Updating helm docs with additionalVault and ACLs refactor functionality. (#12669)

* Updating helm docs with additionalVault and ACLs refactor functionality.

* PR Feedback corrections.

- Fix indentation.
- Fix description of secretName and secretKey to be consistent
- Change description of manageACLsRole to be more clear.
- Make the added vault role field descriptions consistent

* PR Feedback - correcting description for adminPartitionsRole

* Fixing broken shell sessions

* Fixing broken shell sessions by changing shell-session to be closer to comment marker
This commit is contained in:
John Murret 2022-04-04 14:36:19 -06:00 committed by GitHub
parent 319fe48561
commit 2bc11a5db6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 116 additions and 66 deletions


@ -151,35 +151,56 @@ Use these links to navigate to a particular top-level stanza.
- `enabled` ((#v-global-secretsbackend-vault-enabled)) (`boolean: false`) - Enabling the Vault secrets backend will replace Kubernetes secrets with referenced Vault secrets. - `enabled` ((#v-global-secretsbackend-vault-enabled)) (`boolean: false`) - Enabling the Vault secrets backend will replace Kubernetes secrets with referenced Vault secrets.
- `consulServerRole` ((#v-global-secretsbackend-vault-consulserverrole)) (`string: ""`) - The Vault role for the Consul server. - `consulServerRole` ((#v-global-secretsbackend-vault-consulserverrole)) (`string: ""`) - The Vault role for the Consul server.
The role must be connected to the Consul server's service account and The role must be connected to the Consul server's service account.
have a policy with read capabilities for the following secrets: The role must also have a policy with read capabilities for the following secrets:
- gossip encryption key defined by `global.gossipEncryption.secretName` - gossip encryption key defined by the `global.gossipEncryption.secretName` value
- certificate issue path defined by `server.serverCert.secretName` - certificate issue path defined by the `server.serverCert.secretName` value
- CA certificate defined by `global.tls.caCert.secretName` - CA certificate defined by the `global.tls.caCert.secretName` value
- replication token defined by `global.acls.replicationToken.secretName` if `global.federation.enabled` is `true` - replication token defined by the `global.acls.replicationToken.secretName` value if `global.federation.enabled` is `true`
To discover the service account name of the Consul server, run To discover the service account name of the Consul server, run
```shell-session ```shell-session
$ helm template --show-only templates/server-serviceaccount.yaml <release-name> hashicorp/consul $ helm template --show-only templates/server-serviceaccount.yaml <release-name> hashicorp/consul
``` ```
and check the name of `metadata.name`. and check the name of `metadata.name`.
- `consulClientRole` ((#v-global-secretsbackend-vault-consulclientrole)) (`string: ""`) - The Vault role for the Consul client. - `consulClientRole` ((#v-global-secretsbackend-vault-consulclientrole)) (`string: ""`) - The Vault role for the Consul client.
The role must be connected to the Consul client's service account and The role must be connected to the Consul client's service account.
have a policy with read capabilities for the following secrets: The role must also have a policy with read capabilities for the gossip encryption
- gossip encryption key defined by `global.gossipEncryption.secretName`. key defined by the `global.gossipEncryption.secretName` value.
To discover the service account name of the Consul client, run To discover the service account name of the Consul client, run
```shell-session ```shell-session
$ helm template --show-only templates/client-serviceaccount.yaml <release-name> charts/consul $ helm template --show-only templates/client-serviceaccount.yaml <release-name> hashicorp/consul
``` ```
and check the name of `metadata.name`. and check the name of `metadata.name`.
- `manageSystemACLsRole` ((#v-global-secretsbackend-vault-managesystemaclsrole)) (`string: ""`) - A Vault role to allow Kubernetes job that manages ACLs for this Helm chart (`server-acl-init`) - `consulSnapshotAgentRole` ((#v-global-secretsbackend-vault-consulsnapshotagentrole)) (`string: ""`) - <EnterpriseAlert inline /> The Vault role for the Consul client snapshot agent.
to read and update Vault secrets for the Consul's bootstrap and replication tokens. The role must be connected to the Consul client snapshot agent's service account.
This role must be bound the `server-acl-init`'s service account. The role must also have a policy with read capabilities for the snapshot agent config
defined by the `client.snapshotAgent.configSecret.secretName` value.
To discover the service account name of the Consul client, run
```shell-session
$ helm template --show-only templates/client-snapshot-agent-serviceaccount.yaml --set client.snapshotAgent.enabled=true <release-name> hashicorp/consul
```
and check the name of `metadata.name`.
- `manageSystemACLsRole` ((#v-global-secretsbackend-vault-managesystemaclsrole)) (`string: ""`) - A Vault role for the Consul `server-acl-init` job, which manages setting ACLs so that clients and components can obtain ACL tokens.
The role must be connected to the `server-acl-init` job's service account.
The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens
To discover the service account name of the `server-acl-init` job, run To discover the service account name of the `server-acl-init` job, run
```shell-session ```shell-session
$ helm template --show-only templates/server-acl-init-serviceaccount.yaml <release-name> charts/consul $ helm template --show-only templates/server-acl-init-serviceaccount.yaml \
``` --set global.acls.manageSystemACLs=true <release-name> hashicorp/consul
```
and check the name of `metadata.name`.
- `adminPartitionsRole` ((#v-global-secretsbackend-vault-adminpartitionsrole)) (`string: ""`) - <EnterpriseAlert inline /> A Vault role that allows the Consul `partition-init` job to read a Vault secret for the partition ACL token.
The `partition-init` job bootstraps Admin Partitions on Consul servers.
.
This role must be bound the `partition-init` job's service account.
To discover the service account name of the `partition-init` job, run with Helm values for the client cluster:
```shell-session
$ helm template --show-only templates/partition-init-serviceaccount.yaml -f client-cluster-values.yaml <release-name> hashicorp/consul
```
and check the name of `metadata.name`. and check the name of `metadata.name`.
- `agentAnnotations` ((#v-global-secretsbackend-vault-agentannotations)) (`string: null`) - This value defines additional annotations for - `agentAnnotations` ((#v-global-secretsbackend-vault-agentannotations)) (`string: null`) - This value defines additional annotations for
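Review bot: the new `consulSnapshotAgentRole` entry says "To discover the service account name of the Consul client, run" but the command that follows renders `templates/client-snapshot-agent-serviceaccount.yaml`, so this should read "of the Consul client snapshot agent" (it looks copied from the `consulClientRole` entry above). Two smaller points in the same hunk: the `adminPartitionsRole` description has a stray "." on a line of its own after "The `partition-init` job bootstraps Admin Partitions on Consul servers.", and "This role must be bound the `partition-init` job's service account." is missing "to"; the other entries in this hunk use "The role must be connected to ...", so the same phrasing would fit here. Finally, the `manageSystemACLsRole` sentence "The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens" has no terminating period and, unlike `consulServerRole`, does not name the values that define those secrets (`global.acls.bootstrapToken.secretName`, `global.acls.replicationToken.secretName`, `global.acls.partitionToken.secretName`), which is exactly what someone writing the Vault policy needs.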
@ -200,10 +221,10 @@ Use these links to navigate to a particular top-level stanza.
- `ca` ((#v-global-secretsbackend-vault-ca)) - Configuration for Vault server CA certificate. This certificate will be mounted - `ca` ((#v-global-secretsbackend-vault-ca)) - Configuration for Vault server CA certificate. This certificate will be mounted
to any pod where Vault agent needs to run. to any pod where Vault agent needs to run.
- `secretName` ((#v-global-secretsbackend-vault-ca-secretname)) (`string: ""`) - secretName is the name of the Kubernetes secret that holds the Vault CA certificate. - `secretName` ((#v-global-secretsbackend-vault-ca-secretname)) (`string: ""`) - The name of the Kubernetes or Vault secret that holds the Vault CA certificate.
A Kubernetes secret must be in the same namespace that Consul is installed into. A Kubernetes secret must be in the same namespace that Consul is installed into.
- `secretKey` ((#v-global-secretsbackend-vault-ca-secretkey)) (`string: ""`) - secretKey is the key within the Kubernetes secret that holds the Vault CA certificate. - `secretKey` ((#v-global-secretsbackend-vault-ca-secretkey)) (`string: ""`) - The key within the Kubernetes or Vault secret that holds the Vault CA certificate.
- `connectCA` ((#v-global-secretsbackend-vault-connectca)) - Configuration for the Vault Connect CA provider. - `connectCA` ((#v-global-secretsbackend-vault-connectca)) - Configuration for the Vault Connect CA provider.
The provider will be configured to use the Vault Kubernetes auth method The provider will be configured to use the Vault Kubernetes auth method
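Review bot: widening the `ca` secret to "Kubernetes or Vault secret" looks doubtful for this particular stanza: the unchanged context says this is the "Vault server CA certificate" that "will be mounted to any pod where Vault agent needs to run", and the Vault agent needs that certificate before it can establish TLS to Vault and read anything from it. If the chart only supports a Kubernetes secret here, keep "Kubernetes secret" for `secretName` and `secretKey`; if a Vault-sourced CA really is supported, a sentence on how the agent bootstraps trust would help.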
@ -261,12 +282,12 @@ Use these links to navigate to a particular top-level stanza.
`gossipEncryption.secretName="consul/data/secrets/gossip"` `gossipEncryption.secretName="consul/data/secrets/gossip"`
`gossipEncryption.secretKey="key"` `gossipEncryption.secretKey="key"`
- `autoGenerate` ((#v-global-gossipencryption-autogenerate)) (`boolean: false`) - Automatically generate a gossip encryption key and save it to a Kubernetes secret. - `autoGenerate` ((#v-global-gossipencryption-autogenerate)) (`boolean: false`) - Automatically generate a gossip encryption key and save it to a Kubernetes or Vault secret.
- `secretName` ((#v-global-gossipencryption-secretname)) (`string: ""`) - secretName is the name of the Kubernetes secret or Vault secret path that holds the gossip - `secretName` ((#v-global-gossipencryption-secretname)) (`string: ""`) - The name of the Kubernetes secret or Vault secret path that holds the gossip
encryption key. A Kubernetes secret must be in the same namespace that Consul is installed into. encryption key. A Kubernetes secret must be in the same namespace that Consul is installed into.
- `secretKey` ((#v-global-gossipencryption-secretkey)) (`string: ""`) - secretKey is the key within the Kubernetes secret or Vault secret key that holds the gossip - `secretKey` ((#v-global-gossipencryption-secretkey)) (`string: ""`) - The key within the Kubernetes secret or Vault secret key that holds the gossip
encryption key. encryption key.
- `recursors` ((#v-global-recursors)) (`array<string>: []`) - A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. - `recursors` ((#v-global-recursors)) (`array<string>: []`) - A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries.
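Review bot: `autoGenerate` now says the generated gossip key is saved "to a Kubernetes or Vault secret"; please confirm the autogenerate job can actually write to Vault, otherwise the previous "Kubernetes secret" wording is the accurate one and the new text promises behaviour the chart does not have. Also, the `secretName`/`secretKey` text in this hunk ("Kubernetes secret or Vault secret path", "Kubernetes secret or Vault secret key") differs from the "The name of the Kubernetes or Vault secret that holds ..." form used for the other secrets in this PR; pick one form.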
@ -294,11 +315,11 @@ Use these links to navigate to a particular top-level stanza.
in the server certificate. This is useful when you need to access the in the server certificate. This is useful when you need to access the
Consul server(s) externally, for example, if you're using the UI. Consul server(s) externally, for example, if you're using the UI.
- `verify` ((#v-global-tls-verify)) (`boolean: true`) - If true, `tls.defaults.verify_outgoing`, - `verify` ((#v-global-tls-verify)) (`boolean: true`) - If true, `verify_outgoing`, `verify_server_hostname`,
`tls.internal_rpc.verify_server_hostname`, and `tls.internal_rpc.verify_incoming` will be set and `verify_incoming_rpc` will be set to `true` for Consul servers and clients.
to `true` for Consul servers and clients. Set this to false to incrementally roll out TLS Set this to false to incrementally roll out TLS on an existing Consul cluster.
on an existing Consul cluster. Please see https://consul.io/docs/k8s/operations/tls-on-existing-cluster
Please see https://consul.io/docs/k8s/operations/tls-on-existing-cluster for more details. for more details.
- `httpsOnly` ((#v-global-tls-httpsonly)) (`boolean: true`) - If true, the Helm chart will configure Consul to disable the HTTP port on - `httpsOnly` ((#v-global-tls-httpsonly)) (`boolean: true`) - If true, the Helm chart will configure Consul to disable the HTTP port on
both clients and servers and to only accept HTTPS connections. both clients and servers and to only accept HTTPS connections.
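Review bot: the `verify` change replaces `tls.defaults.verify_outgoing`, `tls.internal_rpc.verify_server_hostname` and `tls.internal_rpc.verify_incoming` with the flat `verify_outgoing`, `verify_server_hostname` and `verify_incoming_rpc` names, which reads like an accidental revert of a newer edit rather than part of the Vault/ACLs work the PR title describes. If values.yaml on this branch still carries the older names, rebase or regenerate so the reference does not step backwards; otherwise drop this hunk.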
@ -317,11 +338,11 @@ Use these links to navigate to a particular top-level stanza.
This will be consumed by the `global.secretsBackend.vault.consulCARole` role by all Consul components. This will be consumed by the `global.secretsBackend.vault.consulCARole` role by all Consul components.
When using Vault the secretKey is not used. When using Vault the secretKey is not used.
- `secretName` ((#v-global-tls-cacert-secretname)) (`string: null`) - The name of the Kubernetes secret. - `secretName` ((#v-global-tls-cacert-secretname)) (`string: null`) - The name of the Kubernetes or Vault secret that holds the CA certificate.
- `secretKey` ((#v-global-tls-cacert-secretkey)) (`string: null`) - The key of the Kubernetes secret. - `secretKey` ((#v-global-tls-cacert-secretkey)) (`string: null`) - The key within the Kubernetes or Vault secret that holds the CA certificate.
- `caKey` ((#v-global-tls-cakey)) - A Kubernetes secret containing the private key of the CA to use for - `caKey` ((#v-global-tls-cakey)) - A Kubernetes or Vault secret containing the private key of the CA to use for
TLS communication within the Consul cluster. If you have generated the CA yourself TLS communication within the Consul cluster. If you have generated the CA yourself
with the consul CLI, you could use the following command to create the secret with the consul CLI, you could use the following command to create the secret
in Kubernetes: in Kubernetes:
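Review bot: `caCert.secretKey` now reads "The key within the Kubernetes or Vault secret that holds the CA certificate", but the unchanged context two lines above still says "When using Vault the secretKey is not used." The two statements conflict; either keep the Vault exception in the `secretKey` description or remove that sentence from the context. The `caKey` intro also becomes "A Kubernetes or Vault secret containing the private key of the CA", while the instructions that follow only cover creating the secret in Kubernetes with the consul CLI; if the CA private key is never read from Vault, "Kubernetes secret" was correct.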
@ -336,9 +357,9 @@ Use these links to navigate to a particular top-level stanza.
as Subject Alternative Names. In the future, we may support bringing your own server as Subject Alternative Names. In the future, we may support bringing your own server
certificates. certificates.
- `secretName` ((#v-global-tls-cakey-secretname)) (`string: null`) - The name of the Kubernetes secret. - `secretName` ((#v-global-tls-cakey-secretname)) (`string: null`) - The name of the Kubernetes or Vault secret that holds the CA key.
- `secretKey` ((#v-global-tls-cakey-secretkey)) (`string: null`) - The key of the Kubernetes secret. - `secretKey` ((#v-global-tls-cakey-secretkey)) (`string: null`) - The key within the Kubernetes or Vault secret that holds the CA key.
- `enableConsulNamespaces` ((#v-global-enableconsulnamespaces)) (`boolean: false`) - <EnterpriseAlert inline /> `enableConsulNamespaces` indicates that you are running - `enableConsulNamespaces` ((#v-global-enableconsulnamespaces)) (`boolean: false`) - <EnterpriseAlert inline /> `enableConsulNamespaces` indicates that you are running
Consul Enterprise v1.7+ with a valid Consul Enterprise license and would Consul Enterprise v1.7+ with a valid Consul Enterprise license and would
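Review bot: `caKey.secretName`/`caKey.secretKey` are widened to "Kubernetes or Vault secret that holds the CA key" with no indication of when a Vault-held CA private key would be read; with Vault issuing the server certificates (the first hunk describes `server.serverCert.secretName` as a "certificate issue path"), it is not obvious where the chart would consume the CA private key from Vault. Please either confirm that path exists and say when it applies, or leave these two entries as Kubernetes-only.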
@ -353,14 +374,14 @@ Use these links to navigate to a particular top-level stanza.
for all Consul and consul-k8s-control-plane components. for all Consul and consul-k8s-control-plane components.
This requires Consul >= 1.4. This requires Consul >= 1.4.
- `bootstrapToken` ((#v-global-acls-bootstraptoken)) - A Kubernetes secret containing the bootstrap token to use for - `bootstrapToken` ((#v-global-acls-bootstraptoken)) - A Kubernetes or Vault secret containing the bootstrap token to use for
creating policies and tokens for all Consul and consul-k8s-control-plane components. creating policies and tokens for all Consul and consul-k8s-control-plane components.
If set, we will skip ACL bootstrapping of the servers and will only If set, we will skip ACL bootstrapping of the servers and will only
initialize ACLs for the Consul clients and consul-k8s-control-plane system components. initialize ACLs for the Consul clients and consul-k8s-control-plane system components.
- `secretName` ((#v-global-acls-bootstraptoken-secretname)) (`string: null`) - The name of the Kubernetes secret. - `secretName` ((#v-global-acls-bootstraptoken-secretname)) (`string: null`) - The name of the Kubernetes or Vault secret that holds the bootstrap token.
- `secretKey` ((#v-global-acls-bootstraptoken-secretkey)) (`string: null`) - The key of the Kubernetes secret. - `secretKey` ((#v-global-acls-bootstraptoken-secretkey)) (`string: null`) - The key within the Kubernetes or Vault secret that holds the bootstrap token.
- `createReplicationToken` ((#v-global-acls-createreplicationtoken)) (`boolean: false`) - If true, an ACL token will be created that can be used in secondary - `createReplicationToken` ((#v-global-acls-createreplicationtoken)) (`boolean: false`) - If true, an ACL token will be created that can be used in secondary
datacenters for replication. This should only be set to true in the datacenters for replication. This should only be set to true in the
@ -374,21 +395,32 @@ Use these links to navigate to a particular top-level stanza.
and create ACL tokens and policies. and create ACL tokens and policies.
This value is ignored if `bootstrapToken` is also set. This value is ignored if `bootstrapToken` is also set.
- `secretName` ((#v-global-acls-replicationtoken-secretname)) (`string: null`) - The name of the Kubernetes secret or the path of the secret in Vault. - `secretName` ((#v-global-acls-replicationtoken-secretname)) (`string: null`) - The name of the Kubernetes or Vault secret that holds the replication token.
- `secretKey` ((#v-global-acls-replicationtoken-secretkey)) (`string: null`) - The key of the Kubernetes or Vault secret. - `secretKey` ((#v-global-acls-replicationtoken-secretkey)) (`string: null`) - The key within the Kubernetes or Vault secret that holds the replication token.
- `enterpriseLicense` ((#v-global-enterpriselicense)) - <EnterpriseAlert inline /> This value refers to a Kubernetes secret that you have created - `partitionToken` ((#v-global-acls-partitiontoken)) - partitionToken references a Vault secret containing the ACL token to be used in non-default partitions.
This value should only be provided in the default partition and only when setting
the `global.secretsBackend.vault.enabled` value to true.
Consul will use the value of the secret stored in Vault to create an ACL token in Consul with the value of the
secret as the secretID for the token.
In non-default, partitions set this secret as the `bootstrapToken`.
- `secretName` ((#v-global-acls-partitiontoken-secretname)) (`string: null`) - The name of the Vault secret that holds the partition token.
- `secretKey` ((#v-global-acls-partitiontoken-secretkey)) (`string: null`) - The key within the Vault secret that holds the parition token.
- `enterpriseLicense` ((#v-global-enterpriselicense)) - <EnterpriseAlert inline /> This value refers to a Kubernetes or Vault secret that you have created
that contains your enterprise license. It is required if you are using an that contains your enterprise license. It is required if you are using an
enterprise binary. Defining it here applies it to your cluster once a leader enterprise binary. Defining it here applies it to your cluster once a leader
has been elected. If you are not using an enterprise image or if you plan to has been elected. If you are not using an enterprise image or if you plan to
introduce the license key via another route, then set these fields to null. introduce the license key via another route, then set these fields to null.
Note: the job to apply license runs on both Helm installs and upgrades. Note: the job to apply license runs on both Helm installs and upgrades.
- `secretName` ((#v-global-enterpriselicense-secretname)) (`string: null`) - secretName is the name of the Kubernetes secret or Vault secret path that holds the enterprise license. - `secretName` ((#v-global-enterpriselicense-secretname)) (`string: null`) - The name of the Kubernetes or Vault secret that holds the enterprise license.
A Kubernetes secret must be in the same namespace that Consul is installed into. A Kubernetes secret must be in the same namespace that Consul is installed into.
- `secretKey` ((#v-global-enterpriselicense-secretkey)) (`string: null`) - secretKey is the key within the Kubernetes secret or Vault secret key that holds the enterprise license. - `secretKey` ((#v-global-enterpriselicense-secretkey)) (`string: null`) - The key within the Kubernetes or Vault secret that holds the enterprise license.
- `enableLicenseAutoload` ((#v-global-enterpriselicense-enablelicenseautoload)) (`boolean: true`) - Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+. - `enableLicenseAutoload` ((#v-global-enterpriselicense-enablelicenseautoload)) (`boolean: true`) - Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+.
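Review bot: the new `partitionToken` entry has a typo, "parition token", in the `secretKey` line, and a misplaced comma in "In non-default, partitions set this secret as the `bootstrapToken`." (should be "In non-default partitions, set ..."). Admin partitions are an Enterprise feature and `adminPartitionsRole` in the first hunk carries `<EnterpriseAlert inline />`, so this entry should carry it too. Style-wise, "partitionToken references a Vault secret containing ..." does not match the neighbouring "A Kubernetes or Vault secret containing ..." form used by `bootstrapToken` and `replicationToken`, and the two sentences about creating an ACL token "with the value of the secret as the secretID for the token" can be collapsed into one.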
@ -408,11 +440,25 @@ Use these links to navigate to a particular top-level stanza.
`<global.name>-federation` (if setting `global.name`), otherwise `<global.name>-federation` (if setting `global.name`), otherwise
`<helm-release-name>-consul-federation`. `<helm-release-name>-consul-federation`.
- `primaryDatacenter` ((#v-global-federation-primarydatacenter)) (`string: ""`) - The name of the primary datacenter. - `primaryDatacenter` ((#v-global-federation-primarydatacenter)) (`string: null`) - The name of the primary datacenter.
- `primaryGateways` ((#v-global-federation-primarygateways)) (`array<string>: []`) - A list of addresses of the primary mesh gateways in the form `<ip>:<port>`. - `primaryGateways` ((#v-global-federation-primarygateways)) (`array<string>: []`) - A list of addresses of the primary mesh gateways in the form `<ip>:<port>`.
(e.g. ["1.1.1.1:443", "2.3.4.5:443"] (e.g. ["1.1.1.1:443", "2.3.4.5:443"]
- `k8sAuthMethodHost` ((#v-global-federation-k8sauthmethodhost)) (`string: null`) - If you are setting `global.federation.enabled` to true and are in a secondary datacenter,
set `k8sAuthMethodHost` to the address of the Kubernetes API server of the secondary datacenter.
This address must be reachable from the Consul servers in the primary datacenter.
This authmethod will be used to provision ACL tokens for Consul components and is different
from the one used by the Consul Service Mesh.
Please see the Kubernetes Auth Method documentation (https://consul.io/docs/acl/auth-methods/kubernetes).
You could retrieve this value from your `kubeconfig` by running:
```shell-session
$ kubectl config view \
-o jsonpath="{.clusters[?(@.name=='<your cluster name>')].cluster.server}"
```
- `metrics` ((#v-global-metrics)) - Configures metrics for Consul service mesh - `metrics` ((#v-global-metrics)) - Configures metrics for Consul service mesh
- `enabled` ((#v-global-metrics-enabled)) (`boolean: false`) - Configures the Helm charts components - `enabled` ((#v-global-metrics-enabled)) (`boolean: false`) - Configures the Helm charts components
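Review bot: `primaryDatacenter` changes its documented default from `string: ""` to `string: null`, which is unrelated to the Vault/ACLs refactor in the PR title; confirm values.yaml actually changed, otherwise this is drift from the doc generator. In the new `k8sAuthMethodHost` entry, "This authmethod will be used" should be "This auth method will be used" to match the linked "Kubernetes Auth Method documentation".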
@ -511,7 +557,7 @@ Use these links to navigate to a particular top-level stanza.
Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine
must be provided. must be provided.
- `secretName` ((#v-server-servercert-secretname)) (`string: null`) - The name of the Kubernetes secret or Vault secret path containing the PEM encoded server certificate. - `secretName` ((#v-server-servercert-secretname)) (`string: null`) - The name of the Vault secret that holds the PEM encoded server certificate.
- `exposeGossipAndRPCPorts` ((#v-server-exposegossipandrpcports)) (`boolean: false`) - Exposes the servers' gossip and RPC ports as hostPorts. To enable a client - `exposeGossipAndRPCPorts` ((#v-server-exposegossipandrpcports)) (`boolean: false`) - Exposes the servers' gossip and RPC ports as hostPorts. To enable a client
agent outside of the k8s cluster to join the datacenter, you would need to agent outside of the k8s cluster to join the datacenter, you would need to
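Review bot: `server.serverCert.secretName` is now "The name of the Vault secret that holds the PEM encoded server certificate", but the first hunk describes the same value as the "certificate issue path defined by `server.serverCert.secretName`". For a PKI engine the value is an issue path rather than a stored secret, so reusing the first hunk's wording (or "Vault PKI issue path") would be more accurate; also hyphenate "PEM-encoded" as the `caCert` entry for the snapshot agent does later in the file.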
@ -860,7 +906,7 @@ Use these links to navigate to a particular top-level stanza.
"sample/annotation2": "bar" "sample/annotation2": "bar"
``` ```
- `resources` ((#v-client-resources)) (`map`) - Resource settings for Client agents. - `resources` ((#v-client-resources)) (`map`) - The resource settings for Client agents.
NOTE: The use of a YAML string is deprecated. Instead, set directly as a NOTE: The use of a YAML string is deprecated. Instead, set directly as a
YAML map. YAML map.
@ -1033,15 +1079,15 @@ Use these links to navigate to a particular top-level stanza.
- `replicas` ((#v-client-snapshotagent-replicas)) (`integer: 2`) - The number of snapshot agents to run. - `replicas` ((#v-client-snapshotagent-replicas)) (`integer: 2`) - The number of snapshot agents to run.
- `configSecret` ((#v-client-snapshotagent-configsecret)) - A Kubernetes secret that should be manually created to contain the entire - `configSecret` ((#v-client-snapshotagent-configsecret)) - A Kubernetes or Vault secret that should be manually created to contain the entire
config to be used on the snapshot agent. config to be used on the snapshot agent.
This is the preferred method of configuration since there are usually storage This is the preferred method of configuration since there are usually storage
credentials present. Please see Snapshot agent config (https://consul.io/commands/snapshot/agent#config-file-options) credentials present. Please see Snapshot agent config (https://consul.io/commands/snapshot/agent#config-file-options)
for details. for details.
- `secretName` ((#v-client-snapshotagent-configsecret-secretname)) (`string: null`) - The name of the Kubernetes secret. - `secretName` ((#v-client-snapshotagent-configsecret-secretname)) (`string: null`) - The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config.
- `secretKey` ((#v-client-snapshotagent-configsecret-secretkey)) (`string: null`) - The key of the Kubernetes secret. - `secretKey` ((#v-client-snapshotagent-configsecret-secretkey)) (`string: null`) - The key within the Kubernetes secret or Vault secret key that holds the snapshot agent config.
- `serviceAccount` ((#v-client-snapshotagent-serviceaccount)) - `serviceAccount` ((#v-client-snapshotagent-serviceaccount))
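Review bot: `configSecret.secretName`/`secretKey` use "Kubernetes secret or Vault secret path" and "Kubernetes secret or Vault secret key", while every other secret touched by this PR was rewritten to "The name of the Kubernetes or Vault secret that holds ..." / "The key within the Kubernetes or Vault secret that holds ..." (the PR description lists making these consistent as a goal); apply the same form here.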
@ -1054,7 +1100,7 @@ Use these links to navigate to a particular top-level stanza.
"sample/annotation2": "bar" "sample/annotation2": "bar"
``` ```
- `resources` ((#v-client-snapshotagent-resources)) (`map`) - Resource settings for snapshot agent pods. - `resources` ((#v-client-snapshotagent-resources)) (`map`) - The resource settings for snapshot agent pods.
- `caCert` ((#v-client-snapshotagent-cacert)) (`string: null`) - Optional PEM-encoded CA certificate that will be added to the trusted system CAs. - `caCert` ((#v-client-snapshotagent-cacert)) (`string: null`) - Optional PEM-encoded CA certificate that will be added to the trusted system CAs.
Useful if using an S3-compatible storage exposing a self-signed certificate. Useful if using an S3-compatible storage exposing a self-signed certificate.
@ -1326,9 +1372,9 @@ Use these links to navigate to a particular top-level stanza.
an ACL token for your Consul cluster which allows the sync process the correct an ACL token for your Consul cluster which allows the sync process the correct
permissions. This is only needed if ACLs are enabled on the Consul cluster. permissions. This is only needed if ACLs are enabled on the Consul cluster.
- `secretName` ((#v-synccatalog-aclsynctoken-secretname)) (`string: null`) - The name of the Kubernetes secret. - `secretName` ((#v-synccatalog-aclsynctoken-secretname)) (`string: null`) - The name of the Vault secret that holds the acl sync token.
- `secretKey` ((#v-synccatalog-aclsynctoken-secretkey)) (`string: null`) - The key of the Kubernetes secret. - `secretKey` ((#v-synccatalog-aclsynctoken-secretkey)) (`string: null`) - The key within the Vault secret that holds the acl sync.
- `nodeSelector` ((#v-synccatalog-nodeselector)) (`string: null`) - This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) - `nodeSelector` ((#v-synccatalog-nodeselector)) (`string: null`) - This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
labels for catalog sync pod assignment, formatted as a multi-line string. labels for catalog sync pod assignment, formatted as a multi-line string.
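Review bot: `aclSyncToken.secretName`/`secretKey` drop "Kubernetes secret" and now say "Vault secret" only, but the unchanged context still describes "an ACL token for your Consul cluster" that the user supplies, which without the Vault backend is a Kubernetes secret; use "Kubernetes or Vault secret" as the other token entries in this PR do. The `secretKey` line is also cut off: "holds the acl sync." should read "holds the ACL sync token" (capitalised like "ACL inject token" later in the file).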
@ -1358,7 +1404,7 @@ Use these links to navigate to a particular top-level stanza.
"sample/annotation2": "bar" "sample/annotation2": "bar"
``` ```
- `resources` ((#v-synccatalog-resources)) (`map`) - Resource settings for sync catalog pods. - `resources` ((#v-synccatalog-resources)) (`map`) - The resource settings for sync catalog pods.
- `logLevel` ((#v-synccatalog-loglevel)) (`string: ""`) - Override global log verbosity level. One of "debug", "info", "warn", or "error". - `logLevel` ((#v-synccatalog-loglevel)) (`string: ""`) - Override global log verbosity level. One of "debug", "info", "warn", or "error".
@ -1464,7 +1510,7 @@ Use these links to navigate to a particular top-level stanza.
"sample/annotation2": "bar" "sample/annotation2": "bar"
``` ```
- `resources` ((#v-connectinject-resources)) (`map`) - Resource settings for connect inject pods. - `resources` ((#v-connectinject-resources)) (`map`) - The resource settings for connect inject pods.
- `failurePolicy` ((#v-connectinject-failurepolicy)) (`string: Fail`) - Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook - `failurePolicy` ((#v-connectinject-failurepolicy)) (`string: Fail`) - Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook
is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline. is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline.
@ -1576,9 +1622,9 @@ Use these links to navigate to a particular top-level stanza.
This token needs to have `operator = "write"` privileges to be able to This token needs to have `operator = "write"` privileges to be able to
create Consul namespaces. create Consul namespaces.
- `secretName` ((#v-connectinject-aclinjecttoken-secretname)) (`string: null`) - The name of the Kubernetes secret. - `secretName` ((#v-connectinject-aclinjecttoken-secretname)) (`string: null`) - The name of the Vault secret that holds the ACL inject token.
- `secretKey` ((#v-connectinject-aclinjecttoken-secretkey)) (`string: null`) - The key of the Kubernetes secret. - `secretKey` ((#v-connectinject-aclinjecttoken-secretkey)) (`string: null`) - The key within the Vault secret that holds the ACL inject token.
- `sidecarProxy` ((#v-connectinject-sidecarproxy)) - `sidecarProxy` ((#v-connectinject-sidecarproxy))
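Review bot: `aclInjectToken.secretName`/`secretKey` now mention only a "Vault secret", which removes the documented Kubernetes-secret option for users not running the Vault backend; "The name of the Kubernetes or Vault secret that holds the ACL inject token" and "The key within the Kubernetes or Vault secret that holds the ACL inject token" keep both options and match the `bootstrapToken` entries earlier in this diff.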
@ -1603,7 +1649,7 @@ Use these links to navigate to a particular top-level stanza.
- `cpu` ((#v-connectinject-sidecarproxy-resources-limits-cpu)) (`string: null`) - Recommended default: 100m - `cpu` ((#v-connectinject-sidecarproxy-resources-limits-cpu)) (`string: null`) - Recommended default: 100m
- `initContainer` ((#v-connectinject-initcontainer)) (`map`) - Resource settings for the Connect injected init container. - `initContainer` ((#v-connectinject-initcontainer)) (`map`) - The resource settings for the Connect injected init container.
### controller ### controller
@ -1628,7 +1674,7 @@ Use these links to navigate to a particular top-level stanza.
"sample/annotation2": "bar" "sample/annotation2": "bar"
``` ```
- `resources` ((#v-controller-resources)) (`map`) - Resource settings for controller pods. - `resources` ((#v-controller-resources)) (`map`) - The resource settings for controller pods.
- `nodeSelector` ((#v-controller-nodeselector)) (`string: null`) - Optional YAML string to specify a nodeSelector config. - `nodeSelector` ((#v-controller-nodeselector)) (`string: null`) - Optional YAML string to specify a nodeSelector config.
@ -1654,9 +1700,9 @@ Use these links to navigate to a particular top-level stanza.
``` ```
If running Consul Enterprise, talk to your account manager for assistance. If running Consul Enterprise, talk to your account manager for assistance.
- `secretName` ((#v-controller-acltoken-secretname)) (`string: null`) - The name of the Kubernetes secret. - `secretName` ((#v-controller-acltoken-secretname)) (`string: null`) - The name of the Vault secret that holds the ACL token.
- `secretKey` ((#v-controller-acltoken-secretkey)) (`string: null`) - The key of the Kubernetes secret. - `secretKey` ((#v-controller-acltoken-secretkey)) (`string: null`) - The key within the Vault secret that holds the ACL token.
### meshGateway ### meshGateway
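Review bot: same issue as the `aclInjectToken` hunk above: "The name of the Vault secret that holds the ACL token" drops the Kubernetes Secret case that the replaced text ("The name of the Kubernetes secret") described, so a reader running without the Vault backend no longer learns what `controller.aclToken.secretName` / `secretKey` point at. Suggest naming both backends and qualifying which token this is, e.g. "The name of the Kubernetes secret (or Vault secret when the Vault backend is enabled) that holds the controller ACL token."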
@ -1760,13 +1806,13 @@ Use these links to navigate to a particular top-level stanza.
"sample/annotation2": "bar" "sample/annotation2": "bar"
``` ```
- `resources` ((#v-meshgateway-resources)) (`map`) - Resource settings for mesh gateway pods. - `resources` ((#v-meshgateway-resources)) (`map`) - The resource settings for mesh gateway pods.
NOTE: The use of a YAML string is deprecated. Instead, set directly as a NOTE: The use of a YAML string is deprecated. Instead, set directly as a
YAML map. YAML map.
- `initCopyConsulContainer` ((#v-meshgateway-initcopyconsulcontainer)) (`map`) - Resource settings for the `copy-consul-bin` init container. - `initCopyConsulContainer` ((#v-meshgateway-initcopyconsulcontainer)) (`map`) - The resource settings for the `copy-consul-bin` init container.
- `initServiceInitContainer` ((#v-meshgateway-initserviceinitcontainer)) (`map`) - Resource settings for the `service-init` init container. - `initServiceInitContainer` ((#v-meshgateway-initserviceinitcontainer)) (`map`) - The resource settings for the `service-init` init container.
- `affinity` ((#v-meshgateway-affinity)) (`string`) - By default, we set an anti-affinity so that two gateway pods won't be - `affinity` ((#v-meshgateway-affinity)) (`string`) - By default, we set an anti-affinity so that two gateway pods won't be
on the same node. NOTE: Gateways require that Consul client agents are on the same node. NOTE: Gateways require that Consul client agents are
@ -1846,7 +1892,7 @@ Use these links to navigate to a particular top-level stanza.
- `resources` ((#v-ingressgateways-defaults-resources)) (`map`) - Resource limits for all ingress gateway pods - `resources` ((#v-ingressgateways-defaults-resources)) (`map`) - Resource limits for all ingress gateway pods
- `initCopyConsulContainer` ((#v-ingressgateways-defaults-initcopyconsulcontainer)) (`map`) - Resource settings for the `copy-consul-bin` init container. - `initCopyConsulContainer` ((#v-ingressgateways-defaults-initcopyconsulcontainer)) (`map`) - The resource settings for the `copy-consul-bin` init container.
- `affinity` ((#v-ingressgateways-defaults-affinity)) (`string`) - By default, we set an anti-affinity so that two of the same gateway pods - `affinity` ((#v-ingressgateways-defaults-affinity)) (`string`) - By default, we set an anti-affinity so that two of the same gateway pods
won't be on the same node. NOTE: Gateways require that Consul client agents are won't be on the same node. NOTE: Gateways require that Consul client agents are
@ -1919,7 +1965,7 @@ Use these links to navigate to a particular top-level stanza.
- `resources` ((#v-terminatinggateways-defaults-resources)) (`map`) - Resource limits for all terminating gateway pods - `resources` ((#v-terminatinggateways-defaults-resources)) (`map`) - Resource limits for all terminating gateway pods
- `initCopyConsulContainer` ((#v-terminatinggateways-defaults-initcopyconsulcontainer)) (`map`) - Resource settings for the `copy-consul-bin` init container. - `initCopyConsulContainer` ((#v-terminatinggateways-defaults-initcopyconsulcontainer)) (`map`) - The resource settings for the `copy-consul-bin` init container.
- `affinity` ((#v-terminatinggateways-defaults-affinity)) (`string`) - By default, we set an anti-affinity so that two of the same gateway pods - `affinity` ((#v-terminatinggateways-defaults-affinity)) (`string`) - By default, we set an anti-affinity so that two of the same gateway pods
won't be on the same node. NOTE: Gateways require that Consul client agents are won't be on the same node. NOTE: Gateways require that Consul client agents are
@ -2069,6 +2115,10 @@ Use these links to navigate to a particular top-level stanza.
"annotation-key": "annotation-value" "annotation-key": "annotation-value"
``` ```
- `resources` ((#v-apigateway-resources)) (`map`) - The resource settings for api gateway pods.
- `initCopyConsulContainer` ((#v-apigateway-initcopyconsulcontainer)) (`map`) - The resource settings for the `copy-consul-bin` init container.
### webhookCertManager ### webhookCertManager
- `webhookCertManager` ((#v-webhookcertmanager)) - Configuration settings for the webhook-cert-manager - `webhookCertManager` ((#v-webhookcertmanager)) - Configuration settings for the webhook-cert-manager
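Review bot: the two new `apiGateway` entries write "api gateway pods" in lower case; "API" is an acronym and should be capitalised ("API gateway pods"). Also, the `resources` description here ("The resource settings for api gateway pods") uses a different phrasing from the unchanged `ingressGateways.defaults.resources` and `terminatingGateways.defaults.resources` entries above ("Resource limits for all ... gateway pods"); since this PR is already normalising the "Resource settings" wording across stanzas, pick one phrasing for all gateway `resources` keys so the generated reference reads consistently.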