`
hostname. By default, this is false, and Consul does not verify the hostname
@@ -2369,7 +1851,7 @@ to the old fragment -->
[CVE-2018-19653](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19653)
for more details. For those versions you **must also set `verify_outgoing = true`** to ensure encrypted RPC connections.
-* `watches` - Watches is a list of watch specifications which
+- `watches` - Watches is a list of watch specifications which
allow an external process to be automatically invoked when a particular data view
is updated. See the [watch documentation](/docs/agent/watches.html) for more detail.
Watches can be modified when the configuration is reloaded.
diff --git a/website/pages/docs/agent/watches.mdx b/website/pages/docs/agent/watches.mdx
index 02ee2e9901..0a10435d8b 100644
--- a/website/pages/docs/agent/watches.mdx
+++ b/website/pages/docs/agent/watches.mdx
@@ -54,7 +54,7 @@ Anything written to stdout is logged.
Here is an example configuration, where `handler_type` is optionally set to
`script`:
-```javascript
+```json
{
"type": "key",
"key": "foo/bar/baz",
@@ -82,15 +82,15 @@ always sent as a JSON payload.
Here is an example configuration:
-```javascript
+```json
{
"type": "key",
"key": "foo/bar/baz",
"handler_type": "http",
"http_handler_config": {
- "path":"https://localhost:8000/watch",
+ "path": "https://localhost:8000/watch",
"method": "POST",
- "header": {"x-foo":["bar", "baz"]},
+ "header": { "x-foo": ["bar", "baz"] },
"timeout": "10s",
"tls_skip_verify": false
}
@@ -119,7 +119,7 @@ The following types are supported. Detailed documentation on each is below:
- [`checks`](#checks) - Watch the value of health checks
- [`event`](#event) - Watch for custom user events
-### Type: key
+### Type: key ((#key))
The "key" watch type is used to watch a specific key in the KV store.
It requires that the "key" parameter be specified.
@@ -138,11 +138,13 @@ Here is an example configuration:
Or, using the watch command:
- $ consul watch -type=key -key=foo/bar/baz /usr/bin/my-key-handler.sh
+```shell
+$ consul watch -type=key -key=foo/bar/baz /usr/bin/my-key-handler.sh
+```
An example of the output of this command:
-```javascript
+```json
{
"Key": "foo/bar/baz",
"CreateIndex": 1793,
@@ -154,7 +156,7 @@ An example of the output of this command:
}
```
-### Type: keyprefix
+### Type: keyprefix ((#keyprefix))
The "keyprefix" watch type is used to watch a prefix of keys in the KV store.
It requires that the "prefix" parameter be specified. This watch
@@ -165,7 +167,7 @@ This maps to the `/v1/kv/` API internally.
Here is an example configuration:
-```javascript
+```json
{
"type": "keyprefix",
"prefix": "foo/",
@@ -175,12 +177,14 @@ Here is an example configuration:
Or, using the watch command:
- $ consul watch -type=keyprefix -prefix=foo/ /usr/bin/my-prefix-handler.sh
+```shell
+$ consul watch -type=keyprefix -prefix=foo/ /usr/bin/my-prefix-handler.sh
+```
An example of the output of this command:
-```javascript
-;[
+```text
+[
{
Key: 'foo/bar',
CreateIndex: 1796,
@@ -211,7 +215,7 @@ An example of the output of this command:
]
```
-### Type: services
+### Type: services ((#services))
The "services" watch type is used to watch the list of available
services. It has no parameters.
@@ -220,7 +224,7 @@ This maps to the `/v1/catalog/services` API internally.
An example of the output of this command:
-```javascript
+```json
{
"consul": [],
"redis": [],
@@ -228,7 +232,7 @@ An example of the output of this command:
}
```
-### Type: nodes
+### Type: nodes ((#nodes))
The "nodes" watch type is used to watch the list of available
nodes. It has no parameters.
@@ -237,8 +241,8 @@ This maps to the `/v1/catalog/nodes` API internally.
An example of the output of this command:
-```javascript
-;[
+```text
+[
{
Node: 'nyc1-consul-1',
Address: '192.241.159.115',
@@ -262,11 +266,11 @@ An example of the output of this command:
{
Node: 'nyc1-worker-3',
Address: '162.243.162.229',
- },
+ }
]
```
-### Type: service
+### Type: service ((#service))
The "service" watch type is used to monitor the providers
of a single service. It requires the "service" parameter
@@ -280,7 +284,7 @@ This maps to the `/v1/health/service` API internally.
Here is an example configuration with a single tag:
-```javascript
+```json
{
"type": "service",
"service": "redis",
@@ -291,7 +295,7 @@ Here is an example configuration with a single tag:
Here is an example configuration with multiple tags:
-```javascript
+```json
{
"type": "service",
"service": "redis",
@@ -304,16 +308,20 @@ Or, using the watch command:
Single tag:
- $ consul watch -type=service -service=redis -tag=bar /usr/bin/my-service-handler.sh
+```shell
+$ consul watch -type=service -service=redis -tag=bar /usr/bin/my-service-handler.sh
+```
Multiple tag:
- $ consul watch -type=service -service=redis -tag=bar -tag=foo /usr/bin/my-service-handler.sh
+```shell
+$ consul watch -type=service -service=redis -tag=bar -tag=foo /usr/bin/my-service-handler.sh
+```
An example of the output of this command:
-```javascript
-;[
+```text
+[
{
Node: {
Node: 'foobar',
@@ -347,11 +355,11 @@ An example of the output of this command:
ServiceName: '',
},
],
- },
+ }
]
```
-### Type: checks
+### Type: checks ((#checks))
The "checks" watch type is used to monitor the checks of a given
service or those in a specific state. It optionally takes the "service"
@@ -385,11 +393,15 @@ Or, using the watch command:
State:
- $ consul watch -type=checks -state=passing /usr/bin/my-check-handler.sh -passing
+```shell
+$ consul watch -type=checks -state=passing /usr/bin/my-check-handler.sh -passing
+```
Service:
- $ consul watch -type=checks -service=redis /usr/bin/my-check-handler.sh -redis
+```shell
+$ consul watch -type=checks -service=redis /usr/bin/my-check-handler.sh -redis
+```
An example of the output of this command:
@@ -408,7 +420,7 @@ An example of the output of this command:
]
```
-### Type: event
+### Type: event ((#event))
The "event" watch type is used to monitor for custom user
events. These are fired using the [consul event](/docs/commands/event.html) command.
@@ -419,7 +431,7 @@ This maps to the `/v1/event/list` API internally.
Here is an example configuration:
-```javascript
+```json
{
"type": "event",
"name": "web-deploy",
@@ -429,11 +441,13 @@ Here is an example configuration:
Or, using the watch command:
- $ consul watch -type=event -name=web-deploy /usr/bin/my-event-handler.sh -web-deploy
+```shell
+$ consul watch -type=event -name=web-deploy /usr/bin/my-event-handler.sh -web-deploy
+```
An example of the output of this command:
-```javascript
+```json
[
{
"ID": "f07f3fcc-4b7d-3a7c-6d1e-cf414039fcee",
@@ -451,4 +465,6 @@ An example of the output of this command:
To fire a new `web-deploy` event the following could be used:
- $ consul event -name=web-deploy 1609030
+```shell
+$ consul event -name=web-deploy 1609030
+```
diff --git a/website/pages/docs/common-errors.mdx b/website/pages/docs/common-errors.mdx
index 8dd95ba8c3..d2b974fb79 100644
--- a/website/pages/docs/common-errors.mdx
+++ b/website/pages/docs/common-errors.mdx
@@ -15,7 +15,7 @@ If you are getting an error message you don't see listed on this page, please co
### Multiple network interfaces
-```
+```text
Multiple private IPv4 addresses found. Please configure one with 'bind' and/or 'advertise'.
```
@@ -25,21 +25,21 @@ Your server has multiple active network interfaces. Consul needs to know which i
### Configuration syntax errors
-```
+```text
Error parsing config.hcl: At 1:12: illegal char
```
-```
+```text
Error parsing config.hcl: At 1:32: key 'foo' expected start of object ('{') or assignment ('=')
```
-```
+```text
Error parsing server.json: invalid character '`' looking for beginning of value
```
There is a syntax error in your configuration file. If the error message doesn't identify the exact location in the file where the problem is, try using [jq] to find it, for example:
-```
+```shell
$ consul agent -server -config-file server.json
==> Error parsing server.json: invalid character '`' looking for beginning of value
$ cat server.json | jq .
@@ -48,7 +48,7 @@ parse error: Invalid numeric literal at line 3, column 29
## Invalid host name
-```
+```text
Node name "consul_client.internal" will not be discoverable via DNS due to invalid characters.
```
@@ -56,11 +56,11 @@ Add the [`node name`][node_name] option to your agent configuration and provide
## I/O timeouts
-```
+```text
Failed to join 10.0.0.99: dial tcp 10.0.0.99:8301: i/o timeout
```
-```
+```text
Failed to sync remote state: No cluster leader
```
@@ -70,7 +70,7 @@ If they are not on the same LAN, check the [`retry_join`][retry_join] settings i
## Deadline exceeded
-```
+```text
Error getting server health from "XXX": context deadline exceeded
```
@@ -78,11 +78,11 @@ These error messages indicate a general performance problem on the Consul server
## Too many open files
-```
+```text
Error accepting TCP connection: accept tcp [::]:8301: too many open files in system
```
-```
+```text
Get http://localhost:8500/: dial tcp 127.0.0.1:31643: socket: too many open files
```
@@ -100,7 +100,7 @@ This has been a [known issue](https://github.com/docker/libnetwork/issues/1204)
## ACL Not Found
-```
+```text
RPC error making call: rpc error making call: ACL not found
```
@@ -110,11 +110,11 @@ This indicates that you have ACL enabled in your cluster, but you aren't passing
### Incorrect certificate or certificate name
-```
+```text
Remote error: tls: bad certificate
```
-```
+```text
X509: certificate signed by unknown authority
```
@@ -124,11 +124,11 @@ If you generate your own certificates, make sure the server certificates include
### HTTP instead of HTTPS
-```
+```text
Error querying agent: malformed HTTP response
```
-```
+```text
Net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02"
```
@@ -140,7 +140,7 @@ If you are interacting with the API, change the URI scheme to "https".
## License warnings
-```
+```text
License: expiration time: YYYY-MM-DD HH:MM:SS -0500 EST, time left: 29m0s
```
diff --git a/website/pages/docs/connect/intentions.mdx b/website/pages/docs/connect/intentions.mdx
index a633b9fd66..5a928c0c29 100644
--- a/website/pages/docs/connect/intentions.mdx
+++ b/website/pages/docs/connect/intentions.mdx
@@ -29,9 +29,7 @@ is "deny all", then all Connect connections are denied by default.
## Intention Basics
-Intentions can be managed via the
-[API](#),
-[CLI](#),
+Intentions can be managed via the [API](#), [CLI](#),
or UI. Please see the respective documentation for each for full details
on options, flags, etc.
Below is an example of a basic intention to show the basic attributes
@@ -70,7 +68,7 @@ Arbitrary string key/value data may be associated with intentions. This
is unused by Consul but can be used by external systems or for visibility
in the UI.
-```
+```shell
$ consul intention create \
-deny \
-meta description='Hello there' \
diff --git a/website/pages/docs/connect/mesh_gateway.mdx b/website/pages/docs/connect/mesh_gateway.mdx
index c52f54d1bd..e4ed177464 100644
--- a/website/pages/docs/connect/mesh_gateway.mdx
+++ b/website/pages/docs/connect/mesh_gateway.mdx
@@ -9,10 +9,10 @@ description: >-
you can plug in a gateway of your choice.
---
--> **1.6.0+:** This feature is available in Consul versions 1.6.0 and newer.
-
# Mesh Gateways
+-> **1.6.0+:** This feature is available in Consul versions 1.6.0 and newer.
+
Mesh gateways enable routing of Connect traffic between different Consul datacenters. Those datacenters
can reside in different clouds or runtime environments where general interconnectivity between all services
in all datacenters isn't feasible. These gateways operate by sniffing the SNI header out of the Connect session
diff --git a/website/pages/docs/connect/native/index.mdx b/website/pages/docs/connect/native/index.mdx
index 54fb11e923..bd15f17551 100644
--- a/website/pages/docs/connect/native/index.mdx
+++ b/website/pages/docs/connect/native/index.mdx
@@ -43,9 +43,7 @@ An overview of the sequence is shown below. The diagram and the following
details may seem complex, but this is a _regular mutual TLS connection_ with
an API call to verify the incoming client certificate.
-
- 
-
+
Details on the steps are below:
diff --git a/website/pages/docs/connect/proxies/envoy.mdx b/website/pages/docs/connect/proxies/envoy.mdx
index c3a904a3e1..876d6430d4 100644
--- a/website/pages/docs/connect/proxies/envoy.mdx
+++ b/website/pages/docs/connect/proxies/envoy.mdx
@@ -42,8 +42,7 @@ compatible Envoy versions.
| 1.5.0, 1.5.1 | 1.9.1, 1.8.0† |
| 1.3.x, 1.4.x | 1.9.1, 1.8.0†, 1.7.0† |
-~> Note:
- † Envoy versions lower than 1.9.1 are vulnerable to
+~> **Note:** † Envoy versions lower than 1.9.1 are vulnerable to
[CVE-2019-9900](https://github.com/envoyproxy/envoy/issues/6434) and
[CVE-2019-9901](https://github.com/envoyproxy/envoy/issues/6435). Both are
related to HTTP request parsing and so only affect Consul Connect users if they
@@ -115,16 +114,15 @@ definition](/docs/connect/registration/service-registration.html) or
users can configure this property once in the [global `proxy-defaults`
configuration entry](/docs/agent/config-entries/proxy-defaults.html) for convenience. Currently, TCP is not supported.
- ~> **Note:** currently the url **must use an ip address** not a dns name due
- to the way Envoy is setup for StatsD.
-
- Users can also specify the whole parameter in the form `$ENV_VAR_NAME`, which
- will cause the `consul connect envoy` command to resolve the actual URL from
- the named environment variable when it runs. This, for example, allows each
- pod in a Kubernetes cluster to learn of a pod-specific IP address for StatsD
- when the Envoy instance is bootstrapped while still allowing global
- configuration of all proxies to use StatsD in the [global `proxy-defaults`
+ ~> **Note:** currently the url **must use an ip address** not a dns name due
+ to the way Envoy is setup for StatsD.
+ Users can also specify the whole parameter in the form `$ENV_VAR_NAME`, which
+ will cause the `consul connect envoy` command to resolve the actual URL from
+ the named environment variable when it runs. This, for example, allows each
+ pod in a Kubernetes cluster to learn of a pod-specific IP address for StatsD
+ when the Envoy instance is bootstrapped while still allowing global
+ configuration of all proxies to use StatsD in the [global `proxy-defaults`
configuration entry](/docs/agent/config-entries/proxy-defaults.html). The env variable must contain a full valid URL
value as specified above and nothing else. It is not currently possible to use
environment variables as only part of the URL.
diff --git a/website/pages/docs/guides/monitoring-telegraf.mdx b/website/pages/docs/guides/monitoring-telegraf.mdx
index d90cdc373b..402a6d059c 100644
--- a/website/pages/docs/guides/monitoring-telegraf.mdx
+++ b/website/pages/docs/guides/monitoring-telegraf.mdx
@@ -198,10 +198,7 @@ Telegraf.
Here is an example Grafana dashboard:
-
- [](/img/grafana-screenshot.png)
-
+[](/img/grafana-screenshot.png)
## Metric Aggregates and Alerting from Telegraf
diff --git a/website/pages/docs/k8s/ambassador.mdx b/website/pages/docs/k8s/ambassador.mdx
index 8c28cac6ce..1c482d8561 100644
--- a/website/pages/docs/k8s/ambassador.mdx
+++ b/website/pages/docs/k8s/ambassador.mdx
@@ -4,7 +4,7 @@ page_title: Ambassador Integration - Kubernetes
sidebar_title: 'Ambassador Integration'
sidebar_current: docs-platform-k8s-ambassador
description: |-
- Ambassador is a Kubernetes-native API gateway and ingress controller that
+ Ambassador is a Kubernetes-native API gateway and ingress controller that
integrates well with Consul Connect.
---
@@ -94,7 +94,6 @@ should display the output from the static service.
```bash
kubectl describe service ambassador
-
```
## Enabling end-to-end TLS
@@ -157,7 +156,9 @@ You should now be able to test the SSL connection from your browser.
When Ambassador is unable to establish an authenticated connection to the Connect proxy servers, browser connections will display this message:
- upstream connect error or disconnect/reset before headers
+```text
+upstream connect error or disconnect/reset before headers
+```
This error can have a number of different causes. Here are some things to check and troubleshooting steps you can take.
@@ -167,88 +168,112 @@ If you followed the above installation guide, Consul should have registered a se
To check whether Ambassador is allowed to connect, use the [`intention check`][intention-check] subcommand.
- $ consul intention check ambassador http-echo
- Allowed
+```shell
+$ consul intention check ambassador http-echo
+Allowed
+```
### Confirm upstream proxy sidecar is running
First, find the name of the pod that contains your service.
- $ kubectl get pods -l app=http-echo,role=server
- NAME READY STATUS RESTARTS AGE
- http-echo-7fb79566d6-jmccp 2/2 Running 0 1d
+```shell
+$ kubectl get pods -l app=http-echo,role=server
+NAME READY STATUS RESTARTS AGE
+http-echo-7fb79566d6-jmccp 2/2 Running 0 1d
+```
Then describe the pod to make sure that the sidecar is present and running.
- $ kubectl describe pod http-echo-7fb79566d6-jmccp
- [...]
- Containers:
- consul-connect-envoy-sidecar:
- [...]
- State: Running
- Ready: True
+```shell
+$ kubectl describe pod http-echo-7fb79566d6-jmccp
+[...]
+Containers:
+ consul-connect-envoy-sidecar:
+ [...]
+ State: Running
+ Ready: True
+```
### Start up a downstream proxy and try connecting to it
Log into one of your Consul server pods (or any pod that has a Consul binary in it).
- $ kubectl exec -ti consul-server-0 -- /bin/sh
+```shell
+$ kubectl exec -ti consul-server-0 -- /bin/sh
+```
Once inside the pod, try starting a test proxy. Use the name of your service in place of `http-echo`.
- # consul connect proxy -service=ambassador -upstream http-echo:1234
- ==> Consul Connect proxy starting...
- Configuration mode: Flags
- Service: http-echo-client
- Upstream: http-echo => :1234
- Public listener: Disabled
+```shell
+# consul connect proxy -service=ambassador -upstream http-echo:1234
+==> Consul Connect proxy starting...
+Configuration mode: Flags
+ Service: http-echo-client
+ Upstream: http-echo => :1234
+ Public listener: Disabled
+```
If the proxy starts successfully, try connecting to it. Verify the output is as you expect.
- # curl localhost:1234
- "hello world"
+```shell
+# curl localhost:1234
+"hello world"
+```
Don't forget to kill the test proxy when you're done.
- # kill %1
- ==> Consul Connect proxy shutdown
+```shell
+# kill %1
+==> Consul Connect proxy shutdown
- # exit
+# exit
+```
### Check Ambassador Connect sidecar logs
Find the name of the Connect Integration pod and make sure it is running.
- $ kubectl get pods -l app=ambassador-pro,component=consul-connect
- NAME READY STATUS RESTARTS AGE
- ambassador-pro-consul-connect-integration-f88fcb99f-hxk75 1/1 Running 0 1d
+```shell
+$ kubectl get pods -l app=ambassador-pro,component=consul-connect
+NAME READY STATUS RESTARTS AGE
+ambassador-pro-consul-connect-integration-f88fcb99f-hxk75 1/1 Running 0 1d
+```
Dump the logs from the integration pod. If the service is running correctly, there won't be much in there.
- $ kubectl logs ambassador-pro-consul-connect-integration-f88fcb99f-hxk75
+```shell
+$ kubectl logs ambassador-pro-consul-connect-integration-f88fcb99f-hxk75
- time="2019-03-13T19:42:12Z" level=info msg="Starting Consul Connect Integration" consul_host=10.142.0.21 consul_port=8500 version=0.2.3
- 2019/03/13 19:42:12 Watching CA leaf for ambassador
- time="2019-03-13T19:42:12Z" level=debug msg="Computed kubectl command and arguments" args="[kubectl apply -f -]"
- time="2019-03-13T19:42:14Z" level=info msg="Updating TLS certificate secret" namespace= secret=ambassador-consul-connect
+time="2019-03-13T19:42:12Z" level=info msg="Starting Consul Connect Integration" consul_host=10.142.0.21 consul_port=8500 version=0.2.3
+2019/03/13 19:42:12 Watching CA leaf for ambassador
+time="2019-03-13T19:42:12Z" level=debug msg="Computed kubectl command and arguments" args="[kubectl apply -f -]"
+time="2019-03-13T19:42:14Z" level=info msg="Updating TLS certificate secret" namespace= secret=ambassador-consul-connect
+```
### Check Ambassador logs
Make sure the Ambassador pod itself is running.
- $ kubectl get pods -l service=ambassador
- NAME READY STATUS RESTARTS AGE
- ambassador-655875b5d9-vpc2v 2/2 Running 0 1d
+```shell
+$ kubectl get pods -l service=ambassador
+NAME READY STATUS RESTARTS AGE
+ambassador-655875b5d9-vpc2v 2/2 Running 0 1d
+```
Finally, check the logs for the main Ambassador pod.
- $ kubectl logs ambassador-655875b5d9-vpc2v
+```shell
+$ kubectl logs ambassador-655875b5d9-vpc2v
+```
### Check Ambassador admin interface
Forward the admin port from the Ambassador pod to your local machine.
- $ kubectl port-forward pods/ambassador-655875b5d9-vpc2v 8877:8877
+```shell
+$ kubectl port-forward pods/ambassador-655875b5d9-vpc2v 8877:8877
+```
You should then be able to open http://localhost:8877/ambassador/v0/diag/ in your browser and view Ambassador's routing table. The table lists each URL mapping that has been set up. Service names will appear in green if Ambassador believes they are healthy, and red otherwise.
diff --git a/website/pages/docs/k8s/connect.mdx b/website/pages/docs/k8s/connect.mdx
index 12007aad50..9d48b8e58a 100644
--- a/website/pages/docs/k8s/connect.mdx
+++ b/website/pages/docs/k8s/connect.mdx
@@ -1,7 +1,7 @@
---
layout: docs
page_title: Connect Sidecar - Kubernetes
-sidebar_title: 'Kubernetes'
+sidebar_title: 'Connect Sidecar'
sidebar_current: docs-platform-k8s-connect
description: >-
Connect is a feature built into to Consul that enables automatic
@@ -441,19 +441,19 @@ There are three options available:
1. **Single Destination Namespace** – Register all Kubernetes pods, regardless of namespace,
into the same Consul namespace.
- This can be configured with:
+ This can be configured with:
- ```yaml
- global:
- enableConsulNamespaces: true
+ ```yaml
+ global:
+ enableConsulNamespaces: true
- connectInject:
- enabled: true
- consulNamespaces:
- consulDestinationNamespace: "my-consul-ns"
- ```
+ connectInject:
+ enabled: true
+ consulNamespaces:
+ consulDestinationNamespace: 'my-consul-ns'
+ ```
- -> **NOTE:** If the destination namespace does not exist we will create it.
+ -> **NOTE:** If the destination namespace does not exist we will create it.
1. **Mirror Namespaces** - Register each Kubernetes pod into a Consul namespace with the same name as its Kubernetes namespace.
For example, pod `foo` in Kubernetes namespace `ns-1` will be synced to the Consul namespace `ns-1`.
@@ -461,34 +461,32 @@ There are three options available:
This can be configured with:
- ````yaml
+ ```yaml
global:
- enableConsulNamespaces: true
+ enableConsulNamespaces: true
- connectInject:
- enabled: true
- consulNamespaces:
- mirroringK8S: true
- ```
-
- ````
+ connectInject:
+ enabled: true
+ consulNamespaces:
+ mirroringK8S: true
+ ```
1. **Mirror Namespaces With Prefix** - Register each Kubernetes pod into a Consul namespace with the same name as its Kubernetes
namespace **with a prefix**.
For example, given a prefix `k8s-`, pod `foo` in Kubernetes namespace `ns-1` will be synced to the Consul namespace `k8s-ns-1`.
- This can be configured with:
+ This can be configured with:
- ```yaml
- global:
- enableConsulNamespaces: true
+ ```yaml
+ global:
+ enableConsulNamespaces: true
- connectInject:
- enabled: true
- consulNamespaces:
- mirroringK8S: true
- mirroringK8SPrefix: "k8s-"
- ```
+ connectInject:
+ enabled: true
+ consulNamespaces:
+ mirroringK8S: true
+ mirroringK8SPrefix: 'k8s-'
+ ```
### Consul Enterprise Namespace Upstreams
diff --git a/website/pages/docs/k8s/helm.mdx b/website/pages/docs/k8s/helm.mdx
index 5a85c305b0..b13e9cd669 100644
--- a/website/pages/docs/k8s/helm.mdx
+++ b/website/pages/docs/k8s/helm.mdx
@@ -26,8 +26,7 @@ and consider if they're appropriate for your deployment.
- `name` ((#v-global-name)) (`string: null`) - Set the prefix used for all resources in the Helm chart. If not set, the prefix will be `-consul`.
- - `domain` ((#v-global-domain)) (`string: "consul"`) - The domain Consul will answer DNS queries for (see
- [-domain](/docs/agent/options.html#_domain)) and the domain services synced from
+ - `domain` ((#v-global-domain)) (`string: "consul"`) - The domain Consul will answer DNS queries for (see [-domain](/docs/agent/options.html#_domain)) and the domain services synced from
Consul into Kubernetes will have, e.g. `service-name.service.consul`.
- `image` ((#v-global-image)) (`string: "consul:"`) - The name (and tag) of the Consul Docker image for clients and servers. This can be overridden per component. This should be pinned to a specific version tag, otherwise you may inadvertently upgrade your Consul version.
@@ -59,7 +58,7 @@ and consider if they're appropriate for your deployment.
The secret can be created by running:
- ```bash
+ ```shell
$ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen)
# To reference, use:
# gossipEncryption:
@@ -130,98 +129,57 @@ and consider if they're appropriate for your deployment.
--from-file='tls.key=./consul-agent-ca-key.pem'
```
- -
- `secretName`
- (`string: null`) - The name of the Kubernetes secret.
+ - `secretName` ((#v-global-cakey-secretname)) (`string: null`) - The name of the Kubernetes secret.
- -
- `secretKey`
- (`string: null`) - The key of the Kubernetes secret.
+ - `secretKey` ((#v-global-cakey-secretkey)) (`string: null`) - The key of the Kubernetes secret.
--
- `server`
- - Values that configure running a Consul server within Kubernetes.
+- `server` ((#v-server)) - Values that configure running a Consul server within Kubernetes.
- -
- `enabled`
- (`boolean: global.enabled`) - If true, the chart will install all the resources
- necessary for a Consul server cluster. If you're running Consul externally and
+ - `enabled` ((#v-server-enabled)) (`boolean: global.enabled`) - If true, the chart will install all
+ the resources necessary for a Consul server cluster. If you're running Consul externally and
want agents within Kubernetes to join that cluster, this should probably be false.
- -
- `image`
- (`string: global.image`) - The name of the Docker image (including any tag)
- for the containers running Consul server agents.
+ - `image` ((#v-server-image)) (`string: global.image`) - The name of the Docker image (including any
+ tag) for the containers running Consul server agents.
- -
- `replicas`
- (`integer: 3`) -The number of server agents to run. This determines the
- fault tolerance of the cluster. Please see the [deployment table](/docs/internals/consensus.html#deployment-table)
+ - `replicas` ((#v-server-replicas)) (`integer: 3`) -The number of server agents to run. This
+ determines the fault tolerance of the cluster. Please see the [deployment table](/docs/internals/consensus.html#deployment-table)
for more information.
- -
- `bootstrapExpect`
- (`integer: 3`) - For new clusters, this is the number of servers to wait
- for before performing the initial leader election and bootstrap of the cluster.
- This must be less than or equal to `server.replicas`. This value is only used
+ - `bootstrapExpect` ((#v-server-bootstrapexpect)) (`integer: 3`) - For new clusters, this is the
+ number of servers to wait for before performing the initial leader election and bootstrap of the cluster. This must be less than or equal to `server.replicas`. This value is only used
when bootstrapping new clusters, it has no effect during ongoing cluster maintenance.
- -
- `enterpriseLicense`
- [Enterprise Only] - This value refers to a Kubernetes secret that you have
- created that contains your enterprise license. It is required if you are using
- an enterprise binary. Defining it here applies it to your cluster once a leader
+ - `enterpriseLicense` ((#v-server-enterpriselicense)) [Enterprise Only] - This value refers to a
+ Kubernetes secret that you have created that contains your enterprise license. It is required if you are using an enterprise binary. Defining it here applies it to your cluster once a leader
has been elected. If you are not using an enterprise image or if you plan to
introduce the license key via another route, then set these fields to null.
- -
- `secretName`
- (`string: null`) - The name of the Kubernetes secret that holds the enterprise
- license. The secret must be in the same namespace that Consul is installed
- into.
+ - `secretName` ((#v-global-enterpriselicense-secretname)) (`string: null`) - The name of the
+ Kubernetes secret that holds the enterprise license. The secret must be in the same namespace that Consul is installed into.
- -
- `secretKey`
- (`string: null`) - The key within the Kubernetes secret that holds the
- enterprise license.
+ - `secretKey` ((#v-global-enterpriselicense-secretkey)) (`string: null`) - The key within the
+ Kubernetes secret that holds the enterprise license.
- -
- `storage`
- (`string: 10Gi`) - This defines the disk size for configuring the servers'
- StatefulSet storage. For dynamically provisioned storage classes, this is the
+ - `storage` ((#v-server-storage)) (`string: 10Gi`) - This defines the disk size for configuring the
+ servers' StatefulSet storage. For dynamically provisioned storage classes, this is the
desired size. For manually defined persistent volumes, this should be set to
the disk size of the attached volume.
- -
- `storageClass`
- (`string: null`) - The StorageClass to use for the servers' StatefulSet
- storage. It must be able to be dynamically provisioned if you want the storage
+ - `storageClass` ((#v-server-storageclass)) (`string: null`) - The StorageClass to use for the
+ servers' StatefulSet storage. It must be able to be dynamically provisioned if you want the storage
to be automatically created. For example, to use [Local](https://kubernetes.io/docs/concepts/storage/storage-classes/#local)
storage classes, the PersistentVolumeClaims would need to be manually created.
A `null` value will use the Kubernetes cluster's default StorageClass. If a default
StorageClass does not exist, you will need to create one.
- -
- `connect`
- (`boolean: true`) - This will enable/disable [Connect](/docs/connect/index.html).
- Setting this to true _will not_ automatically secure pod communication, this
+ - `connect` ((#v-server-connect)) (`boolean: true`) - This will enable/disable [Connect](/docs/connect/index.html). Setting this to true _will not_ automatically secure pod communication, this
setting will only enable usage of the feature. Consul will automatically initialize
a new CA and set of certificates. Additional Connect settings can be configured
by setting the `server.extraConfig` value.
- -
- `resources`
- (`string: null`) - The resource requests (CPU, memory, etc.) for each of
- the server agents. This should be a multi-line string mapping directly to a Kubernetes
+ - `resources` ((#v-server-resources)) (`string: null`) - The resource requests (CPU, memory, etc.)
+ for each of the server agents. This should be a multi-line string mapping directly to a Kubernetes
[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core)
object. If this isn't specified, then the pods won't request any specific amount
of resources. **Setting this is highly recommended.**
@@ -235,44 +193,22 @@ and consider if they're appropriate for your deployment.
memory: "10Gi"
```
- -
- `updatePartition`
- (`integer: 0`) - This value is used to carefully control a rolling update
- of Consul server agents. This value specifies the [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions)
+ - `updatePartition` ((#v-server-updatepartition)) (`integer: 0`) - This value is used to carefully
+ control a rolling update of Consul server agents. This value specifies the [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions)
for performing a rolling update. Please read the linked Kubernetes documentation
for more information.
- -
- `disruptionBudget`
- - This configures the [PodDisruptionBudget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/)
- for the server cluster.
+ - `disruptionBudget` ((#v-server-disruptionbudget)) - This configures the [PodDisruptionBudget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) for the server cluster.
- -
- `enabled`
- (`boolean: true`) - This will enable/disable registering a PodDisruptionBudget
- for the server cluster. If this is enabled, it will only register the budget
- so long as the server cluster is enabled.
+ - `enabled` ((#v-server-disruptionbudget-enabled)) (`boolean: true`) - This will enable/disable
+ registering a PodDisruptionBudget for the server cluster. If this is enabled, it will only register the budget so long as the server cluster is enabled.
- -
- `maxUnavailable`
- (`integer: null`) - The maximum number of unavailable pods. By default,
- this will be automatically computed based on the `server.replicas` value to
- be `(n/2)-1`. If you need to set this to `0`, you will need to add a `--set
- 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation
+ - `maxUnavailable` ((#v-server-disruptionbudget-maxunavailable)) (`integer: null`) - The maximum
+ number of unavailable pods. By default, this will be automatically computed based on the `server.replicas` value to be `(n/2)-1`. If you need to set this to `0`, you will need to add a `--set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation
command because of a limitation in the Helm templating language.
- -
- `extraConfig`
- (`string: "{}"`) - A raw string of extra JSON [configuration](/docs/agent/options.html)
- for Consul servers. This will be saved as-is into a ConfigMap that is read by
- the Consul server agents. This can be used to add additional configuration that
- isn't directly exposed by the chart.
+ - `extraConfig` ((#v-server-extraconfig)) (`string: "{}"`) - A raw string of extra JSON
+ [configuration](/docs/agent/options.html) for Consul servers. This will be saved as-is into a ConfigMap that is read by the Consul server agents. This can be used to add additional configuration that isn't directly exposed by the chart.
```yaml
# ExtraConfig values are formatted as a multi-line string:
@@ -288,31 +224,20 @@ and consider if they're appropriate for your deployment.
--set 'server.extraConfig="{"log_level": "DEBUG"}"'
```
- -
- `extraVolumes`
- (`array: []`) - A list of extra volumes to mount for server agents. This
+ - `extraVolumes` ((#v-server-extravolumes)) (`array: []`) - A list of extra volumes to mount for server agents. This
is useful for bringing in extra data that can be referenced by other configurations
at a well known path, such as TLS certificates or Gossip encryption keys. The
value of this should be a list of objects. Each object supports the following
keys:
- -
- `type`
- (`string: required`) - Type of the volume, must be one of "configMap"
- or "secret". Case sensitive.
+ - `type` ((#v-server-extravolumes-type)) (`string: required`) - Type of the volume, must be one of
+ "configMap" or "secret". Case sensitive.
- -
- `name`
- (`string: required`) -
+ - `name` ((#v-server-extravolumes-name)) (`string: required`) - Name of the configMap or secret to
+ be mounted. This also controls the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`.
- Name of the configMap or secret to be mounted. This also controls the path
- that it is mounted to. The volume will be mounted to `/consul/userconfig/`.
-
- -
- `load`
- (`boolean: false`) - If true, then the agent will be configured to automatically
- load HCL/JSON configuration files from this volume with `-config-dir`. This
- defaults to false.
+ - `load` ((#v-server-extravolumes-load)) (`boolean: false`) - If true, then the agent will be
+ configured to automatically load HCL/JSON configuration files from this volume with `-config-dir`. This defaults to false.
```yaml
extraVolumes:
@@ -321,9 +246,7 @@ and consider if they're appropriate for your deployment.
load: false
```
- -
- `affinity`
- (`string`) - This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
+ - `affinity` ((#v-server-affinity)) (`string`) - This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
for server pods. It defaults to allowing only a single pod on each node, which
minimizes risk of the cluster becoming unusable if a node is lost. If you need
to run more pods per node (for example, testing on Minikube), set this value
@@ -342,15 +265,10 @@ and consider if they're appropriate for your deployment.
topologyKey: kubernetes.io/hostname
```
- -
- `tolerations`
- (`string: ""`) - Toleration settings for server pods. This should be a multi-line
- string matching the [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)
- array in a Pod spec.
+ - `tolerations` ((#v-server-tolerations)) (`string: ""`) - Toleration settings for server pods. This
+ should be a multi-line string matching the [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec.
- -
- `nodeSelector`
- (`string: null`) - This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
+ - `nodeSelector` ((#v-server-nodeselector)) (`string: null`) - This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
labels for server pod assignment, formatted as a multi-line string.
```yaml
@@ -358,15 +276,11 @@ and consider if they're appropriate for your deployment.
beta.kubernetes.io/arch: amd64
```
- -
- `priorityClassName`
- (`string`) - This value references an existing Kubernetes [priorityClassName](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority)
- that can be assigned to server pods.
+ - `priorityClassName` ((#v-server-priorityclassname)) (`string`) - This value references an existing
+ Kubernetes [priorityClassName](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) that can be assigned to server pods.
- -
- `annotations`
- (`string`) - This value defines additional annotations for server pods.
- This should be a formatted as a multi-line string.
+ - `annotations` ((#v-server-annotations)) (`string`) - This value defines additional annotations for
+ server pods. This should be a formatted as a multi-line string.
```yaml
annotations: |
@@ -374,66 +288,42 @@ and consider if they're appropriate for your deployment.
"sample/annotation2": "bar"
```
- -
- `service`
- - Server service properties
+ - `service` ((#v-server-service)) - Server service properties
- -
- `annotations`
- Annotations to apply to the server service.
+ - `annotations` ((#v-server-service-annotations)) Annotations to apply to the server service.
```yaml
annotations: |
"annotation-key": "annotation-value"
```
--
- `client`
- - Values that configure running a Consul client on Kubernetes nodes.
+- `client` ((#v-client)) - Values that configure running a Consul client on Kubernetes nodes.
- -
- `enabled`
- (`boolean: global.enabled`) - If true, the chart will install all the resources
- necessary for a Consul client on every Kubernetes node. This _does not_ require
+ - `enabled` ((#v-client-enabled)) (`boolean: global.enabled`) - If true, the chart will install all
+ the resources necessary for a Consul client on every Kubernetes node. This _does not_ require
`server.enabled`, since the agents can be configured to join an external cluster.
- -
- `image`
- (`string: global.image`) - The name of the Docker image (including any tag)
- for the containers running Consul client agents.
+ - `image` ((#v-client-image)) (`string: global.image`) - The name of the Docker image (including any
+ tag) for the containers running Consul client agents.
- `join` ((#v-client-join)) (`array: null`) - A list of valid [`-retry-join` values](/docs/agent/options.html#retry-join). If this is `null` (default), then the clients will attempt to automatically join the server cluster running within Kubernetes. This means that with `server.enabled` set to true, clients will automatically join that cluster. If `server.enabled` is not true, then a value must be specified so the clients can join a valid cluster.
- -
- `dataDirectoryPath`
- (`string: null`) - An absolute path to a directory on the host machine to
- use as the Consul client data directory. If set to the empty string or null,
- the Consul agent will store its data in the Pod's local filesystem (which will
+ - `dataDirectoryPath` ((#v-client-datadirectorypath)) (`string: null`) - An absolute path to a
+ directory on the host machine to use as the Consul client data directory. If set to the empty string or null, the Consul agent will store its data in the Pod's local filesystem (which will
be lost if the Pod is deleted). Security Warning: If setting this, Pod Security
- Policies _must_ be enabled on your cluster and in this Helm chart (via the global.enablePodSecurityPolicies
- setting) to prevent other Pods from mounting the same host path and gaining access
- to all of Consul's data. Consul's data is not encrypted at rest.
+ Policies _must_ be enabled on your cluster and in this Helm chart (via the global.enablePodSecurityPolicies setting) to prevent other Pods from mounting the same host path and gaining access to all of Consul's data. Consul's data is not encrypted at rest.
- -
- `grpc`
- (`boolean: true`) - If true, agents will enable their GRPC listener on port
- 8502 and expose it to the host. This will use slightly more resources, but is
+ - `grpc` ((#v-client-grpc)) (`boolean: true`) - If true, agents will enable their GRPC listener on
+ port 8502 and expose it to the host. This will use slightly more resources, but is
required for [Connect](/docs/platform/k8s/connect.html).
- -
- `exposeGossipPorts`
- (`boolean: false`) - If true, the Helm chart will expose the clients' gossip
- ports as hostPorts. This is only necessary if pod IPs in the k8s cluster are
- not directly routable and the Consul servers are outside of the k8s cluster.
+ - `exposeGossipPorts` ((#v-client-exposegossipports)) (`boolean: false`) - If true, the Helm chart
+ will expose the clients' gossip ports as hostPorts. This is only necessary if pod IPs in the k8s cluster are not directly routable and the Consul servers are outside of the k8s cluster.
This also changes the clients' advertised IP to the `hostIP` rather than `podIP`.
- -
- `resources`
- (`string: null`) - The resource requests (CPU, memory, etc.) for each of
- the client agents. This should be a multi-line string mapping directly to a Kubernetes
- [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core)
- object. If this isn't specified, then the pods won't request any specific amount
- of resources.
+ - `resources` ((#v-client-resources)) (`string: null`) - The resource requests (CPU, memory, etc.)
+ for each of the client agents. This should be a multi-line string mapping directly to a Kubernetes
+ [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) object. If this isn't specified, then the pods won't request any specific amount of resources.
```yaml
# Resources are defined as a formatted multi-line string:
@@ -444,12 +334,8 @@ and consider if they're appropriate for your deployment.
memory: "10Gi"
```
- -
- `extraConfig`
- (`string: "{}"`) - A raw string of extra JSON [configuration](/docs/agent/options.html)
- for Consul clients. This will be saved as-is into a ConfigMap that is read by
- the Consul agents. This can be used to add additional configuration that isn't
- directly exposed by the chart.
+ - `extraConfig` ((#v-client-extraconfig)) (`string: "{}"`) - A raw string of extra JSON
+ [configuration](/docs/agent/options.html) for Consul clients. This will be saved as-is into a ConfigMap that is read by the Consul agents. This can be used to add additional configuration that isn't directly exposed by the chart.
```yaml
# ExtraConfig values are formatted as a multi-line string:
@@ -465,31 +351,19 @@ and consider if they're appropriate for your deployment.
--set 'client.extraConfig="{"log_level": "DEBUG"}"'
```
- -
- `extraVolumes`
- (`array: []`) - A list of extra volumes to mount for client agents. This
- is useful for bringing in extra data that can be referenced by other configurations
- at a well known path, such as TLS certificates or Gossip encryption keys. The
+ - `extraVolumes` ((#v-client-extravolumes)) (`array: []`) - A list of extra volumes to mount for
+ client agents. This is useful for bringing in extra data that can be referenced by other configurations at a well known path, such as TLS certificates or Gossip encryption keys. The
value of this should be a list of objects. Each object supports the following
keys:
- -
- `type`
- (`string: required`) - Type of the volume, must be one of "configMap"
- or "secret". Case sensitive.
+ - `type` ((#v-client-extravolumes-type)) (`string: required`) - Type of the volume, must be one of
+ "configMap" or "secret". Case sensitive.
- -
- `name`
- (`string: required`) -
+ - `name` ((#v-client-extravolumes-name)) (`string: required`) - Name of the configMap or secret to
+ be mounted. This also controls the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`.
- Name of the configMap or secret to be mounted. This also controls the path
- that it is mounted to. The volume will be mounted to `/consul/userconfig/`.
-
- -
- `load`
- (`boolean: false`) - If true, then the agent will be configured to automatically
- load HCL/JSON configuration files from this volume with `-config-dir`. This
- defaults to false.
+ - `load` ((#v-client-extravolumes-load)) (`boolean: false`) - If true, then the agent will be
+ configured to automatically load HCL/JSON configuration files from this volume with `-config-dir`. This defaults to false.
```yaml
extraVolumes:
@@ -498,37 +372,27 @@ and consider if they're appropriate for your deployment.
load: false
```
- -
- `tolerations`
- (`string: ""`) - Toleration Settings for client pods. This should be a multi-line
- string matching the Toleration array in a Pod spec. The example below will allow
- client pods to run on every node regardless of taints.
+ - `tolerations` ((#v-client-tolerations)) (`string: ""`) - Toleration Settings for client pods. This
+ should be a multi-line string matching the Toleration array in a Pod spec. The example below will allow client pods to run on every node regardless of taints.
```yaml
tolerations: |
- operator: "Exists"
```
- -
- `nodeSelector`
- (`string: null`) - Labels for client pod assignment, formatted as a multi-line
- string. Please see [Kubernetes docs](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
- for more details.
+ - `nodeSelector` ((#v-client-nodeselector)) (`string: null`) - Labels for client pod assignment,
+ formatted as a multi-line string. Please see [Kubernetes docs](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more details.
```yaml
nodeSelector: |
beta.kubernetes.io/arch: amd64
```
- -
- `priorityClassName`
- (`string: ""`) - This value references an existing Kubernetes [priorityClassName](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority)
- that can be assigned to client pods.
+ - `priorityClassName` ((#v-client-priorityclassname)) (`string: ""`) - This value references an
+ existing Kubernetes [priorityClassName](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) that can be assigned to client pods.
- -
- `annotations`
- (`string: null`) - This value defines additional annotations for client
- pods. This should be a formatted as a multi-line string.
+ - `annotations` ((#v-client-annotations)) (`string: null`) - This value defines additional
+ annotations for client pods. This should be a formatted as a multi-line string.
```yaml
annotations: |
@@ -536,14 +400,10 @@ and consider if they're appropriate for your deployment.
"sample/annotation2": "bar"
```
- -
- `dnsPolicy`
- (`string: null`) - This value defines the [Pod DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy)
+ - `dnsPolicy` ((#v-client-dnspolicy)) (`string: null`) - This value defines the [Pod DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy)
for client pods to use.
- -
- `updateStrategy`
- (`string: null`) - The [update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy)
+ - `updateStrategy` ((#v-client-updatestrategy)) (`string: null`) - The [update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy)
for the client `DaemonSet`.
```yaml
@@ -553,365 +413,172 @@ and consider if they're appropriate for your deployment.
type: RollingUpdate
```
- -
- `snapshotAgent`
- [Enterprise Only] - Values for setting up and running [snapshot agents](https://www.consul.io/docs/commands/snapshot/agent.html)
+ - `snapshotAgent` ((#v-client-snapshotagent)) [Enterprise Only] - Values for setting up and running [snapshot agents](https://www.consul.io/docs/commands/snapshot/agent.html)
within the Consul clusters. They are required to be co-located with Consul clients,
so will inherit the clients' nodeSelector, tolerations and affinity.
- -
- `enabled`
- (`boolean: false`) - If true, the chart will install resources necessary
- to run the snapshot agent.
+ - `enabled` ((#v-client-snapshotagent-enabled)) (`boolean: false`) - If true, the chart will
+ install resources necessary to run the snapshot agent.
- -
- `replicas`
- (`integer: 2`) - The number of snapshot agents to run.
+ - `replicas` ((#v-client-snapshotagent-replicas)) (`integer: 2`) - The number of snapshot agents
+ to run.
- -
- `configSecret`
- - A Kubernetes secret that should be manually created to contain the entire
- config to be used on the snapshot agent. This is the preferred method of configuration
- since there are usually storage credentials present. Please see [Snapshot agent
- config](https://www.consul.io/docs/commands/snapshot/agent.html#config-file-options-)
- for details.
+ - `configSecret` ((#v-client-snapshotagent-configsecret)) - A Kubernetes secret that should be
+ manually created to contain the entire config to be used on the snapshot agent. This is the preferred method of configuration since there are usually storage credentials present. Please see [Snapshot agent config](https://www.consul.io/docs/commands/snapshot/agent.html#config-file-options-) for details.
- -
- secretName{' '}
-
- `(string: null)` - The name of the Kubernetes secret.
+ - secretName ((#v-client-snapshotagent-configsecret-secretname)) `(string: null)` - The name of the Kubernetes secret.
- -
- secretKey{' '}
-
- `(string: null)` - The key for the Kubernetes secret.
+ - secretKey ((#v-client-snapshotagent-configsecret-secretkey)) `(string: null)` - The key for the Kubernetes secret.
--
- `dns`
- - Values that configure Consul DNS service.
+- `dns` ((#v-dns)) - Values that configure Consul DNS service.
- -
- `enabled`
- (`boolean: global.enabled`) - If true, a `consul-dns` service will be created
- that exposes port 53 for TCP and UDP to the running Consul agents (servers and
+ - `enabled` ((#v-dns-enabled)) (`boolean: global.enabled`) - If true, a `consul-dns` service will be
+ created that exposes port 53 for TCP and UDP to the running Consul agents (servers and
clients). This can then be used to [configure kube-dns](/docs/platform/k8s/dns.html).
The Helm chart _does not_ automatically configure kube-dns.
- -
- `clusterIP`
- (`string: null`) - If defined, this value configures the cluster IP of the
- DNS service.
+ - `clusterIP` ((#v-dns-clusterip)) (`string: null`) - If defined, this value configures the cluster
+ IP of the DNS service.
- -
- `annotations`
- (`string: null`) - Extra annotations to attach to the DNS service. This
- should be a multi-line string of annotations to apply to the DNS service.
+ - `annotations` ((#v-dns-annotations)) (`string: null`) - Extra annotations to attach to the DNS
+ service. This should be a multi-line string of annotations to apply to the DNS service.
--
- `syncCatalog`
- - Values that configure the [service sync](/docs/platform/k8s/service-sync.html)
- process.
+- `syncCatalog` ((#v-synccatalog)) - Values that configure the [service sync](/docs/platform/k8s/service-sync.html) process.
- -
- `enabled`
- (`boolean: false`) - If true, the chart will install all the resources necessary
- for the catalog sync process to run.
+ - `enabled` ((#v-synccatalog-enabled)) (`boolean: false`) - If true, the chart will install all the
+ resources necessary for the catalog sync process to run.
- -
- `image`
- (`string: global.imageK8S`) - The name of the Docker image (including any
- tag) for [consul-k8s](/docs/platform/k8s/index.html#quot-consul-k8s-quot-project)
+ - `image` ((#v-synccatalog-image)) (`string: global.imageK8S`) - The name of the Docker image
+ (including any tag) for [consul-k8s](/docs/platform/k8s/index.html#quot-consul-k8s-quot-project)
to run the sync program.
- -
- `default`
- (`boolean: true`) - If true, all valid services in K8S are synced by default.
- If false, the service must be [annotated](/docs/platform/k8s/service-sync.html#sync-enable-disable)
- properly to sync. In either case an annotation can override the default.
+ - `default` ((#v-synccatalog-default)) (`boolean: true`) - If true, all valid services in K8S are
+ synced by default. If false, the service must be [annotated](/docs/platform/k8s/service-sync.html#sync-enable-disable) properly to sync. In either case an annotation can override the default.
- -
- `toConsul`
- (`boolean: true`) - If true, will sync Kubernetes services to Consul. This
- can be disabled to have a one-way sync.
+ - `toConsul` ((#v-synccatalog-toconsul)) (`boolean: true`) - If true, will sync Kubernetes services
+ to Consul. This can be disabled to have a one-way sync.
- -
- `toK8S`
- (`boolean: true`) - If true, will sync Consul services to Kubernetes. This
- can be disabled to have a one-way sync.
+ - `toK8S` ((#v-synccatalog-tok8s)) (`boolean: true`) - If true, will sync Consul services to
+ Kubernetes. This can be disabled to have a one-way sync.
- -
- `k8sPrefix`
- (`string: ""`) - A prefix to prepend to all services registered in Kubernetes
- from Consul. This defaults to `""` where no prefix is prepended; Consul services
- are synced with the same name to Kubernetes. (Consul -> Kubernetes sync only)
+ - `k8sPrefix` ((#v-synccatalog-k8sprefix)) (`string: ""`) - A prefix to prepend to all services
+ registered in Kubernetes from Consul. This defaults to `""` where no prefix is prepended; Consul services are synced with the same name to Kubernetes. (Consul -> Kubernetes sync only)
- -
- `k8sAllowNamespaces`
- (`[]string: ["*"]`) - list of k8s namespaces to sync the k8s services from.
- If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`,
- services in that k8s namespace will not be synced even if they are explicitly
- annotated. Use `["*"]` to automatically allow all k8s namespaces. For example,
+ - `k8sAllowNamespaces` ((#v-synccatalog-k8sallownamespaces)) (`[]string: ["*"]`) - list of k8s
+ namespaces to sync the k8s services from. If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`, services in that k8s namespace will not be synced even if they are explicitly annotated. Use `["*"]` to automatically allow all k8s namespaces. For example,
`["namespace1", "namespace2"]` will only allow services in the k8s namespaces
`namespace1` and `namespace2` to be synced and registered with Consul. All other
k8s namespaces will be ignored. Note: `k8sDenyNamespaces` takes precedence over
values defined here. Requires consul-k8s v0.12+
- -
- `k8sDenyNamespaces`
- (`[]string: ["kube-system", "kube-public"]` - list of k8s namespaces that
- should not have their services synced. This list takes precedence over `k8sAllowNamespaces`.
- `*` is not supported because then nothing would be allowed to sync. Requires
- consul-k8s v0.12+.
+ - `k8sDenyNamespaces` ((#v-synccatalog-k8sdenynamespaces)) (`[]string: ["kube-system", "kube-public"]` - list of k8s namespaces that should not have their services synced. This list takes precedence over `k8sAllowNamespaces`. `*` is not supported because then nothing would be allowed to sync. Requires consul-k8s v0.12+.
For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` and `namespace2` will be synced.
- -
- `k8sSourceNamespace`
- (`string: ""`) - **[DEPRECATED] Use `k8sAllowNamespaces` and `k8sDenyNamespaces`
- instead.** `k8sSourceNamespace` is the Kubernetes namespace to watch for service
- changes and sync to Consul. If this is not set then it will default to all namespaces.
+ - `k8sSourceNamespace` ((#v-synccatalog-k8ssourcenamespace)) (`string: ""`) - **[DEPRECATED] Use
+ `k8sAllowNamespaces` and `k8sDenyNamespaces` instead.** `k8sSourceNamespace` is the Kubernetes namespace to watch for service changes and sync to Consul. If this is not set then it will default to all namespaces.
- -
- `consulNamespaces`
- - [Enterprise Only] These settings manage the catalog sync's interaction
- with Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+). Also,
- `global.enableConsulNamespaces` must be true.
+ - `consulNamespaces` ((#v-synccatalog-consulnamespaces)) - [Enterprise Only] These settings manage
+ the catalog sync's interaction with Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+). Also, `global.enableConsulNamespaces` must be true.
- -
- `consulDestinationNamespace`
- (`string: "default"`) - Name of the Consul namespace to register all k8s
+ - `consulDestinationNamespace` ((#v-synccatalog-consulnamespaces-consuldestinationnamespace)) (`string: "default"`) - Name of the Consul namespace to register all k8s
services into. If the Consul namespace does not already exist, it will be created.
This will be ignored if `mirroringK8S` is true.
- -
- `mirroringK8S`
- (`bool: false`) - causes k8s services to be registered into a Consul namespace
- of the same name as their k8s namespace, optionally prefixed if `mirroringK8SPrefix`
- is set below. If the Consul namespace does not already exist, it will be created.
- Turning this on overrides the `consulDestinationNamespace` setting. `addK8SNamespaceSuffix`
- may no longer be needed if enabling this option.
+ - `mirroringK8S` ((#v-synccatalog-consulnamespaces-mirroringk8s)) (`bool: false`) - causes k8s
+ services to be registered into a Consul namespace of the same name as their k8s namespace, optionally prefixed if `mirroringK8SPrefix` is set below. If the Consul namespace does not already exist, it will be created. Turning this on overrides the `consulDestinationNamespace` setting. `addK8SNamespaceSuffix` may no longer be needed if enabling this option.
- -
- `mirroringK8SPrefix`
- (`string: ""`) - If `mirroringK8S` is set to true, `mirroringK8SPrefix`
- allows each Consul namespace to be given a prefix. For example, if `mirroringK8SPrefix`
- is set to `"k8s-"`, a service in the k8s `staging` namespace will be registered
- into the `k8s-staging` Consul namespace.
+ - `mirroringK8SPrefix` ((#v-synccatalog-consulnamespaces-mirroringk8sprefix)) (`string: ""`) - If
+ `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace to be given a prefix. For example, if `mirroringK8SPrefix` is set to `"k8s-"`, a service in the k8s `staging` namespace will be registered into the `k8s-staging` Consul namespace.
- -
- `addK8SNamespaceSuffix`
- (`boolean: true`) - If true, sync catalog will append Kubernetes namespace
- suffix to each service name synced to Consul, separated by a dash. For example,
- for a service `foo` in the `default` namespace, the sync process will create
- a Consul service named `foo-default`. Set this flag to true to avoid registering
- services with the same name but in different namespaces as instances for the
- same Consul service. Namespace suffix is not added if `annotationServiceName`
- is provided.
+ - `addK8SNamespaceSuffix` ((#v-synccatalog-addk8snamespacesuffix)) (`boolean: true`) - If true, sync catalog will append Kubernetes namespace suffix to each service name synced to Consul, separated by a dash. For example, for a service `foo` in the `default` namespace, the sync process will create a Consul service named `foo-default`. Set this flag to true to avoid registering services with the same name but in different namespaces as instances for the same Consul service. Namespace suffix is not added if `annotationServiceName` is provided.
- -
- `consulPrefix`
- (`string: ""`) - A prefix to prepend to all services registered in Consul
- from Kubernetes. This defaults to `""` where no prefix is prepended. Service
- names within Kubernetes remain unchanged. (Kubernetes -> Consul sync only) The
- prefix is ignored if `annotationServiceName` is provided.
+ - `consulPrefix` ((#v-synccatalog-consulPrefix)) (`string: ""`) - A prefix to prepend to all services registered in Consul from Kubernetes. This defaults to `""` where no prefix is prepended. Service names within Kubernetes remain unchanged. (Kubernetes -> Consul sync only) The prefix is ignored if `annotationServiceName` is provided.
- -
- `k8sTag`
- (`string: null`) - An optional tag that is applied to all of the Kubernetes
- services that are synced into Consul. If nothing is set, this defaults to "k8s".
- (Kubernetes -> Consul sync only)
+ - `k8sTag` ((#v-synccatalog-k8stag)) (`string: null`) - An optional tag that is applied to all of the Kubernetes services that are synced into Consul. If nothing is set, this defaults to "k8s". (Kubernetes -> Consul sync only)
- -
- `syncClusterIPServices`
- (`boolean: true`) - If true, will sync Kubernetes ClusterIP services to
- Consul. This can be disabled to have the sync ignore ClusterIP-type services.
+ - `syncClusterIPServices` ((#v-synccatalog-syncclusteripservices)) (`boolean: true`) - If true, will
+ sync Kubernetes ClusterIP services to Consul. This can be disabled to have the sync ignore ClusterIP-type services.
- -
- `nodePortSyncType`
- (`string: ExternalFirst`) - Configures the type of syncing that happens
- for NodePort services. The only valid options are: `ExternalOnly`, `InternalOnly`,
- and `ExternalFirst`. `ExternalOnly` will only use a node's ExternalIP address
+ - `nodePortSyncType` ((#v-synccatalog-nodeportsynctype)) (`string: ExternalFirst`) - Configures the
+ type of syncing that happens for NodePort services. The only valid options are: `ExternalOnly`, `InternalOnly`, and `ExternalFirst`. `ExternalOnly` will only use a node's ExternalIP address
for the sync, otherwise the service will not be synced. `InternalOnly` uses the
node's InternalIP address. `ExternalFirst` will preferentially use the node's
ExternalIP address, but if it doesn't exist, it will use the node's InternalIP
address instead.
- -
- `aclSyncToken`
- - references a Kubernetes [secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-your-own-secrets)
+ - `aclSyncToken` ((#v-synccatalog-acl-sync-token)) - references a Kubernetes [secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-your-own-secrets)
that contains an existing Consul ACL token. This will provide the sync process
the correct permissions. This is only needed if ACLs are enabled on the Consul
cluster.
- -
- secretName{' '}
-
- `(string: null)` - The name of the Kubernetes secret. This defaults to null.
+ - `secretName` ((#v-synccatalog-acl-sync-token-secret-name)) `(string: null)` - The name of the Kubernetes secret. This defaults to null.
- -
- secretKey{' '}
-
- `(string: null)` - The key for the Kubernetes secret. This defaults to null.
+ - `secretKey` ((#v-synccatalog-acl-sync-token-secret-key)) `(string: null)` - The key for the Kubernetes secret. This defaults to null.
- -
- `nodeSelector`
- (`string: null`) - This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
- labels for `syncCatalog` pod assignment, formatted as a multi-line string.
+ - `nodeSelector` ((#v-synccatalog-nodeselector)) (`string: null`) - This value defines
+ [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) labels for `syncCatalog` pod assignment, formatted as a multi-line string.
```yaml
nodeSelector: |
beta.kubernetes.io/arch: amd64
```
- -
- `logLevel`
- (`string: info`) - Log verbosity level. One of "trace", "debug", "info",
- "warn", or "error".
+ - `logLevel` ((#v-synccatalog-loglevel)) (`string: info`) - Log verbosity level. One of "trace",
+ "debug", "info", "warn", or "error".
- -
- `consulWriteInterval`
- (`string: null`) - Override the default interval to perform syncing operations
- creating Consul services.
+ - `consulWriteInterval` ((#v-synccatalog-consulwriteinterval)) (`string: null`) - Override the default interval to perform syncing operations creating Consul services.
--
- `ui`
- - Values that configure the Consul UI.
+- `ui` ((#v-ui)) - Values that configure the Consul UI.
- -
- `enabled`
- (`boolean: global.enabled`) - If true, the UI will be enabled. This will
+ - `enabled` ((#v-ui-enabled)) (`boolean: global.enabled`) - If true, the UI will be enabled. This will
only _enable_ the UI, it doesn't automatically register any service for external
access. The UI will only be enabled on server agents. If `server.enabled` is
false, then this setting has no effect. To expose the UI in some way, you must
configure `ui.service`.
- -
- `service`
- - This configures the `Service` resource registered for the Consul UI.
+ - `service` ((#v-ui-service)) - This configures the `Service` resource registered for the Consul UI.
- -
- `enabled`
- (`boolean: true`) - This will enable/disable registering a Kubernetes
- Service for the Consul UI. This value only takes effect if `ui.enabled` is
+ - `enabled` ((#v-ui-service-enabled)) (`boolean: true`) - This will enable/disable registering a
+ Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is
true and taking effect.
- -
- `type`
- (`string: null`) - The service type to register. This defaults to `null`
- which doesn't set an explicit service type, which typically is defaulted to
+ - `type` ((#v-ui-service-type)) (`string: null`) - The service type to register. This defaults to
+ `null` which doesn't set an explicit service type, which typically is defaulted to
"ClusterIP" by Kubernetes. The available service types are documented on [the
Kubernetes website](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types).
- -
- `annotations`
- (`string: null`) - Annotations to apply to the UI service.
+ - `annotations` ((#v-ui-service-annotations)) (`string: null`) - Annotations to apply to the UI
+ service.
```yaml
annotations: |
"annotation-key": "annotation-value"
```
- -
- `additionalSpec`
- (`string: null`) - Additional Service spec values. This should be a multi-line
- string mapping directly to a Kubernetes `Service` object.
+ - `additionalSpec` ((#v-ui-service-additionalspec)) (`string: null`) - Additional Service spec
+ values. This should be a multi-line string mapping directly to a Kubernetes `Service` object.
--
- `connectInject`
- - Values that configure running the [Connect injector](/docs/platform/k8s/connect.html).
+- `connectInject` ((#v-connectinject)) - Values that configure running the [Connect injector](/docs/platform/k8s/connect.html).
- -
- `enabled`
- (`boolean: false`) - If true, the chart will install all the resources necessary
- for the Connect injector process to run. This will enable the injector but will
+ - `enabled` ((#v-connectinject-enabled)) (`boolean: false`) - If true, the chart will install all the
+ resources necessary for the Connect injector process to run. This will enable the injector but will
require pods to opt-in with an annotation by default.
- -
- `image`
- (`string: global.imageK8S`) - The name of the Docker image (including any
- tag) for the [consul-k8s](https://github.com/hashicorp/consul-k8s) binary.
+ - `image` ((#v-connectinject-image)) (`string: global.imageK8S`) - The name of the Docker image
+ (including any tag) for the [consul-k8s](https://github.com/hashicorp/consul-k8s) binary.
- -
- `default`
- (`boolean: false`) - If true, the injector will inject the Connect sidecar
- into all pods by default. Otherwise, pods must specify the. [injection annotation](/docs/platform/k8s/connect.html#consul-hashicorp-com-connect-inject)
+ - `default` ((#v-connectinject-default)) (`boolean: false`) - If true, the injector will inject the
+ Connect sidecar into all pods by default. Otherwise, pods must specify the. [injection annotation](/docs/platform/k8s/connect.html#consul-hashicorp-com-connect-inject)
to opt-in to Connect injection. If this is true, pods can use the same annotation
to explicitly opt-out of injection.
- -
- `imageConsul`
- (`string: global.image`) - The name of the Docker image (including any tag)
- for Consul. This is used for proxy service registration, Envoy configuration,
- etc.
+ - `imageConsul` ((#v-connectinject-imageConsul)) (`string: global.image`) - The name of the Docker
+ image (including any tag) for Consul. This is used for proxy service registration, Envoy configuration, etc.
- -
- `imageEnvoy`
- (`string: ""`) - The name of the Docker image (including any tag) for the
- Envoy sidecar. `envoy` must be on the executable path within this image. This
- Envoy version must be compatible with the Consul version used by the injector.
- If not specified this defaults to letting the injector choose the Envoy image.
- Check [supported Envoy versions](/docs/connect/proxies/envoy.html#supported-versions)
- to ensure the version you are using is compatible with Consul.
+ - `imageEnvoy` ((#v-connectinject-imageEnvoy)) (`string: ""`) - The name of the Docker image (including any tag) for the Envoy sidecar. `envoy` must be on the executable path within this image. This Envoy version must be compatible with the Consul version used by the injector. If not specified this defaults to letting the injector choose the Envoy image. Check [supported Envoy versions](/docs/connect/proxies/envoy.html#supported-versions) to ensure the version you are using is compatible with Consul.
- -
- `namespaceSelector`
- (`string: ""`) - A [selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
+ - `namespaceSelector` ((#v-connectinject-namespaceselector)) (`string: ""`) - A [selector](https://
+ kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
for restricting injection to only matching namespaces. By default all namespaces
except `kube-system` and `kube-public` will have injection enabled.
@@ -921,116 +588,57 @@ and consider if they're appropriate for your deployment.
namespace-label: label-value
```
- -
- `k8sAllowNamespaces`
- - list of k8s namespaces to allow Connect sidecar injection in. If a k8s
- namespace is not included or is listed in `k8sDenyNamespaces`, pods in that k8s
- namespace will not be injected even if they are explicitly annotated. Use `["*"]`
- to automatically allow all k8s namespaces.
+ - `k8sAllowNamespaces` ((#v-connectinject-k8sallownamespaces)) - list of k8s namespaces to allow
+ Connect sidecar injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, pods in that k8s namespace will not be injected even if they are explicitly annotated. Use `["*"]` to automatically allow all k8s namespaces.
For example, `["namespace1", "namespace2"]` will only allow pods in the k8s namespaces `namespace1` and `namespace2` to have Connect sidecars injected and registered with Consul. All other k8s namespaces will be ignored.
Note: `k8sDenyNamespaces` takes precedence over values defined here and `namespaceSelector` takes precedence over both since it is applied first. `kube-system` and `kube-public` are never injected, even if included here. Requires consul-k8s v0.12+
- -
- `k8sDenyNamespaces`
- - list of k8s namespaces that should not allow Connect sidecar injection.
- This list takes precedence over `k8sAllowNamespaces`. `*` is not supported because
- then nothing would be allowed to be injected.
+ - `k8sDenyNamespaces` ((#v-connectinject-k8sdenynamespaces)) - list of k8s namespaces that should not
+ allow Connect sidecar injection. This list takes precedence over `k8sAllowNamespaces`. `*` is not supported because then nothing would be allowed to be injected.
For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` and `namespace2` will be injected.
Note: `namespaceSelector` takes precedence over this since it is applied first. `kube-system` and `kube-public` are never injected. Requires consul-k8s v0.12+.
- -
- `consulNamespaces`
- - [Enterprise Only] These settings manage the connect injector's interaction
- with Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+). Also,
- `global.enableConsulNamespaces` must be true.
+ - `consulNamespaces` ((#v-connectinject-consulnamespaces)) - [Enterprise Only] These settings manage
+ the connect injector's interaction with Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+). Also, `global.enableConsulNamespaces` must be true.
- -
- `consulDestinationNamespace`
- (`string: "default"`) - Name of the Consul namespace to register all k8s
- services into. If the Consul namespace does not already exist, it will be created.
+ - `consulDestinationNamespace` ((#v-connectinject-consulnamespaces-consuldestinationnamespace))
+ (`string: "default"`) - Name of the Consul namespace to register all k8s services into. If the Consul namespace does not already exist, it will be created.
This will be ignored if `mirroringK8S` is true.
- -
- `mirroringK8S`
- (`bool: false`) - causes k8s services to be registered into a Consul namespace
- of the same name as their k8s namespace, optionally prefixed if `mirroringK8SPrefix`
- is set below. If the Consul namespace does not already exist, it will be created.
- Turning this on overrides the `consulDestinationNamespace` setting.
+ - `mirroringK8S` ((#v-connectinject-consulnamespaces-mirroringk8s)) (`bool: false`) - causes k8s
+ services to be registered into a Consul namespace of the same name as their k8s namespace, optionally prefixed if `mirroringK8SPrefix` is set below. If the Consul namespace does not already exist, it will be created. Turning this on overrides the `consulDestinationNamespace` setting.
- -
- `mirroringK8SPrefix`
- (`string: ""`) - If `mirroringK8S` is set to true, `mirroringK8SPrefix`
- allows each Consul namespace to be given a prefix. For example, if `mirroringK8SPrefix`
- is set to `"k8s-"`, a service in the k8s `staging` namespace will be registered
- into the `k8s-staging` Consul namespace.
+ - `mirroringK8SPrefix` ((#v-connectinject-consulnamespaces-mirroringk8sprefix)) (`string: ""`) - If
+ `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace to be given a prefix. For example, if `mirroringK8SPrefix` is set to `"k8s-"`, a service in the k8s `staging` namespace will be registered into the `k8s-staging` Consul namespace.
- -
- `certs`
- - The certs section configures how the webhook TLS certs are configured.
- These are the TLS certs for the Kube apiserver communicating to the webhook.
+ - `certs` ((#v-connectinject-certs)) - The certs section configures how the webhook TLS certs are
+ configured. These are the TLS certs for the Kube apiserver communicating to the webhook.
By default, the injector will generate and manage its own certs, but this requires
the ability for the injector to update its own `MutatingWebhookConfiguration`.
In a production environment, custom certs should probably be used. Configure
the values below to enable this.
- -
- `secretName`
- (`string: null`) - secretName is the name of the Kubernetes secret that
- has the TLS certificate and private key to serve the injector webhook. If this
- is null, then the injector will default to its automatic management mode.
+ - `secretName` ((#v-connectinject-certs-secretname)) (`string: null`) - secretName is the name of
+ the Kubernetes secret that has the TLS certificate and private key to serve the injector webhook. If this is null, then the injector will default to its automatic management mode.
- -
- `caBundle`
- (`string: ""`) - The PEM-encoded CA public certificate bundle for the
- TLS certificate served by the injector. This must be specified as a string
+ - `caBundle` ((#v-connectinject-cabundle)) (`string: ""`) - The PEM-encoded CA public certificate
+ bundle for the TLS certificate served by the injector. This must be specified as a string
and can't come from a secret because it must be statically configured on the
Kubernetes `MutatingAdmissionWebhook` resource. This only needs to be specified
if `secretName` is not null.
- -
- `certName`
- (`string: "tls.crt"`) - The name of the certificate file within the `secretName`
- secret.
+ - `certName` ((#v-connectinject-certs-certname)) (`string: "tls.crt"`) - The name of the
+ certificate file within the `secretName` secret.
- -
- `keyName`
- (`string: "tls.key"`) - The name of the private key for the certificate
- file within the `secretName` secret.
+ - `keyName` ((#v-connectinject-certs-keyname)) (`string: "tls.key"`) - The name of the private key
+ for the certificate file within the `secretName` secret.
- -
- `nodeSelector`
- (`string: null`) - This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
+ - `nodeSelector` ((#v-connectinject-nodeselector)) (`string: null`) - This value defines
+ [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
labels for `connectInject` pod assignment, formatted as a multi-line string.
```yaml
@@ -1038,89 +646,33 @@ and consider if they're appropriate for your deployment.
beta.kubernetes.io/arch: amd64
```
- -
- `aclBindingRuleSelector`
- (`string: "serviceaccount.name!=default"`) - A [selector](/docs/acl/acl-auth-methods.html#binding-rules)
+ - `aclBindingRuleSelector` ((#v-connectinject-acl-bindingrule-selector)) (`string: "serviceaccount.name!=default"`) - A [selector](/docs/acl/acl-auth-methods.html#binding-rules)
for restricting automatic injection to only matching services based on their
associated service account. By default, services using the `default` Kubernetes
service account will be prevented from logging in. This only has effect if ACLs
are enabled. Requires Consul 1.5+ and consul-k8s 0.8.0+.
- -
- `overrideAuthMethodName`
- (`string: ""`) - If not using `global.acls.manageSystemACLs` and instead
+ - `overrideAuthMethodName` ((#v-connectinject-overrideauthmethodname)) (`string: ""`) - If not using `global.acls.manageSystemACLs` and instead
manually setting up an auth method for Connect inject, set this to the name of
your Auth method.
- -
- `aclInjectToken`
- - Refers to a Kubernetes secret that you have created that contains an ACL
- token for your Consul cluster which allows the Connect injector the correct permissions.
- This is only needed if Consul namespaces and ACLs are enabled on the Consul cluster
- and you are not setting `global.acls.manageSystemACLs` to `true`. This token
- needs to have `operator = "write"` privileges so that it can create namespaces.
+ - `aclInjectToken` ((#v-connectinject-aclinjecttoken)) - Refers to a Kubernetes secret that you have created that contains an ACL token for your Consul cluster which allows the Connect injector the correct permissions. This is only needed if Consul namespaces and ACLs are enabled on the Consul cluster and you are not setting `global.acls.manageSystemACLs` to `true`. This token needs to have `operator = "write"` privileges so that it can create namespaces.
- -
- secretName{' '}
-
- `(string: null)` - The name of the Kubernetes secret.
+ - `secretName` ((#v-connectinject-aclinjecttoken-secretname)) `(string: null)` - The name of the Kubernetes secret.
- -
- secretKey{' '}
-
- `(string: null)` - The key within the Kubernetes secret that holds the acl
- token.
+ - `secretKey` ((#v-connectinject-aclinjecttoken-secretkey)) `(string: null)` - The key within the Kubernetes secret that holds the acl token.
- -
- `centralConfig`
- - Values that configure Consul's [central configuration](/docs/agent/config_entries.html)
+ - `centralConfig` ((#v-connectinject-centralconfig)) - Values that configure Consul's [central configuration](/docs/agent/config_entries.html)
feature (requires Consul v1.5+ and consul-k8s v0.8.1+).
- -
- `enabled`
- (`boolean: true`) - Turns on the central configuration feature. Pods that
- have a Connect proxy injected will have their service automatically registered
- in this central configuration.
+ - `enabled` ((#v-connectinject-centralconfig-enabled)) (`boolean: true`) - Turns on the central
+ configuration feature. Pods that have a Connect proxy injected will have their service automatically registered in this central configuration.
- -
- `defaultProtocol`
- (`string: null`) - If defined, this value will be used as the default
- protocol type for all services registered with the central configuration. This
- can be overridden by using the [protocol annotation](/docs/platform/k8s/connect.html#consul-hashicorp-com-connect-service-protocol)
- directly on any pod spec.
+ - `defaultProtocol` ((#v-connectinject-centralconfig-defaultprotocol)) (`string: null`) - If
+ defined, this value will be used as the default protocol type for all services registered with the central configuration. This can be overridden by using the [protocol annotation](/docs/platform/k8s/connect.html#consul-hashicorp-com-connect-service-protocol) directly on any pod spec.
- -
- `proxyDefaults`
- (`string: "{}"`) - This value is a raw json string that will be applied
- to all Connect proxy sidecar pods. It can include any valid configuration for
- the configured proxy.
+ - `proxyDefaults` ((#v-connectinject-centralconfig-proxydefaults)) (`string: "{}"`) - This value is
+ a raw json string that will be applied to all Connect proxy sidecar pods. It can include any valid configuration for the configured proxy.
```yaml
# proxyDefaults values are formatted as a multi-line string:
@@ -1130,14 +682,10 @@ and consider if they're appropriate for your deployment.
}
```
--
- `tests`
- - Control whether to enable a test for this Helm chart.
+- `tests` ((#v-tests)) - Control whether to enable a test for this Helm chart.
- -
- `enabled`
- (`boolean: true`) If true, the test Pod manifest will be generated to be
- used as a Helm test. The pod will be created when a `helm test` command is executed.
+ - `enabled` ((#v-tests-enabled)) (`boolean: true`) If true, the test Pod manifest will be generated
+ to be used as a Helm test. The pod will be created when a `helm test` command is executed.
## Helm Chart Examples
diff --git a/website/pages/docs/k8s/index.mdx b/website/pages/docs/k8s/index.mdx
index 4946889156..37df260552 100644
--- a/website/pages/docs/k8s/index.mdx
+++ b/website/pages/docs/k8s/index.mdx
@@ -51,18 +51,16 @@ Kubernetes can choose to leverage Consul.
There are several ways to try Consul with Kubernetes in different environments.
-Guides
+**Guides**
- The [Getting Started with Consul Service Mesh track](https://learn.hashicorp.com/consul/gs-consul-service-mesh/understand-consul-service-mesh?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS)
walks you through installing Consul as service mesh for Kubernetes using the Helm
chart, deploying services in the service mesh, and using intentions to secure service
communications.
-- The [Consul and minikube guide](https://learn.hashicorp.com/consul/
- getting-started-k8s/minikube?utm_source=consul.io&utm_medium=docs) is a quick walk through of how to deploy Consul with the official Helm chart on a local instance of Minikube.
+- The [Consul and minikube guide](https://learn.hashicorp.com/consul/getting-started-k8s/minikube?utm_source=consul.io&utm_medium=docs) is a quick walk through of how to deploy Consul with the official Helm chart on a local instance of Minikube.
-- The [Deploying Consul with Kubernetes guide](https://learn.hashicorp.com/
- consul/getting-started-k8s/minikube?utm_source=consul.io&utm_medium=docs)
+- The [Deploying Consul with Kubernetes guide](https://learn.hashicorp.com/consul/getting-started-k8s/minikube?utm_source=consul.io&utm_medium=docs)
walks you through deploying Consul on Kubernetes with the official Helm chart and can be applied to any Kubernetes installation type.
- Review production best practices and cloud-specific configurations for deploying Consul on managed Kubernetes runtimes.
@@ -76,7 +74,7 @@ Guides
- The [Consul and Kubernetes Deployment](https://learn.hashicorp.com/consul/day-1-operations/kubernetes-deployment-guide?utm_source=consul.io&utm_medium=docs) guide covers the necessary steps to install and configure a new Consul cluster on Kubernetes in production.
-Documentation
+**Documentation**
- [Installing Consul](/docs/platform/k8s/run.html) covers how to install Consul using the Helm chart.
- [Helm Chart Reference](/docs/platform/k8s/helm.html) describes the different options for configuring the Helm chart.
diff --git a/website/pages/docs/k8s/installation/predefined-pvcs.mdx b/website/pages/docs/k8s/installation/predefined-pvcs.mdx
index 269c5dd567..75fe02d866 100644
--- a/website/pages/docs/k8s/installation/predefined-pvcs.mdx
+++ b/website/pages/docs/k8s/installation/predefined-pvcs.mdx
@@ -10,7 +10,7 @@ description: Using predefined Persistent Volume Claims
The only way to use a pre-created PVC is to name them in the format Kubernetes expects:
-```
+```text
data---consul-server-
```
@@ -20,7 +20,7 @@ need as many PVCs as you have Consul servers. For example, given a Kubernetes
namespace of "vault," a release name of "consul," and 5 servers, you would need
to create PVCs with the following names:
-```
+```text
data-vault-consul-consul-server-0
data-vault-consul-consul-server-1
data-vault-consul-consul-server-2
diff --git a/website/pages/docs/k8s/operations/tls-on-existing-cluster.mdx b/website/pages/docs/k8s/operations/tls-on-existing-cluster.mdx
index e79f6a48d0..148bd32cfe 100644
--- a/website/pages/docs/k8s/operations/tls-on-existing-cluster.mdx
+++ b/website/pages/docs/k8s/operations/tls-on-existing-cluster.mdx
@@ -20,21 +20,20 @@ If you're **not using Consul Connect**, follow this process.
1. Run a Helm upgrade with the following config:
+ ```yaml
+ global:
+ tls:
+ enabled: true
+ # This configuration sets `verify_outgoing`, `verify_server_hostname`,
+ # and `verify_incoming` to `false` on servers and clients,
+ # which allows TLS-disabled nodes to join the cluster.
+ verify: false
+ server:
+ updatePartition:
+ ```
- ```yaml
- global:
- tls:
- enabled: true
- # This configuration sets `verify_outgoing`, `verify_server_hostname`,
- # and `verify_incoming` to `false` on servers and clients,
- # which allows TLS-disabled nodes to join the cluster.
- verify: false
- server:
- updatePartition:
- ```
-
- This upgrade will trigger a rolling update of the clients, as well as any
- other `consul-k8s` components, such as sync catalog or client snapshot deployments.
+This upgrade will trigger a rolling update of the clients, as well as any
+other `consul-k8s` components, such as sync catalog or client snapshot deployments.
1. Perform a rolling upgrade of the servers, as described in
[Upgrade Consul Servers](/docs/platform/k8s/upgrading.html#upgrading-consul-servers).
@@ -58,25 +57,24 @@ applications to it.
1. Create the following Helm config file for the upgrade:
+ ```yaml
+ global:
+ tls:
+ enabled: true
+ # This configuration sets `verify_outgoing`, `verify_server_hostname`,
+ # and `verify_incoming` to `false` on servers and clients,
+ # which allows TLS-disabled nodes to join the cluster.
+ verify: false
+ server:
+ updatePartition:
+ client:
+ updateStrategy: |
+ type: OnDelete
+ ```
- ```yaml
- global:
- tls:
- enabled: true
- # This configuration sets `verify_outgoing`, `verify_server_hostname`,
- # and `verify_incoming` to `false` on servers and clients,
- # which allows TLS-disabled nodes to join the cluster.
- verify: false
- server:
- updatePartition:
- client:
- updateStrategy: |
- type: OnDelete
- ```
-
- In this configuration, we're setting `server.updatePartition` to the number of
- server replicas as described in [Upgrade Consul Servers](/docs/platform/k8s/upgrading.html#upgrading-consul-servers)
- and `client.updateStrategy` to `OnDelete` to manually trigger an upgrade of the clients.
+ In this configuration, we're setting `server.updatePartition` to the number of
+ server replicas as described in [Upgrade Consul Servers](/docs/platform/k8s/upgrading.html#upgrading-consul-servers)
+ and `client.updateStrategy` to `OnDelete` to manually trigger an upgrade of the clients.
1. Run `helm upgrade` with the above config file. The upgrade will trigger an update of all
components except clients and servers, such as the Consul Connect webhook deployment
diff --git a/website/pages/docs/k8s/service-sync.mdx b/website/pages/docs/k8s/service-sync.mdx
index 04c43144bd..7e993a8859 100644
--- a/website/pages/docs/k8s/service-sync.mdx
+++ b/website/pages/docs/k8s/service-sync.mdx
@@ -313,56 +313,57 @@ There are three options available:
1. **Single Destination Namespace** – Sync all Kubernetes services, regardless of namespace,
into the same Consul namespace.
- This can be configured with:
+ This can be configured with:
- ```yaml
- global:
- enableConsulNamespaces: true
+ ```yaml
+ global:
+ enableConsulNamespaces: true
- syncCatalog:
- enabled: true
- consulNamespaces:
- consulDestinationNamespace: "my-consul-ns"
- ```
+ syncCatalog:
+ enabled: true
+ consulNamespaces:
+ consulDestinationNamespace: 'my-consul-ns'
+ ```
+
+1. **Mirror Namespaces** - Each Kubernetes service will be synced to a Consul namespace with the same
+ name as its Kubernetes namespace.
-1. **Mirror Namespaces** - Each Kubernetes service will be synced to a Consul namespace with the same name as its Kubernetes namespace.
For example, service `foo` in Kubernetes namespace `ns-1` will be synced to the Consul namespace `ns-1`.
If a mirrored namespace does not exist in Consul, it will be created.
This can be configured with:
- ````yaml
+ ```yaml
global:
- enableConsulNamespaces: true
+ enableConsulNamespaces: true
- syncCatalog:
- enabled: true
- consulNamespaces:
- mirroringK8S: true
+ syncCatalog:
+ enabled: true
+ consulNamespaces:
+ mirroringK8S: true
- addK8SNamespaceSuffix: false
- ```
+ addK8SNamespaceSuffix: false
+ ```
- ````
+1. **Mirror Namespaces With Prefix** - Each Kubernetes service will be synced to a Consul namespace
+ with the same name as its Kubernetes namespace **with a prefix**. For example, given a prefix
+ `k8s-`, service `foo` in Kubernetes namespace `ns-1` will be synced to the Consul namespace
+ `k8s-ns-1`.
-1. **Mirror Namespaces With Prefix** - Each Kubernetes service will be synced to a Consul namespace with the same name as its Kubernetes
- namespace **with a prefix**.
- For example, given a prefix `k8s-`, service `foo` in Kubernetes namespace `ns-1` will be synced to the Consul namespace `k8s-ns-1`.
+ This can be configured with:
- This can be configured with:
+ ```yaml
+ global:
+ enableConsulNamespaces: true
- ```yaml
- global:
- enableConsulNamespaces: true
+ syncCatalog:
+ enabled: true
+ consulNamespaces:
+ mirroringK8S: true
+ mirroringK8SPrefix: 'k8s-'
- syncCatalog:
- enabled: true
- consulNamespaces:
- mirroringK8S: true
- mirroringK8SPrefix: "k8s-"
-
- addK8SNamespaceSuffix: false
- ```
+ addK8SNamespaceSuffix: false
+ ```
-> Note that in both mirroring examples we're setting `addK8SNamespaceSuffix: false`. If set to `true`
(the default), the Kubernetes namespace will be added as a suffix to each
diff --git a/website/pages/docs/partnerships.mdx b/website/pages/docs/partnerships.mdx
index 8904731c8c..30c2ea6529 100644
--- a/website/pages/docs/partnerships.mdx
+++ b/website/pages/docs/partnerships.mdx
@@ -14,10 +14,7 @@ The HashiCorp Consul Integration Program enables vendors to build integrations w
By leveraging Consul’s RESTful HTTP API system, vendors are able to build extensible integrations at the data plane, platform, and the infrastructure layer to extend Consul’s functionalities. These integrations can be performed with the OSS (open source) version of Consul. Integrations with advanced network segmentation, advanced federation, and advanced read scalability need to be tested against Consul Enterprise, since these features are only supported by Consul Enterprise.
-
- [](/img/consul_ecosystem_diagram.png)
-
+[](/img/consul_ecosystem_diagram.png)
**Data Plane**: These integrations automate IP updates of load balancers by leveraging Consul service discovery, automate firewall security policy updates by leveraging Consul intentions within a centralized management tool, extend sidecar proxies to support Consul connect, and extend API gateways to allow Consul to route incoming traffic to the proxies for Connect-enabled services.