Enabling TLS causes tls-init container to fail: /bin/sh: consul-k8s-control-plane: not found

When I enable tls in the helm chart i get the following error in the tls init container logs:

/bin/sh: consul-k8s-control-plane: not found

Helm Chart

    # If true, the Helm chart will enable TLS for Consul
    # servers and clients and all consul-k8s components, as well as generate certificate
    # authority (optional) and server and client certificates.
    enabled: true

    # If true, turns on the auto-encrypt feature on clients and servers.
    # It also switches consul-k8s components to retrieve the CA from the servers
    # via the API. Requires Consul 1.7.1+ and consul-k8s 0.13.0
    enableAutoEncrypt: true

I have not configured any certificates as from what i’ve read, TLS can be simply enabled by setting global.tls.enabled=true.

Any guidance much appreciated.

Hi @jamesdhope - This is probably due to a mismatch between your helm repo version and your global.imageK8S. If you have that field set in your val.yaml file you’ll need to remove it. About 2 releases ago we migrated the consul-helm and consul-k8s repositories into a monorepo and they are now versioned together.

I’d recommend using the latest helm repo release and not setting imageK8S.

Hi @kschoche indeed that was the issue. Thanks. James

@kschoche So Consul won’t complain if I use TLS between the client/server sidecars without setting the CA?

    # A Kubernetes secret containing the certificate of the CA to use for
    # TLS communication within the Consul cluster. If you have generated the CA yourself
    # with the consul CLI, you could use the following command to create the secret
    # in Kubernetes:
    # ```bash
    # kubectl create secret generic consul-ca-cert \
    #     --from-file='tls.crt=./consul-agent-ca.pem'
    # ```
      # The name of the Kubernetes secret.
      secretName: null
      # The key of the Kubernetes secret.
      secretKey: null

If you don’t specify the caCert as a secret Consul will autogenerate one for you (tls-init)

Thank you @kschoche appreciate it

How can I get the autogenerated caCert detail? Would I find them persisted to disk somewhere?

It will be created as the consul-ca-cert and consul-ca-key secrets.