docs: Add Helm docs for auto-encrypt and external servers (#7595)

* docs: Add Helm docs for auto-encrypt and external servers
This commit is contained in:
Iryna Shustava 2020-04-07 14:41:16 -07:00 committed by GitHub
parent c03e314c16
commit 74bd138bae
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 1 deletions

View File

@ -70,10 +70,12 @@ and consider if they're appropriate for your deployment.
* <a name="v-global-acls-managesystemacls" href="#v-global-acls-managesystemacls">`manageSystemACLs`</a> (`boolean: false`) - If true, the Helm chart will automatically manage ACL tokens and policies for all Consul and consul-k8s components. This requires servers to be running inside Kubernetes. Additionally requires Consul >= 1.4 and consul-k8s >= 0.10.1.
* <a name="v-global-tls" href="#v-global-tls">`tls`</a> - Enables TLS [encryption](https://learn.hashicorp.com/consul/security-networking/agent-encryption) across the cluster to verify authenticity of the Consul servers and clients. Requires Consul v1.4.1+ and consul-k8s v0.16.2+
* <a name="v-global-tls" href="#v-global-tls">`tls`</a> - Enables TLS [encryption](https://learn.hashicorp.com/consul/security-networking/agent-encryption) across the cluster to verify authenticity of the Consul servers and clients. Requires Consul v1.4.1+ and consul-k8s v0.16.2+.
* <a name="v-global-tls-enabled" href="#v-global-enabled">`enabled`</a> (`boolean: false`) - If true, the Helm chart will enable TLS for Consul servers and clients and all consul-k8s components, as well as generate certificate authority (optional) and server and client certificates.
* <a name="v-global-tls-enableautoencrypt" href="#v-global-enableautoencrypt">`enableAutoEncrypt`</a> (`boolean: false`) - If true, turns on the auto-encrypt feature on clients and servers. It also switches consul-k8s components to retrieve the CA from the servers via the API. Requires Consul 1.7.1+ and consul-k8s 0.13.0+.
* <a name="v-global-tls-serveradditionaldnsssans" href="#v-global-serveradditionaldnsssans">`serverAdditionalDNSSANs`</a> (`array<string>: []`) - A list of additional DNS names to set as Subject Alternative Names (SANs) in the server certificate. This is useful when you need to access the Consul server(s) externally, for example, if you're using the UI.
* <a name="v-global-tls-serveradditionalipsans" href="#v-global-serveradditionalipsans">`serverAdditionalIPSANs`</a> (`array<string>: []`) - A list of additional IP addresses to set as Subject Alternative Names (SANs) in the server certificate. This is useful when you need to access the Consul server(s) externally, for example, if you're using the UI.
@ -234,6 +236,19 @@ and consider if they're appropriate for your deployment.
annotations: |
"annotation-key": "annotation-value"
```
* <a name="v-externalservers" href="#v-externalservers">`externalServers`</a> - Configuration for Consul servers running externally. This information is required if Consul servers are running outside of Kubernetes and youre setting `global.tls.enableAutoEncrypt` to `true`.
* <a name="v-externalservers-enabled" href="#v-externalservers-enabled">`enabled`</a> (`boolean: false`) - If true, the chart will talk to external servers configured here.
* <a name="v-externalservers-https" href="#v-externalservers-https">`https`</a> - HTTPS configuration for external servers. Note: HTTP connections to the servers are not supported.
* <a name="v-externalservers-address" href="#v-externalservers-address">`address`</a> (`string: null`) - IP, DNS name, or [cloud auto-join](https://www.consul.io/docs/agent/cloud-auto-join.html) string pointing to the external Consul servers. Note that if youre providing the cloud auto-join string and multiple addresses can be returned, only the first address will be used. This value is required only if you would like to use a different server address from the one specified in the `client.join` property.
* <a name="v-externalservers-port" href="#v-externalservers-port">`port`</a> (`integer: 443`) - The HTTPS port of the server.
* <a name="v-externalservers-tlsservername" href="#v-externalservers-tlsservername">`tlsServerName`</a> (`string: null`) - The server name to use as the SNI host header when connecting with HTTPS. This property is useful in case `externalServers.https.address` is not or can not be included in the server certificates SANs.
* <a name="v-externalservers-usesystemroots" href="#v-externalservers-usesystemroots">`useSystemRoots`</a> (`boolean: false`) - If true, the Helm chart will ignore the CA set in `global.tls.caCert` or generated by the `tls-init` job and will rely on the container's system CAs for TLS verification when talking to Consul servers.
* <a name="v-client" href="#v-client">`client`</a> - Values that configure running a Consul client on Kubernetes nodes.