update docs (#11784)

This commit is contained in:
Ashwin Venkatesh 2021-12-08 21:21:46 -05:00 committed by GitHub
parent 5f5720837b
commit b71fff9f1c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 138 additions and 26 deletions

View File

@ -131,25 +131,117 @@ Use these links to navigate to a particular top-level stanza.
- `enablePodSecurityPolicies` ((#v-global-enablepodsecuritypolicies)) (`boolean: false`) - Controls whether pod security policies are created for the Consul components
created by this chart. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/.
- `gossipEncryption` ((#v-global-gossipencryption)) - Configures Consul's gossip encryption key, set as a Kubernetes secret
- `secretsBackend` ((#v-global-secretsbackend)) - secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation.
The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled
and have necessary secrets, policies and roles created prior to installing Consul.
See https://www.consul.io/docs/k8s/installation/vault for full instructions.
The Vault cluster *must* not have the Consul cluster installed by this Helm chart as its storage backend
as that would cause a circular dependency.
It can have Consul as its storage backend as long as that Consul cluster is not running on this Kubernetes cluster
and is being managed separately from this Helm installation.
Note: When using Vault KV2 secrets engines the "data" field is implicitly required for Vault API calls,
secretName should be in the form of "vault-kv2-mount-path/data/secret-name".
secretKey should be in the form of "key".
- `vault` ((#v-global-secretsbackend-vault))
- `enabled` ((#v-global-secretsbackend-vault-enabled)) (`boolean: false`) - Enabling the Vault secrets backend will replace Kubernetes secrets with referenced Vault secrets.
- `consulServerRole` ((#v-global-secretsbackend-vault-consulserverrole)) (`string: ""`) - The Vault role for the Consul server.
The role must be connected to the Consul server's service account and
have a policy with read capabilities for the following secrets:
- gossip encryption key defined by `global.gossipEncryption.secretName`.
To discover the service account name of the Consul server, run
```
helm template -s templates/server-serviceaccount.yaml <release-name> hashicorp/consul
```
and check the name of `metadata.name`.
- `consulClientRole` ((#v-global-secretsbackend-vault-consulclientrole)) (`string: ""`) - The Vault role for the Consul client.
The role must be connected to the Consul client's service account and
have a policy with read capabilities for the following secrets:
- gossip encryption key defined by `global.gossipEncryption.secretName`.
To discover the service account name of the Consul server, run
```
helm template -s templates/client-daemonset.yaml <release-name> charts/consul
```
and check the name of `metadata.name`.
- `consulCARole` ((#v-global-secretsbackend-vault-consulcarole)) (`string: ""`) - The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated).
The role should be connected to the service accounts of all Consul components, or alternatively `*` since it
will be used only against the `pki/cert/ca` endpoint which is unauthenticated. A policy must be created which grants
read capabilities to `global.tls.caCert.secretName`, which is usually `pki/cert/ca`.
- `ca` ((#v-global-secretsbackend-vault-ca)) - Configuration for Vault server CA certificate. This certificate will be mounted
to any pod where Vault agent needs to run.
- `secretName` ((#v-global-secretsbackend-vault-ca-secretname)) (`string: ""`) - secretName is the name of the Kubernetes secret that holds the Vault CA certificate.
A Kubernetes secret must be in the same namespace that Consul is installed into.
- `secretKey` ((#v-global-secretsbackend-vault-ca-secretkey)) (`string: ""`) - secretKey is the key within the Kubernetes secret that holds the Vault CA certificate.
- `connectCA` ((#v-global-secretsbackend-vault-connectca)) - Configuration for the Vault Connect CA provider.
The provider will be configured to use the Vault Kubernetes auth method
and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole`
to have permissions to the root and intermediate PKI paths.
Please see https://www.consul.io/docs/connect/ca/vault#vault-acl-policies
for information on how to configure the Vault policies.
- `address` ((#v-global-secretsbackend-vault-connectca-address)) (`string: ""`) - The address of the Vault server.
- `rootPKIPath` ((#v-global-secretsbackend-vault-connectca-rootpkipath)) (`string: ""`) - The path to a PKI secrets engine for the root certificate.
Please see https://www.consul.io/docs/connect/ca/vault#rootpkipath.
- `intermediatePKIPath` ((#v-global-secretsbackend-vault-connectca-intermediatepkipath)) (`string: ""`) - The path to a PKI secrets engine for the generated intermediate certificate.
Please see https://www.consul.io/docs/connect/ca/vault#intermediatepkipath.
- `additionalConfig` ((#v-global-secretsbackend-vault-connectca-additionalconfig)) (`string: {}`) - Additional Connect CA configuration in JSON format.
Please see https://www.consul.io/docs/connect/ca/vault#common-ca-config-options
for additional configuration options.
Example:
```yaml
additionalConfig: |
{
"connect": [{
"ca_config": [{
"leaf_cert_ttl": "36h"
}]
}]
}
```
- `gossipEncryption` ((#v-global-gossipencryption)) - Configures Consul's gossip encryption key.
(see `-encrypt` (https://consul.io/docs/agent/options#_encrypt)).
By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually.
The recommended method is to automatically generate the key.
To automatically generate and set a gossip encryption key, set autoGenerate to true.
Values for secretName and secretKey should not be set if autoGenerate is true.
To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate
a Kubernetes secret referencing these values.
a key, saving this as a Kubernetes secret or Vault secret path and key.
If `global.secretsBackend.vault.enabled=true`, be sure to add the "data" component of the secretName path as required by
the Vault KV-2 secrets engine [see example].
```
$ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen)
```
Vault CLI Example:
```
$ vault kv put consul/secrets/gossip key=$(consul keygen)
```
`gossipEncryption.secretName="consul/data/secrets/gossip"`
`gossipEncryption.secretKey="key"`
- `autoGenerate` ((#v-global-gossipencryption-autogenerate)) (`boolean: false`) - Automatically generate a gossip encryption key and save it to a Kubernetes secret.
- `secretName` ((#v-global-gossipencryption-secretname)) (`string: ""`) - secretName is the name of the Kubernetes secret that holds the gossip
encryption key. The secret must be in the same namespace that Consul is installed into.
- `secretName` ((#v-global-gossipencryption-secretname)) (`string: ""`) - secretName is the name of the Kubernetes secret or Vault secret path that holds the gossip
encryption key. A Kubernetes secret must be in the same namespace that Consul is installed into.
- `secretKey` ((#v-global-gossipencryption-secretkey)) (`string: ""`) - secretKey is the key within the Kubernetes secret that holds the gossip
- `secretKey` ((#v-global-gossipencryption-secretkey)) (`string: ""`) - secretKey is the key within the Kubernetes secret or Vault secret key that holds the gossip
encryption key.
- `recursors` ((#v-global-recursors)) (`array<string>: []`) - A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries.
@ -186,15 +278,19 @@ Use these links to navigate to a particular top-level stanza.
- `httpsOnly` ((#v-global-tls-httpsonly)) (`boolean: true`) - If true, the Helm chart will configure Consul to disable the HTTP port on
both clients and servers and to only accept HTTPS connections.
- `caCert` ((#v-global-tls-cacert)) - A Kubernetes secret containing the certificate of the CA to use for
TLS communication within the Consul cluster. If you have generated the CA yourself
with the consul CLI, you could use the following command to create the secret
- `caCert` ((#v-global-tls-cacert)) - A secret containing the certificate of the CA to use for TLS communication within the Consul cluster.
If you have generated the CA yourself with the consul CLI, you could use the following command to create the secret
in Kubernetes:
```bash
kubectl create secret generic consul-ca-cert \
--from-file='tls.crt=./consul-agent-ca.pem'
```
If you are using Vault as a secrets backend with TLS, `caCert.secretName` must be provided and should reference
the CA path for your PKI secrets engine. This should be of the form `pki/cert/ca` where `pki` is the mount point of your PKI secrets engine.
A read policy must be created and associated with the CA cert path for `global.tls.caCert.secretName`.
This will be consumed by the `global.secretsBackend.vault.consulCARole` role by all Consul components.
When using Vault the secretKey is not used.
- `secretName` ((#v-global-tls-cacert-secretname)) (`string: null`) - The name of the Kubernetes secret.
@ -257,6 +353,20 @@ Use these links to navigate to a particular top-level stanza.
- `secretKey` ((#v-global-acls-replicationtoken-secretkey)) (`string: null`) - The key of the Kubernetes secret.
- `enterpriseLicense` ((#v-global-enterpriselicense)) - <EnterpriseAlert inline /> This value refers to a Kubernetes secret that you have created
that contains your enterprise license. It is required if you are using an
enterprise binary. Defining it here applies it to your cluster once a leader
has been elected. If you are not using an enterprise image or if you plan to
introduce the license key via another route, then set these fields to null.
Note: the job to apply license runs on both Helm installs and upgrades.
- `secretName` ((#v-global-enterpriselicense-secretname)) (`string: null`) - The name of the Kubernetes secret that holds the enterprise license.
The secret must be in the same namespace that Consul is installed into.
- `secretKey` ((#v-global-enterpriselicense-secretkey)) (`string: null`) - The key within the Kubernetes secret that holds the enterprise license.
- `enableLicenseAutoload` ((#v-global-enterpriselicense-enablelicenseautoload)) (`boolean: true`) - Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+.
- `federation` ((#v-global-federation)) - Configure federation.
- `enabled` ((#v-global-federation-enabled)) (`boolean: false`) - If enabled, this datacenter will be federation-capable. Only federation
@ -329,24 +439,11 @@ Use these links to navigate to a particular top-level stanza.
were joined into the same datacenter and each cluster ran a certain number
of servers.
- `enterpriseLicense` ((#v-server-enterpriselicense)) - <EnterpriseAlert inline /> This value refers to a Kubernetes secret that you have created
that contains your enterprise license. It is required if you are using an
enterprise binary. Defining it here applies it to your cluster once a leader
has been elected. If you are not using an enterprise image or if you plan to
introduce the license key via another route, then set these fields to null.
Note: the job to apply license runs on both Helm installs and upgrades.
- `secretName` ((#v-server-enterpriselicense-secretname)) (`string: null`) - The name of the Kubernetes secret that holds the enterprise license.
The secret must be in the same namespace that Consul is installed into.
- `secretKey` ((#v-server-enterpriselicense-secretkey)) (`string: null`) - The key within the Kubernetes secret that holds the enterprise license.
- `enableLicenseAutoload` ((#v-server-enterpriselicense-enablelicenseautoload)) (`boolean: true`) - Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+.
- `serverCert` ((#v-server-servercert)) - A Kubernetes secret containing a certificate & key for the server agents to use
- `serverCert` ((#v-server-servercert)) - A secret containing a certificate & key for the server agents to use
for TLS communication within the Consul cluster. Cert needs to be provided with
additional DNS name SANs so that it will work within the Kubernetes cluster:
Kubernetes Secrets backend:
```bash
consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \
-key=consul-agent-ca-key.pem -dc={{datacenter}} \
@ -358,8 +455,7 @@ Use these links to navigate to a particular top-level stanza.
-additional-dnsname="server.{{datacenter}}.{{domain}}"
```
If you have generated the
server-cert yourself with the consul CLI, you could use the following command
If you have generated the server-cert yourself with the consul CLI, you could use the following command
to create the secret in Kubernetes:
```bash
@ -368,7 +464,15 @@ Use these links to navigate to a particular top-level stanza.
--from-file='tls.key=./dc1-server-consul-0-key.pem'
```
- `secretName` ((#v-server-servercert-secretname)) (`string: null`) - The name of the Kubernetes secret.
Vault Secrets backend:
If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]`
capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`.
Please see the following guide for steps to generate a compatible certificate:
https://learn.hashicorp.com/tutorials/consul/vault-pki-consul-secure-tls
Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine
must be provided.
- `secretName` ((#v-server-servercert-secretname)) (`string: null`) - The name of the Kubernetes secret or Vault secret path containing the PEM encoded server certificate.
- `exposeGossipAndRPCPorts` ((#v-server-exposegossipandrpcports)) (`boolean: false`) - Exposes the servers' gossip and RPC ports as hostPorts. To enable a client
agent outside of the k8s cluster to join the datacenter, you would need to
@ -403,6 +507,8 @@ Use these links to navigate to a particular top-level stanza.
storage classes, the PersistentVolumeClaims would need to be manually created.
A `null` value will use the Kubernetes cluster's default StorageClass. If a default
StorageClass does not exist, you will need to create one.
See https://www.consul.io/docs/install/performance#read-write-tuning for considerations around choosing a
performant storage class.
- `connect` ((#v-server-connect)) (`boolean: true`) - This will enable/disable Connect (https://consul.io/docs/connect). Setting this to true
_will not_ automatically secure pod communication, this
@ -934,6 +1040,10 @@ Use these links to navigate to a particular top-level stanza.
- `enabled` ((#v-dns-enabled)) (`boolean: -`)
- `enableRedirection` ((#v-dns-enableredirection)) (`boolean: false`) - If true, services using Consul Connect will use Consul DNS
for default DNS resolution. The DNS lookups fall back to the nameserver IPs
listed in /etc/resolv.conf if not found in Consul.
- `type` ((#v-dns-type)) (`string: ClusterIP`) - Used to control the type of service created. For
example, setting this to "LoadBalancer" will create an external load
balancer (for supported K8S installations)
@ -1003,6 +1113,8 @@ Use these links to navigate to a particular top-level stanza.
- `enabled` ((#v-ui-ingress-enabled)) (`boolean: false`) - This will create an Ingress resource for the Consul UI.
- `ingressClassName` ((#v-ui-ingress-ingressclassname)) (`string: ""`) - Optionally set the ingressClassName.
- `pathType` ((#v-ui-ingress-pathtype)) (`string: Prefix`) - pathType override - see: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
- `hosts` ((#v-ui-ingress-hosts)) (`array<map>`) - hosts is a list of host name to create Ingress rules.