diff --git a/website/content/docs/k8s/connect/ingress-gateways.mdx b/website/content/docs/k8s/connect/ingress-gateways.mdx index 1b042a4e38..fa3cd1162f 100644 --- a/website/content/docs/k8s/connect/ingress-gateways.mdx +++ b/website/content/docs/k8s/connect/ingress-gateways.mdx @@ -84,13 +84,14 @@ spec: services: - name: static-server ``` + + + ~> **Note:** The 'name' field for the IngressGateway resource must match the name specified when creating the gateway in the Helm chart. In the above example, the name "ingress-gateway" is the [default name](/docs/k8s/helm#v-ingressgateways-gateways-name) used by the Helm chart when enabling ingress gateways. - - Apply the `IngressGateway` resource with `kubectl apply`: ```shell-session diff --git a/website/content/docs/k8s/helm.mdx b/website/content/docs/k8s/helm.mdx index 1b2295833e..2f4c167edf 100644 --- a/website/content/docs/k8s/helm.mdx +++ b/website/content/docs/k8s/helm.mdx @@ -28,6 +28,12 @@ and consider if they're appropriate for your deployment. will be installed by default and per-component opt-in is required, such as by setting `server.enabled` to true. + - `logLevel` ((#v-global-loglevel)) (`string: info`) - The default log level to apply to all components which do not otherwise override this setting. + It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity. + One of "debug", "info", "warn", or "error". + + - `logJSON` ((#v-global-logjson)) (`boolean: false`) - Enable all component logs to be output in JSON format. + - `name` ((#v-global-name)) (`string: null`) - Set the prefix used for all resources in the Helm chart. If not set, the prefix will be `-consul`. 
@@ -49,7 +55,7 @@ and consider if they're appropriate for your deployment. ``` - `imagePullSecrets` ((#v-global-imagepullsecrets)) (`array`) - Array of objects containing image pull secret names that will be applied to each service account. - This can be used to reference image pull secrets if using a custom consul or consul-k8s Docker image. + This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. See https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry for reference. Example: @@ -60,8 +66,8 @@ and consider if they're appropriate for your deployment. - name: pull-secret-name-2 ``` - - `imageK8S` ((#v-global-imagek8s)) (`string: hashicorp/consul-k8s:`) - The name (and tag) of the consul-k8s (https://github.com/hashicorp/consul-k8s) - Docker image that is used for functionality such the catalog sync. + - `imageK8S` ((#v-global-imagek8s)) (`string: hashicorp/consul-k8s-control-plane:`) - The name (and tag) of the consul-k8s-control-plane Docker + image that is used for functionality such as catalog sync. This can be overridden per component. - `datacenter` ((#v-global-datacenter)) (`string: dc1`) - The name of the datacenter that the agents should 
@@ -105,15 +111,15 @@ and consider if they're appropriate for your deployment. - `tls` ((#v-global-tls)) - Enables TLS (https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure) across the cluster to verify authenticity of the Consul servers and clients. - Requires Consul v1.4.1+ and consul-k8s v0.16.2+ + Requires Consul v1.4.1+. - `enabled` ((#v-global-tls-enabled)) (`boolean: false`) - If true, the Helm chart will enable TLS for Consul - servers and clients and all consul-k8s components, as well as generate certificate + servers and clients and all consul-k8s-control-plane components, as well as generate certificate authority (optional) and server and client certificates. - `enableAutoEncrypt` ((#v-global-tls-enableautoencrypt)) (`boolean: false`) - If true, turns on the auto-encrypt feature on clients and servers. - It also switches consul-k8s components to retrieve the CA from the servers - via the API. Requires Consul 1.7.1+ and consul-k8s 0.13.0 + It also switches consul-k8s-control-plane components to retrieve the CA from the servers + via the API. Requires Consul 1.7.1+. - `serverAdditionalDNSSANs` ((#v-global-tls-serveradditionaldnssans)) (`array: []`) - A list of additional DNS names to set as Subject Alternative Names (SANs) in the server certificate. This is useful when you need to access the 
@@ -168,21 +174,20 @@ and consider if they're appropriate for your deployment. - `enableConsulNamespaces` ((#v-global-enableconsulnamespaces)) (`boolean: false`) - `enableConsulNamespaces` indicates that you are running Consul Enterprise v1.7+ with a valid Consul Enterprise license and would like to make use of configuration beyond registering everything into - the `default` Consul namespace. Requires consul-k8s v0.12+. Additional configuration + the `default` Consul namespace. Additional configuration options are found in the `consulNamespaces` section of both the catalog sync and connect injector. - `acls` ((#v-global-acls)) - Configure ACLs. - `manageSystemACLs` ((#v-global-acls-managesystemacls)) (`boolean: false`) - If true, the Helm chart will automatically manage ACL tokens and policies - for all Consul and consul-k8s components. - This requires Consul >= 1.4 and consul-k8s >= 0.14.0. + for all Consul and consul-k8s-control-plane components. + This requires Consul >= 1.4. - `bootstrapToken` ((#v-global-acls-bootstraptoken)) - A Kubernetes secret containing the bootstrap token to use for - creating policies and tokens for all Consul and consul-k8s components. + creating policies and tokens for all Consul and consul-k8s-control-plane components. If set, we will skip ACL bootstrapping of the servers and will only - initialize ACLs for the Consul clients and consul-k8s system components. - Requires consul-k8s >= 0.14.0. + initialize ACLs for the Consul clients and consul-k8s-control-plane system components. - `secretName` ((#v-global-acls-bootstraptoken-secretname)) (`string: null`) - The name of the Kubernetes secret. 
@@ -194,13 +199,11 @@ and consider if they're appropriate for your deployment. datacenter. In secondary datacenters, the secret needs to be imported from the primary datacenter and referenced via `global.acls.replicationToken`. - Requires consul-k8s >= 0.13.0. - `replicationToken` ((#v-global-acls-replicationtoken)) - replicationToken references a secret containing the replication ACL token. This token will be used by secondary datacenters to perform ACL replication and create ACL tokens and policies. This value is ignored if `bootstrapToken` is also set. - Requires consul-k8s >= 0.13.0. - `secretName` ((#v-global-acls-replicationtoken-secretname)) (`string: null`) - The name of the Kubernetes secret. @@ -220,7 +223,7 @@ and consider if they're appropriate for your deployment. and authenticate with this datacenter. This should only be set to true in your primary datacenter. The secret name is `-federation` (if setting `global.name`), otherwise - `-consul-federation`. Requires consul-k8s 0.15.0+. + `-consul-federation`. - `metrics` ((#v-global-metrics)) - Configures metrics for Consul service mesh 
@@ -240,9 +243,8 @@ and consider if they're appropriate for your deployment. Envoy metrics on port `20200` at the `/metrics` path and all gateway pods will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true. - - `consulSidecarContainer` ((#v-global-consulsidecarcontainer)) (`map`) - The consul sidecar ensures the Consul services - are always registered with their local Consul clients and is used by the - ingress/terminating/mesh gateways as well as with every Connect-injected service. + - `consulSidecarContainer` ((#v-global-consulsidecarcontainer)) (`map`) - For connect-injected pods, the consul sidecar is responsible for metrics merging. For ingress/mesh/terminating + gateways, it additionally ensures the Consul services are always registered with their local Consul client. - `imageEnvoy` ((#v-global-imageenvoy)) (`string: envoyproxy/envoy-alpine:`) - The name (and tag) of the Envoy Docker image used for the connect-injected sidecar proxies and mesh, terminating, and ingress gateways. 
@@ -293,6 +295,33 @@ and consider if they're appropriate for your deployment. - `enableLicenseAutoload` ((#v-server-enterpriselicense-enablelicenseautoload)) (`boolean: true`) - Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+. + - `serverCert` ((#v-server-servercert)) - A Kubernetes secret containing a certificate & key for the server agents to use + for TLS communication within the Consul cluster. Cert needs to be provided with + additional DNS name SANs so that it will work within the Kubernetes cluster: + + ```bash + consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \ + -key=consul-agent-ca-key.pem -dc={{datacenter}} \ + -additional-dnsname="{{fullname}}-server" \ + -additional-dnsname="*.{{fullname}}-server" \ + -additional-dnsname="*.{{fullname}}-server.{{namespace}}" \ + -additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \ + -additional-dnsname="*.server.{{datacenter}}.{{domain}}" \ + -additional-dnsname="server.{{datacenter}}.{{domain}}" + ``` + + If you have generated the + server-cert yourself with the consul CLI, you could use the following command + to create the secret in Kubernetes: + + ```bash + kubectl create secret generic consul-server-cert \ + --from-file='tls.crt=./dc1-server-consul-0.pem' + --from-file='tls.key=./dc1-server-consul-0-key.pem' + ``` + + - `secretName` ((#v-server-servercert-secretname)) (`string: null`) - The name of the Kubernetes secret. + - `exposeGossipAndRPCPorts` ((#v-server-exposegossipandrpcports)) (`boolean: false`) - Exposes the servers' gossip and RPC ports as hostPorts. To enable a client agent outside of the k8s cluster to join the datacenter, you would need to enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and 
@@ -527,8 +556,8 @@ and consider if they're appropriate for your deployment. - `externalServers` ((#v-externalservers)) - Configuration for Consul servers when the servers are running outside of Kubernetes. When running external servers, configuring these values is recommended - if setting `global.tls.enableAutoEncrypt` to true (requires consul-k8s >= 0.13.0) - or `global.acls.manageSystemACLs` to true (requires consul-k8s >= 0.14.0). + if setting `global.tls.enableAutoEncrypt` to true + or `global.acls.manageSystemACLs` to true. - `enabled` ((#v-externalservers-enabled)) (`boolean: false`) - If true, the Helm chart will be configured to talk to the external servers. If setting this to true, you must also set `server.enabled` to false. @@ -546,10 +575,10 @@ and consider if they're appropriate for your deployment. - `tlsServerName` ((#v-externalservers-tlsservername)) (`string: null`) - The server name to use as the SNI host header when connecting with HTTPS. - - `useSystemRoots` ((#v-externalservers-usesystemroots)) (`boolean: false`) - If true, consul-k8s components will ignore the CA set in + - `useSystemRoots` ((#v-externalservers-usesystemroots)) (`boolean: false`) - If true, consul-k8s-control-plane components will ignore the CA set in `global.tls.caCert` when making HTTPS calls to Consul servers and - will instead use the consul-k8s image's system CAs for TLS verification. - If false, consul-k8s components will use `global.tls.caCert` when + will instead use the consul-k8s-control-plane image's system CAs for TLS verification. + If false, consul-k8s-control-plane components will use `global.tls.caCert` when making HTTPS calls to Consul servers. **NOTE:** This does not affect Consul's internal RPC communication which will always use `global.tls.caCert`. 
@@ -558,7 +587,6 @@ and consider if they're appropriate for your deployment. `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server. This address must be reachable from the Consul servers. Please see the Kubernetes Auth Method documentation (https://consul.io/docs/acl/auth-methods/kubernetes). - Requires consul-k8s >= 0.14.0. You could retrieve this value from your `kubeconfig` by running: @@ -598,6 +626,13 @@ and consider if they're appropriate for your deployment. port 8502 and expose it to the host. This will use slightly more resources, but is required for Connect. + - `nodeMeta` ((#v-client-nodemeta)) - nodeMeta specifies an arbitrary metadata key/value pair to associate with the node + (see https://www.consul.io/docs/agent/options.html#_node_meta) + + - `pod-name` ((#v-client-nodemeta-pod-name)) (`string: ${HOSTNAME}`) + + - `host-ip` ((#v-client-nodemeta-host-ip)) (`string: ${HOST_IP}`) + - `exposeGossipPorts` ((#v-client-exposegossipports)) (`boolean: false`) - If true, the Helm chart will expose the clients' gossip ports as hostPorts. This is only necessary if pod IPs in the k8s cluster are not directly routable and the Consul servers are outside of the k8s cluster. @@ -874,6 +909,8 @@ and consider if they're appropriate for your deployment. - `enabled` ((#v-ui-ingress-enabled)) (`boolean: false`) - This will create an Ingress resource for the Consul UI. + - `pathType` ((#v-ui-ingress-pathtype)) (`string: Prefix`) - pathType override - see: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types + - `hosts` ((#v-ui-ingress-hosts)) (`array`) - hosts is a list of host name to create Ingress rules. ```yaml @@ -890,7 +927,7 @@ and consider if they're appropriate for your deployment. ```yaml tls: - hosts: - - chart-example.local + - chart-example.local secretName: testsecret-tls ``` 
@@ -929,7 +966,7 @@ and consider if they're appropriate for your deployment. - `enabled` ((#v-synccatalog-enabled)) (`boolean: false`) - True if you want to enable the catalog sync. Set to "-" to inherit from global.enabled. - - `image` ((#v-synccatalog-image)) (`string: null`) - The name of the Docker image (including any tag) for consul-k8s + - `image` ((#v-synccatalog-image)) (`string: null`) - The name of the Docker image (including any tag) for consul-k8s-control-plane to run the sync program. - `default` ((#v-synccatalog-default)) (`boolean: true`) - If true, all valid services in K8S are @@ -961,12 +998,10 @@ and consider if they're appropriate for your deployment. To deny all namespaces, set this to `[]`. Note: `k8sDenyNamespaces` takes precedence over values defined here. - Requires consul-k8s v0.12+ - `k8sDenyNamespaces` ((#v-synccatalog-k8sdenynamespaces)) (`array: ["kube-system", "kube-public"]`) - List of k8s namespaces that should not have their services synced. This list takes precedence over `k8sAllowNamespaces`. `*` is not supported because then nothing would be allowed to sync. - Requires consul-k8s v0.12+. For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` @@ -980,7 +1015,7 @@ and consider if they're appropriate for your deployment. to all namespaces. - `consulNamespaces` ((#v-synccatalog-consulnamespaces)) - These settings manage the catalog sync's interaction with - Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+). + Consul namespaces (requires consul-ent v1.7+). Also, `global.enableConsulNamespaces` must be true. - `consulDestinationNamespace` ((#v-synccatalog-consulnamespaces-consuldestinationnamespace)) (`string: default`) - Name of the Consul namespace to register all 
@@ -1076,7 +1111,7 @@ and consider if they're appropriate for your deployment. - `resources` ((#v-synccatalog-resources)) (`map`) - Resource settings for sync catalog pods. - - `logLevel` ((#v-synccatalog-loglevel)) (`string: info`) - Log verbosity level. One of "trace", "debug", "info", "warn", or "error". + - `logLevel` ((#v-synccatalog-loglevel)) (`string: ""`) - Override global log verbosity level. One of "debug", "info", "warn", or "error". - `consulWriteInterval` ((#v-synccatalog-consulwriteinterval)) (`string: null`) - Override the default interval to perform syncing operations creating Consul services. @@ -1097,7 +1132,9 @@ and consider if they're appropriate for your deployment. - `enabled` ((#v-connectinject-enabled)) (`boolean: false`) - True if you want to enable connect injection. Set to "-" to inherit from global.enabled. - - `image` ((#v-connectinject-image)) (`string: null`) - Image for consul-k8s that contains the injector + - `replicas` ((#v-connectinject-replicas)) (`integer: 2`) - The number of deployment replicas. + + - `image` ((#v-connectinject-image)) (`string: null`) - Image for consul-k8s-control-plane that contains the injector. - `default` ((#v-connectinject-default)) (`boolean: false`) - If true, the injector will inject the Connect sidecar into all pods by default. Otherwise, pods must specify the @@ -1106,7 +1143,7 @@ and consider if they're appropriate for your deployment. to explicitly opt-out of injection. - `transparentProxy` ((#v-connectinject-transparentproxy)) - Configures Transparent Proxy for Consul Service mesh services. - Using this feature requires Consul 1.10.0-beta1+ and consul-k8s 0.26.0-beta1+. + Using this feature requires Consul 1.10.0-beta1+. - `defaultEnabled` ((#v-connectinject-transparentproxy-defaultenabled)) (`boolean: true`) - If true, then all Consul Service mesh will run with transparent proxy enabled by default, i.e. we enforce that all traffic within the pod will go through the proxy. 
@@ -1126,14 +1163,13 @@ and consider if they're appropriate for your deployment. add prometheus annotations to connect-injected pods. It will also add a listener on the Envoy sidecar to expose metrics. The exposed metrics will depend on whether metrics merging is enabled: - - - If metrics merging is enabled: - the Consul sidecar will run a merged metrics server - combining Envoy sidecar and Connect service metrics, - i.e. if your service exposes its own Prometheus metrics. - - If metrics merging is disabled: - the listener will just expose Envoy sidecar metrics. - This will inherit from `global.metrics.enabled`. + - If metrics merging is enabled: + the Consul sidecar will run a merged metrics server + combining Envoy sidecar and Connect service metrics, + i.e. if your service exposes its own Prometheus metrics. + - If metrics merging is disabled: + the listener will just expose Envoy sidecar metrics. + This will inherit from `global.metrics.enabled`. - `defaultEnableMerging` ((#v-connectinject-metrics-defaultenablemerging)) (`boolean: false`) - Configures the Consul sidecar to run a merged metrics server to combine and serve both Envoy and Connect service metrics. 
@@ -1146,14 +1182,14 @@ and consider if they're appropriate for your deployment. - `defaultPrometheusScrapePort` ((#v-connectinject-metrics-defaultprometheusscrapeport)) (`integer: 20200`) - Configures the port Prometheus will scrape metrics from, by configuring the Pod annotation `prometheus.io/port` and the corresponding listener in the Envoy sidecar. - NOTE: This is _not_ the port that your application exposes metrics on. + NOTE: This is *not* the port that your application exposes metrics on. That can be configured with the `consul.hashicorp.com/service-metrics-port` annotation. - `defaultPrometheusScrapePath` ((#v-connectinject-metrics-defaultprometheusscrapepath)) (`string: /metrics`) - Configures the path Prometheus will scrape metrics from, by configuring the pod annotation `prometheus.io/path` and the corresponding handler in the Envoy sidecar. - NOTE: This is _not_ the path that your application exposes metrics on. + NOTE: This is *not* the path that your application exposes metrics on. That can be configured with the `consul.hashicorp.com/service-metrics-path` annotation. @@ -1166,7 +1202,7 @@ and consider if they're appropriate for your deployment. - `imageConsul` ((#v-connectinject-imageconsul)) (`string: null`) - The Docker image for Consul to use when performing Connect injection. Defaults to global.image. - - `logLevel` ((#v-connectinject-loglevel)) (`string: info`) - Log verbosity level. One of "debug", "info", "warn", or "error". + - `logLevel` ((#v-connectinject-loglevel)) (`string: ""`) - Override global log verbosity level. One of "debug", "info", "warn", or "error". - `serviceAccount` ((#v-connectinject-serviceaccount)) 
@@ -1181,6 +1217,13 @@ and consider if they're appropriate for your deployment. - `resources` ((#v-connectinject-resources)) (`map`) - Resource settings for connect inject pods. + - `failurePolicy` ((#v-connectinject-failurepolicy)) (`string: Fail`) - Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook + is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline. + Once the webhook is back online the pod will be scheduled. + In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running + which can lead to hangs. In these environments it is recommend to use "Ignore" instead. + This setting can be safely disabled by setting to "Ignore". + - `namespaceSelector` ((#v-connectinject-namespaceselector)) (`string: null`) - Selector for restricting the webhook to only specific namespaces. This should be set to a multiline string. See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector @@ -1208,7 +1251,6 @@ and consider if they're appropriate for your deployment. Note: `k8sDenyNamespaces` takes precedence over values defined here and `namespaceSelector` takes precedence over both since it is applied first. `kube-system` and `kube-public` are never injected, even if included here. - Requires consul-k8s v0.12+ - `k8sDenyNamespaces` ((#v-connectinject-k8sdenynamespaces)) (`array: []`) - List of k8s namespaces that should not allow Connect sidecar injection. This list takes precedence over `k8sAllowNamespaces`. 
@@ -1220,10 +1262,9 @@ and consider if they're appropriate for your deployment. Note: `namespaceSelector` takes precedence over this since it is applied first. `kube-system` and `kube-public` are never injected. - Requires consul-k8s v0.12+. - `consulNamespaces` ((#v-connectinject-consulnamespaces)) - These settings manage the connect injector's interaction with - Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+). + Consul namespaces (requires consul-ent v1.7+). Also, `global.enableConsulNamespaces` must be true. - `consulDestinationNamespace` ((#v-connectinject-consulnamespaces-consuldestinationnamespace)) (`string: default`) - Name of the Consul namespace to register all @@ -1268,7 +1309,7 @@ and consider if they're appropriate for your deployment. See https://www.consul.io/docs/acl/acl-auth-methods.html#binding-rules and https://www.consul.io/docs/acl/auth-methods/kubernetes.html#trusted-identity-attributes for more details. - Requires Consul >= v1.5 and consul-k8s >= v0.8.0. + Requires Consul >= v1.5. - `overrideAuthMethodName` ((#v-connectinject-overrideauthmethodname)) (`string: ""`) - If you are not using global.acls.manageSystemACLs and instead manually setting up an auth method for Connect inject, set this to the name of your auth method. @@ -1320,7 +1361,7 @@ and consider if they're appropriate for your deployment. - `replicas` ((#v-controller-replicas)) (`integer: 1`) - The number of deployment replicas. - - `logLevel` ((#v-controller-loglevel)) (`string: info`) - Log verbosity level. One of "debug", "info", "warn", or "error". + - `logLevel` ((#v-controller-loglevel)) (`string: ""`) - Log verbosity level. One of "debug", "info", "warn", or "error". - `serviceAccount` ((#v-controller-serviceaccount)) @@ -1350,7 +1391,6 @@ and consider if they're appropriate for your deployment. `global.acls.manageSystemACLs`). If running Consul OSS, requires permissions: - ```hcl operator = "write" service_prefix "" { 
@@ -1358,7 +1398,6 @@ and consider if they're appropriate for your deployment. intentions = "write" } ``` - If running Consul Enterprise, talk to your account manager for assistance. - `secretName` ((#v-controller-acltoken-secretname)) (`string: null`) - The name of the Kubernetes secret. @@ -1372,7 +1411,7 @@ and consider if they're appropriate for your deployment. - `enabled` ((#v-meshgateway-enabled)) (`boolean: false`) - If mesh gateways are enabled, a Deployment will be created that runs gateways and Consul Connect will be configured to use gateways. See https://www.consul.io/docs/connect/mesh_gateway.html - Requirements: consul 1.6.0+ and consul-k8s 0.15.0+ if using + Requirements: consul 1.6.0+ if using global.acls.manageSystemACLs. - `replicas` ((#v-meshgateway-replicas)) (`integer: 2`) - Number of replicas for the Deployment. @@ -1500,8 +1539,7 @@ and consider if they're appropriate for your deployment. specific gateway with the exception of annotations. Annotations will include both the default annotations and any additional ones defined for a specific gateway. - Requirements: consul >= 1.8.0 and consul-k8s >= 0.16.0 if using - global.acls.manageSystemACLs and consul-k8s >= 0.10.0 if not. + Requirements: consul >= 1.8.0 - `enabled` ((#v-ingressgateways-enabled)) (`boolean: false`) - Enable ingress gateway deployment. Requires `connectInject.enabled=true` and `client.enabled=true`. @@ -1595,8 +1633,7 @@ and consider if they're appropriate for your deployment. specific gateway with the exception of annotations. Annotations will include both the default annotations and any additional ones defined for a specific gateway. - Requirements: consul >= 1.8.0 and consul-k8s >= 0.16.0 if using - global.acls.manageSystemACLs and consul-k8s >= 0.10.0 if not. + Requirements: consul >= 1.8.0 - `enabled` ((#v-terminatinggateways-enabled)) (`boolean: false`) - Enable terminating gateway deployment. Requires `connectInject.enabled=true` and `client.enabled=true`.
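
Review bot: in the `server.serverCert` hunk of helm.mdx (`@@ -293,6 +295,33 @@`), the `kubectl create secret generic consul-server-cert` example is missing the line continuation after `--from-file='tls.crt=./dc1-server-consul-0.pem'`. Pasted as written, the first line runs on its own and creates a secret without `tls.key`, then the shell tries to run `--from-file='tls.key=...'` as a separate command. Add the trailing ` \` to that line. It would also help to say what `{{fullname}}`, `{{namespace}}`, `{{datacenter}}` and `{{domain}}` stand for in the `consul tls cert create` command, since the text says the certificate only works inside the cluster when those SANs are present.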
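
Review bot: in the `client.nodeMeta` hunk (`@@ -598,6 +626,13 @@`), the `pod-name` and `host-ip` entries carry only a type and default (`${HOSTNAME}`, `${HOST_IP}`) and no description. Every other key in this file explains itself, so add a sentence to each saying what the value represents and where the variable is expected to come from. The parent description also says "an arbitrary metadata key/value pair" while listing two keys; "key/value pairs" reads better.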
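
Review bot: in the `syncCatalog.logLevel` hunk (`@@ -1076,7 +1111,7 @@`), "trace" is dropped from the list of accepted values without a word on what happens to an existing values file that still sets it. Either state that "trace" is no longer accepted or keep it in the list. The new `global.logLevel` entry lists the same four values, so the two should stay in step.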
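
Review bot: in the `connectInject.failurePolicy` hunk (`@@ -1181,6 +1217,13 @@`), the closing sentence "This setting can be safely disabled by setting to "Ignore"" contradicts the rationale given two sentences earlier, that `Fail` "prevents a pod from skipping mutation if the webhook were to be momentarily offline". With "Ignore", a pod created while the webhook is down is admitted without mutation, so describe that trade-off rather than calling the change safe, and fold it into the Kind sentence, which already recommends "Ignore". Also "it is recommend to use" should be "it is recommended to use".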
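
Review bot: in the `controller.logLevel` hunk (`@@ -1320,7 +1361,7 @@`), the default changes to `""` but the description still reads "Log verbosity level", whereas the `syncCatalog.logLevel` and `connectInject.logLevel` hunks change theirs to "Override global log verbosity level". Use the same wording here so it is clear that the empty default defers to `global.logLevel`.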
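
Review bot: in the `meshGateway.enabled` hunk (`@@ -1372,7 +1411,7 @@`), removing "and consul-k8s 0.15.0+" leaves "Requirements: consul 1.6.0+ if using global.acls.manageSystemACLs.", which now reads as though the Consul version requirement applies only when `manageSystemACLs` is set. If 1.6.0+ is unconditional, drop the trailing clause, as the ingress and terminating gateway hunks do with "Requirements: consul >= 1.8.0". Those two replacement lines have also lost their closing period.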