Helm docs for k8s mesh gateways and federation

This commit is contained in:
Luke Kysow 2020-05-20 13:43:06 -07:00
parent 3dd8b66aa2
commit 6409c488ee
No known key found for this signature in database
GPG Key ID: FA168D4DC3F04307

View File

@ -41,7 +41,7 @@ and consider if they're appropriate for your deployment.
- `imageK8S` ((#v-global-imagek8s)) (`string: "hashicorp/consul-k8s:<latest version>"`) - The name (and tag) of the [consul-k8s](https://github.com/hashicorp/consul-k8s) Docker image that is used for functionality such the catalog sync. This can be overridden per component.
Note: support for the catalog sync's liveness and readiness probes was added to consul-k8s 0.6.0. If using an older consul-k8s version, you may need to remove these checks to make sync work. If using mesh gateways and bootstrapACLs then must be >= 0.9.0.
Note: support for the catalog sync's liveness and readiness probes was added to consul-k8s 0.6.0. If using an older consul-k8s version, you may need to remove these checks to make sync work. If using mesh gateways and global.acls.manageSystemACLs then must be >= 0.9.0.
- `datacenter` ((#v-global-datacenter)) (`string: "dc1"`) - The name of the datacenter that the agents should
register as. This can't be changed once the Consul cluster is up and running since Consul
@ -95,6 +95,41 @@ and consider if they're appropriate for your deployment.
- `secretKey` ((#v-global-acls-bootstraptoken-secretkey)) (`string: null`) - The key of the Kubernetes secret.
- `createReplicationToken` ((#v-global-acls-createreplicationtoken)) (`boolean: false`) - If true, an ACL token will be created that can be used in secondary
datacenters for replication. This should only be set to true in the
primary datacenter since the replication token must be created from that
datacenter.
In secondary datacenters, the secret needs to be imported from the primary
datacenter and referenced via `global.acls.replicationToken`.
Requires consul-k8s >= 0.13.0.
- `replicationToken` ((#v-global-acls-replicationtoken)) - replicationToken references a secret containing the replication ACL token.
This token will be used by secondary datacenters to perform ACL replication
and create ACL tokens and policies.
This value is ignored if `bootstrapToken` is also set.
Requires consul-k8s >= 0.13.0.
- `secretName` ((#v-global-acls-replicationtoken-secretname)) (`string: null`) - The name of the Kubernetes secret.
- `secretKey` ((#v-global-acls-replicationtoken-secretkey)) (`string: null`) - The key of the Kubernetes secret.
- `federation` ((#v-global-federation)) - Configure federation.
- `enabled` ((#v-global-federation-enabled)) (`boolean: false`) - **Experimental: Currently this is only available in Consul 1.8.0.**
If enabled, this datacenter will be federation-capable. Only federation
via mesh gateways is supported.
Mesh gateways and servers will be configured to allow federation.
Requires `global.tls.enabled`, `meshGateway.enabled` and `connectInject.enabled`
to be true.
- `createFederationSecret` ((#v-global-federation-createfederationsecret)) (`boolean: false`) - If true, the chart will create a Kubernetes secret that can be imported
into secondary datacenters so they can federate with this datacenter. The
secret contains all the information secondary datacenters need to contact
and authenticate with this datacenter. This should only be set to true
in your primary datacenter. The secret name is
`<global.name>-federation` (if setting `global.name`), otherwise
`<helm-release-name>-consul-federation`. Requires consul-k8s 0.15.0+.
- `tls` ((#v-global-tls)) - Enables TLS [encryption](https://learn.hashicorp.com/consul/security-networking/agent-encryption) across the cluster to verify authenticity of the Consul servers and clients. Requires Consul v1.4.1+ and consul-k8s v0.16.2+
- `enabled` ((#v-global-tls-enabled)) (`boolean: false`) - If true, the Helm chart will enable TLS for Consul
@ -730,9 +765,118 @@ and consider if they're appropriate for your deployment.
}
```
- `meshGateway` ((#v-meshgateway)) - Configure mesh gateways.
- `enabled` ((#v-meshgateway-enabled)) (`boolean: true`) - If mesh gateways are enabled, a Deployment will be created that runs
gateways and Consul Connect will be configured to use gateways.
See [mesh gateway docs](https://www.consul.io/docs/connect/mesh_gateway.html).
Requirements: Consul 1.6.0+ and consul-k8s 0.15.0+ if using
`global.acls.manageSystemACLs`.
- `globalMode` ((#v-meshgateway-globalmode)) (`string: "local"`) - Globally configure which mode the gateway should run in.
Can be set to either `"remote"`, `"local"`, `"none"` or `""` or `null`.
See [mesh gateway modes of operation](https://consul.io/docs/connect/mesh_gateway.html#modes-of-operation) for
a description of each mode.
If set to anything other than `""` or `null`, `connectInject.centralConfig.enabled`
should be set to true so that the global config will actually be used.
If set to the empty string, no global default will be set and the gateway mode
will need to be set individually for each service.
- `replicas` ((#v-meshgateway-replicas)) (`int: 2`) - Number of replicas for the Deployment.
- `wanAddress` ((#v-meshgateway-wanaddress)) - What gets registered as WAN (wide area network) address for the gateway.
- `source` ((#v-meshgateway-wanaddress-source)) (`string: "Service"`) - source configures where to retrieve the WAN address (and possibly port)
for the mesh gateway from.
Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. See the behavior of each below:
* `Service` - Determine the address based on the service type.
If `service.type=LoadBalancer` use the external IP or hostname of
the service. Use the port set by `service.port`.
If `service.type=NodePort` use the Node IP. The port will be set to
`service.nodePort` so `service.nodePort` cannot be null.
If `service.type=ClusterIP` use the ClusterIP. The port will be set to
`service.port`.
`service.type=ExternalName` is not supported.
* `NodeIP` - The node IP as provided by the Kubernetes downward API.
* `NodeName` - The name of the node as provided by the Kubernetes downward
API. This is useful if the node names are DNS entries that
are routable from other datacenters.
* `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`.
- `port` ((#v-meshgateway-wanaddress-port)) (`int: 443`) - Port that gets registered for WAN traffic.
If source is set to "Service" then this setting will have no effect.
See the documentation for `source` as to which port will be used in that
case.
- `static` ((#v-meshgateway-wanaddress-static)) (`string: ""`) - If source is set to "Static" then this value will be used as the WAN
address of the mesh gateways. This is useful if you've configured a
DNS entry to point to your mesh gateways.
- `service` ((#v-meshgateway-service)) - The service option configures the Service that fronts the Gateway Deployment.
- `enabled` ((#v-meshgateway-service-enabled)) (`bool: true`) - Whether to create a Service or not.
- `type` ((#v-meshgateway-service-type)) (`string: "LoadBalancer"`) - Type of service, ex. LoadBalancer, ClusterIP.
- `port` ((#v-meshgateway-service-port)) (`int: 443`) - Port that the service will be exposed on.
The `targetPort` will be set to `meshGateway.containerPort`.
- `nodePort` ((#v-meshgateway-service-nodeport)) (`int: null`) - Optionally hardcode the `nodePort` of the service if using a NodePort service.
If not set and using a NodePort service, Kubernetes will automatically assign a port.
- `annotations` ((#v-meshgateway-service-annotations)) (`string: null`) - Annotations to apply to the mesh gateway service.
```yaml
annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
```
- `additionalspec` ((#v-meshgateway-service-additionalspec)) (`string: null`) - Optional YAML string that will be appended to the Service spec.
- `imageEnvoy` ((#v-meshgateway-imageenvoy)) (`string: "envoyproxy/envoy:v1.13.0"`) - Envoy image to use. For Consul v1.7+, Envoy version 1.13+ is required.
- `hostNetwork` ((#v-meshgateway-hostnetwork)) (`bool: false`) - If set to true, gateway Pods will run on the host network.
- `dnsPolicy` ((#v-meshgateway-dnspolicy)) (`string: null`) - `dnsPolicy` to use.
- `consulServiceName` ((#v-meshgateway-consulservicename)) (`string: "mesh-gateway"`) - Consul service name for the mesh gateways.
Cannot be set to anything other than `"mesh-gateway"` if `global.acls.manageSystemACLs` is true since the ACL token
generated is only for the name "mesh-gateway".
- `containerPort` ((#v-meshgateway-containerPort)) (`int: 8443`) - Port that the gateway will run on inside the container.
- `hostPort` ((#v-meshgateway-hostport)) (`int: null`) - Optional `hostPort` for the gateway to be exposed on.
This can be used with `wanAddress.port` and `wanAddress.useNodeIP`
to expose the gateways directly from the node.
If `hostNetwork=true`, this must be `null` or set to the same port as
`containerPort`.
**NOTE:** Cannot set to 8500 or 8502 because those are reserved for the Consul
agent.
- `resources` ((#v-meshgateway-resources)) (`string`) - Resources for gateway pods. See values file for default.
- `affinity` ((#v-meshgateway-affinity)) (`string`) - Affinity setting for gateway pods. See values file for default.
- `tolerations` ((#v-meshgateway-tolerations)) (`string: null`) - Optional YAML string to specify tolerations.
- `nodeSelector` ((#v-meshgateway-nodeselector)) (`string: null`) - Optional YAML string to specify nodeSelector config.
- `priorityClassName` ((#v-meshgateway-priorityclassname)) (`string: """`) - Optional priorityClassName.
- `annotations` ((#v-meshgateway-annotations)) (`string: null`) - Annotations for the mesh gateway deployment.
- `tests` ((#v-tests)) - Control whether to enable a test for this Helm chart.
- `enabled` ((#v-tests-enabled)) (`boolean: true`) If true, the test Pod manifest will be generated
- `enabled` ((#v-tests-enabled)) (`boolean: true`) - If true, the test Pod manifest will be generated
to be used as a Helm test. The pod will be created when a `helm test` command is executed.
## Helm Chart Examples