.

- name: RETRY_JOINS
  valueFrom:
    secretKeyRef:
      name: consul-retry-join-keys

In order to not to do breaking change, it should work as-is and we should also able to get data from the Secret object as well.

Use Case(s)

Security-in-mind deployments, anyone with [GET] permission for Pod and/or DaemonSet resources, can able to scrape user name and password.

Contributions

Metadata

Metadata

Assignees

No one assigned

    Labels

    type/enhancementNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions