From 74bd138bae2ae6e4350c8841e761a14bfc9614e8 Mon Sep 17 00:00:00 2001 From: Iryna Shustava Date: Tue, 7 Apr 2020 14:41:16 -0700 Subject: [PATCH] docs: Add Helm docs for auto-encrypt and external servers (#7595) * docs: Add Helm docs for auto-encrypt and external servers --- website/source/docs/platform/k8s/helm.html.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/website/source/docs/platform/k8s/helm.html.md b/website/source/docs/platform/k8s/helm.html.md index 3ab6c6ffba..9d6a3c8ffa 100644 --- a/website/source/docs/platform/k8s/helm.html.md +++ b/website/source/docs/platform/k8s/helm.html.md 
@@ -70,10 +70,12 @@ and consider if they're appropriate for your deployment. * `manageSystemACLs` (`boolean: false`) - If true, the Helm chart will automatically manage ACL tokens and policies for all Consul and consul-k8s components. This requires servers to be running inside Kubernetes. Additionally requires Consul >= 1.4 and consul-k8s >= 0.10.1. - * `tls` - Enables TLS [encryption](https://learn.hashicorp.com/consul/security-networking/agent-encryption) across the cluster to verify authenticity of the Consul servers and clients. Requires Consul v1.4.1+ and consul-k8s v0.16.2+ + * `tls` - Enables TLS [encryption](https://learn.hashicorp.com/consul/security-networking/agent-encryption) across the cluster to verify authenticity of the Consul servers and clients. Requires Consul v1.4.1+ and consul-k8s v0.16.2+. * `enabled` (`boolean: false`) - If true, the Helm chart will enable TLS for Consul servers and clients and all consul-k8s components, as well as generate certificate authority (optional) and server and client certificates. + * `enableAutoEncrypt` (`boolean: false`) - If true, turns on the auto-encrypt feature on clients and servers. It also switches consul-k8s components to retrieve the CA from the servers via the API. Requires Consul 1.7.1+ and consul-k8s 0.13.0+. + * `serverAdditionalDNSSANs` (`array: []`) - A list of additional DNS names to set as Subject Alternative Names (SANs) in the server certificate. This is useful when you need to access the Consul server(s) externally, for example, if you're using the UI. * `serverAdditionalIPSANs` (`array: []`) - A list of additional IP addresses to set as Subject Alternative Names (SANs) in the server certificate. This is useful when you need to access the Consul server(s) externally, for example, if you're using the UI. 
@@ -234,6 +236,19 @@ and consider if they're appropriate for your deployment. annotations: | "annotation-key": "annotation-value" ``` +* `externalServers` - Configuration for Consul servers running externally. This information is required if Consul servers are running outside of Kubernetes and you’re setting `global.tls.enableAutoEncrypt` to `true`. + + * `enabled` (`boolean: false`) - If true, the chart will talk to external servers configured here. + + * `https` - HTTPS configuration for external servers. Note: HTTP connections to the servers are not supported. + + * `address` (`string: null`) - IP, DNS name, or [cloud auto-join](https://www.consul.io/docs/agent/cloud-auto-join.html) string pointing to the external Consul servers. Note that if you’re providing the cloud auto-join string and multiple addresses can be returned, only the first address will be used. This value is required only if you would like to use a different server address from the one specified in the `client.join` property. + + * `port` (`integer: 443`) - The HTTPS port of the server. + + * `tlsServerName` (`string: null`) - The server name to use as the SNI host header when connecting with HTTPS. This property is useful in case `externalServers.https.address` is not or can not be included in the server certificate’s SANs. + + * `useSystemRoots` (`boolean: false`) - If true, the Helm chart will ignore the CA set in `global.tls.caCert` or generated by the `tls-init` job and will rely on the container's system CAs for TLS verification when talking to Consul servers. * `client` - Values that configure running a Consul client on Kubernetes nodes.
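Review bot: In the first hunk (`global.tls`), the new `enableAutoEncrypt` entry states a consul-k8s minimum of 0.13.0+, while the parent `tls` entry directly above it requires consul-k8s v0.16.2+, so the reader cannot tell which minimum applies once TLS is on. Suggest stating the effective minimum for the combination and writing the versions in the parent's style (`v1.4.1+` rather than `1.7.1+`). The entry also does not say whether `enableAutoEncrypt` does anything when `tls.enabled` is false. Because it is nested under `tls`, one sentence on that dependency would remove the ambiguity.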
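Review bot: In the second hunk (`externalServers.https`), the `useSystemRoots` entry says the chart will ignore `global.tls.caCert` and the CA generated by `tls-init`, but it does not say when that is the right choice. Suggest adding that it is meant for external servers whose certificates chain to a CA already in the container's system trust store, since a reader who sets it alongside a private CA has no hint from this text why verification would stop working. In the `tlsServerName` entry, "SNI host header" conflates the TLS SNI extension with the HTTP Host header. Suggest "the server name to use for SNI" and a statement on whether the server certificate is verified against this name, because the entry is aimed at the case where the address is not in the certificate's SANs. Minor: the added lines mix typographic and straight apostrophes ("you’re", "certificate’s" vs "container's").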