mirror of https://github.com/status-im/consul.git
Update helm reference (#10939)
* Update helm reference
* Fix docs issue breaking build
* Remove keys that aren't yet in the release
parent d2e50fd130
commit dda8efc612
@ -84,13 +84,14 @@ spec:
|
||||||
services:
|
services:
|
||||||
- name: static-server
|
- name: static-server
|
||||||
```
|
```
|
||||||
|
|
||||||
|
</CodeBlockConfig>
|
||||||
|
|
||||||
~> **Note:** The 'name' field for the IngressGateway resource must match the name
|
~> **Note:** The 'name' field for the IngressGateway resource must match the name
|
||||||
specified when creating the gateway in the Helm chart. In the above example, the
|
specified when creating the gateway in the Helm chart. In the above example, the
|
||||||
name "ingress-gateway" is the [default name](/docs/k8s/helm#v-ingressgateways-gateways-name)
|
name "ingress-gateway" is the [default name](/docs/k8s/helm#v-ingressgateways-gateways-name)
|
||||||
used by the Helm chart when enabling ingress gateways.
|
used by the Helm chart when enabling ingress gateways.
|
||||||
|
|
||||||
</CodeBlockConfig>
|
|
||||||
|
|
||||||
Apply the `IngressGateway` resource with `kubectl apply`:
|
Apply the `IngressGateway` resource with `kubectl apply`:
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
|
|
|
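Review bot: the `</CodeBlockConfig>` close now sits directly after the closing ``` fence instead of after the `~> **Note:**` callout, so the callout is no longer wrapped inside the component; that is the right shape for the fix the commit message calls "Fix docs issue breaking build". Worth a render check that the note still appears as a callout between the code block and the "Apply the `IngressGateway` resource" paragraph.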
@ -28,6 +28,12 @@ and consider if they're appropriate for your deployment.
|
||||||
will be installed by default and per-component opt-in is required, such as by
|
will be installed by default and per-component opt-in is required, such as by
|
||||||
setting `server.enabled` to true.
|
setting `server.enabled` to true.
|
||||||
|
|
||||||
|
- `logLevel` ((#v-global-loglevel)) (`string: info`) - The default log level to apply to all components which do not otherwise override this setting.
|
||||||
|
It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity.
|
||||||
|
One of "debug", "info", "warn", or "error".
|
||||||
|
|
||||||
|
- `logJSON` ((#v-global-logjson)) (`boolean: false`) - Enable all component logs to be output in JSON format.
|
||||||
|
|
||||||
- `name` ((#v-global-name)) (`string: null`) - Set the prefix used for all resources in the Helm chart. If not set,
|
- `name` ((#v-global-name)) (`string: null`) - Set the prefix used for all resources in the Helm chart. If not set,
|
||||||
the prefix will be `<helm release name>-consul`.
|
the prefix will be `<helm release name>-consul`.
|
||||||
|
|
||||||
|
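Review bot: in the new `logLevel` entry, "not set this below "info"" is ambiguous about direction; with the values listed as "debug", "info", "warn", "error" a reader cannot tell whether "debug" counts as below "info". Suggest "not set this to a more verbose level than "info" (i.e. "debug") unless actively debugging". It would also help to state here that a non-empty per-component `logLevel` (for example `syncCatalog.logLevel`, documented later in this file as "Override global log verbosity level") takes precedence over this global value, since this entry is where readers will look for that rule.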
@ -49,7 +55,7 @@ and consider if they're appropriate for your deployment.
|
||||||
```
|
```
|
||||||
|
|
||||||
- `imagePullSecrets` ((#v-global-imagepullsecrets)) (`array<map>`) - Array of objects containing image pull secret names that will be applied to each service account.
|
- `imagePullSecrets` ((#v-global-imagepullsecrets)) (`array<map>`) - Array of objects containing image pull secret names that will be applied to each service account.
|
||||||
This can be used to reference image pull secrets if using a custom consul or consul-k8s Docker image.
|
This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image.
|
||||||
See https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry for reference.
|
See https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry for reference.
|
||||||
|
|
||||||
Example:
|
Example:
|
||||||
|
@ -60,8 +66,8 @@ and consider if they're appropriate for your deployment.
|
||||||
- name: pull-secret-name-2
|
- name: pull-secret-name-2
|
||||||
```
|
```
|
||||||
|
|
||||||
- `imageK8S` ((#v-global-imagek8s)) (`string: hashicorp/consul-k8s:<latest version>`) - The name (and tag) of the consul-k8s (https://github.com/hashicorp/consul-k8s)
|
- `imageK8S` ((#v-global-imagek8s)) (`string: hashicorp/consul-k8s-control-plane:<latest version>`) - The name (and tag) of the consul-k8s-control-plane Docker
|
||||||
Docker image that is used for functionality such the catalog sync.
|
image that is used for functionality such as catalog sync.
|
||||||
This can be overridden per component.
|
This can be overridden per component.
|
||||||
|
|
||||||
- `datacenter` ((#v-global-datacenter)) (`string: dc1`) - The name of the datacenter that the agents should
|
- `datacenter` ((#v-global-datacenter)) (`string: dc1`) - The name of the datacenter that the agents should
|
||||||
|
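Review bot: the rewritten `imageK8S` description drops the repository link that the old text carried (https://github.com/hashicorp/consul-k8s). Since the default image is being renamed to `hashicorp/consul-k8s-control-plane`, keep a link so readers can find where that image is built and published. The "such the catalog sync" to "such as catalog sync" fix is good.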
@ -105,15 +111,15 @@ and consider if they're appropriate for your deployment.
|
||||||
|
|
||||||
- `tls` ((#v-global-tls)) - Enables TLS (https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure)
|
- `tls` ((#v-global-tls)) - Enables TLS (https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure)
|
||||||
across the cluster to verify authenticity of the Consul servers and clients.
|
across the cluster to verify authenticity of the Consul servers and clients.
|
||||||
Requires Consul v1.4.1+ and consul-k8s v0.16.2+
|
Requires Consul v1.4.1+.
|
||||||
|
|
||||||
- `enabled` ((#v-global-tls-enabled)) (`boolean: false`) - If true, the Helm chart will enable TLS for Consul
|
- `enabled` ((#v-global-tls-enabled)) (`boolean: false`) - If true, the Helm chart will enable TLS for Consul
|
||||||
servers and clients and all consul-k8s components, as well as generate certificate
|
servers and clients and all consul-k8s-control-plane components, as well as generate certificate
|
||||||
authority (optional) and server and client certificates.
|
authority (optional) and server and client certificates.
|
||||||
|
|
||||||
- `enableAutoEncrypt` ((#v-global-tls-enableautoencrypt)) (`boolean: false`) - If true, turns on the auto-encrypt feature on clients and servers.
|
- `enableAutoEncrypt` ((#v-global-tls-enableautoencrypt)) (`boolean: false`) - If true, turns on the auto-encrypt feature on clients and servers.
|
||||||
It also switches consul-k8s components to retrieve the CA from the servers
|
It also switches consul-k8s-control-plane components to retrieve the CA from the servers
|
||||||
via the API. Requires Consul 1.7.1+ and consul-k8s 0.13.0
|
via the API. Requires Consul 1.7.1+.
|
||||||
|
|
||||||
- `serverAdditionalDNSSANs` ((#v-global-tls-serveradditionaldnssans)) (`array<string>: []`) - A list of additional DNS names to set as Subject Alternative Names (SANs)
|
- `serverAdditionalDNSSANs` ((#v-global-tls-serveradditionaldnssans)) (`array<string>: []`) - A list of additional DNS names to set as Subject Alternative Names (SANs)
|
||||||
in the server certificate. This is useful when you need to access the
|
in the server certificate. This is useful when you need to access the
|
||||||
|
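Review bot: version requirements in this hunk are written inconsistently: `Requires Consul v1.4.1+.` under `tls` and `Requires Consul 1.7.1+.` under `enableAutoEncrypt`, while `manageSystemACLs` elsewhere in this file uses `This requires Consul >= 1.4.`. Since the consul-k8s-side requirements are being removed in this same change, it is a good moment to settle on one form (e.g. `Requires Consul 1.7.1+.`) across the file.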
@ -168,21 +174,20 @@ and consider if they're appropriate for your deployment.
|
||||||
- `enableConsulNamespaces` ((#v-global-enableconsulnamespaces)) (`boolean: false`) - <EnterpriseAlert inline /> `enableConsulNamespaces` indicates that you are running
|
- `enableConsulNamespaces` ((#v-global-enableconsulnamespaces)) (`boolean: false`) - <EnterpriseAlert inline /> `enableConsulNamespaces` indicates that you are running
|
||||||
Consul Enterprise v1.7+ with a valid Consul Enterprise license and would
|
Consul Enterprise v1.7+ with a valid Consul Enterprise license and would
|
||||||
like to make use of configuration beyond registering everything into
|
like to make use of configuration beyond registering everything into
|
||||||
the `default` Consul namespace. Requires consul-k8s v0.12+. Additional configuration
|
the `default` Consul namespace. Additional configuration
|
||||||
options are found in the `consulNamespaces` section of both the catalog sync
|
options are found in the `consulNamespaces` section of both the catalog sync
|
||||||
and connect injector.
|
and connect injector.
|
||||||
|
|
||||||
- `acls` ((#v-global-acls)) - Configure ACLs.
|
- `acls` ((#v-global-acls)) - Configure ACLs.
|
||||||
|
|
||||||
- `manageSystemACLs` ((#v-global-acls-managesystemacls)) (`boolean: false`) - If true, the Helm chart will automatically manage ACL tokens and policies
|
- `manageSystemACLs` ((#v-global-acls-managesystemacls)) (`boolean: false`) - If true, the Helm chart will automatically manage ACL tokens and policies
|
||||||
for all Consul and consul-k8s components.
|
for all Consul and consul-k8s-control-plane components.
|
||||||
This requires Consul >= 1.4 and consul-k8s >= 0.14.0.
|
This requires Consul >= 1.4.
|
||||||
|
|
||||||
- `bootstrapToken` ((#v-global-acls-bootstraptoken)) - A Kubernetes secret containing the bootstrap token to use for
|
- `bootstrapToken` ((#v-global-acls-bootstraptoken)) - A Kubernetes secret containing the bootstrap token to use for
|
||||||
creating policies and tokens for all Consul and consul-k8s components.
|
creating policies and tokens for all Consul and consul-k8s-control-plane components.
|
||||||
If set, we will skip ACL bootstrapping of the servers and will only
|
If set, we will skip ACL bootstrapping of the servers and will only
|
||||||
initialize ACLs for the Consul clients and consul-k8s system components.
|
initialize ACLs for the Consul clients and consul-k8s-control-plane system components.
|
||||||
Requires consul-k8s >= 0.14.0.
|
|
||||||
|
|
||||||
- `secretName` ((#v-global-acls-bootstraptoken-secretname)) (`string: null`) - The name of the Kubernetes secret.
|
- `secretName` ((#v-global-acls-bootstraptoken-secretname)) (`string: null`) - The name of the Kubernetes secret.
|
||||||
|
|
||||||
|
@ -194,13 +199,11 @@ and consider if they're appropriate for your deployment.
|
||||||
datacenter.
|
datacenter.
|
||||||
In secondary datacenters, the secret needs to be imported from the primary
|
In secondary datacenters, the secret needs to be imported from the primary
|
||||||
datacenter and referenced via `global.acls.replicationToken`.
|
datacenter and referenced via `global.acls.replicationToken`.
|
||||||
Requires consul-k8s >= 0.13.0.
|
|
||||||
|
|
||||||
- `replicationToken` ((#v-global-acls-replicationtoken)) - replicationToken references a secret containing the replication ACL token.
|
- `replicationToken` ((#v-global-acls-replicationtoken)) - replicationToken references a secret containing the replication ACL token.
|
||||||
This token will be used by secondary datacenters to perform ACL replication
|
This token will be used by secondary datacenters to perform ACL replication
|
||||||
and create ACL tokens and policies.
|
and create ACL tokens and policies.
|
||||||
This value is ignored if `bootstrapToken` is also set.
|
This value is ignored if `bootstrapToken` is also set.
|
||||||
Requires consul-k8s >= 0.13.0.
|
|
||||||
|
|
||||||
- `secretName` ((#v-global-acls-replicationtoken-secretname)) (`string: null`) - The name of the Kubernetes secret.
|
- `secretName` ((#v-global-acls-replicationtoken-secretname)) (`string: null`) - The name of the Kubernetes secret.
|
||||||
|
|
||||||
|
@ -220,7 +223,7 @@ and consider if they're appropriate for your deployment.
|
||||||
and authenticate with this datacenter. This should only be set to true
|
and authenticate with this datacenter. This should only be set to true
|
||||||
in your primary datacenter. The secret name is
|
in your primary datacenter. The secret name is
|
||||||
`<global.name>-federation` (if setting `global.name`), otherwise
|
`<global.name>-federation` (if setting `global.name`), otherwise
|
||||||
`<helm-release-name>-consul-federation`. Requires consul-k8s 0.15.0+.
|
`<helm-release-name>-consul-federation`.
|
||||||
|
|
||||||
- `metrics` ((#v-global-metrics)) - Configures metrics for Consul service mesh
|
- `metrics` ((#v-global-metrics)) - Configures metrics for Consul service mesh
|
||||||
|
|
||||||
|
@ -240,9 +243,8 @@ and consider if they're appropriate for your deployment.
|
||||||
Envoy metrics on port `20200` at the `/metrics` path and all gateway pods
|
Envoy metrics on port `20200` at the `/metrics` path and all gateway pods
|
||||||
will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true.
|
will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true.
|
||||||
|
|
||||||
- `consulSidecarContainer` ((#v-global-consulsidecarcontainer)) (`map`) - The consul sidecar ensures the Consul services
|
- `consulSidecarContainer` ((#v-global-consulsidecarcontainer)) (`map`) - For connect-injected pods, the consul sidecar is responsible for metrics merging. For ingress/mesh/terminating
|
||||||
are always registered with their local Consul clients and is used by the
|
gateways, it additionally ensures the Consul services are always registered with their local Consul client.
|
||||||
ingress/terminating/mesh gateways as well as with every Connect-injected service.
|
|
||||||
|
|
||||||
- `imageEnvoy` ((#v-global-imageenvoy)) (`string: envoyproxy/envoy-alpine:<latest supported version>`) - The name (and tag) of the Envoy Docker image used for the
|
- `imageEnvoy` ((#v-global-imageenvoy)) (`string: envoyproxy/envoy-alpine:<latest supported version>`) - The name (and tag) of the Envoy Docker image used for the
|
||||||
connect-injected sidecar proxies and mesh, terminating, and ingress gateways.
|
connect-injected sidecar proxies and mesh, terminating, and ingress gateways.
|
||||||
|
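Review bot: the new `consulSidecarContainer` text changes what the sidecar is said to do for connect-injected pods. The old text said it keeps every Connect-injected service registered with its local Consul client; the new text says that for connect-injected pods it is responsible for metrics merging, and that keeping services registered applies only to ingress/mesh/terminating gateways. Please confirm this reflects current behaviour rather than a wording slip, because readers sizing this container's resources will rely on it. Minor: `imageEnvoy` uses the placeholder `<latest supported version>` while `imageK8S` above uses `<latest version>`; consider aligning them.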
@ -293,6 +295,33 @@ and consider if they're appropriate for your deployment.
|
||||||
|
|
||||||
- `enableLicenseAutoload` ((#v-server-enterpriselicense-enablelicenseautoload)) (`boolean: true`) - Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+.
|
- `enableLicenseAutoload` ((#v-server-enterpriselicense-enablelicenseautoload)) (`boolean: true`) - Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+.
|
||||||
|
|
||||||
|
- `serverCert` ((#v-server-servercert)) - A Kubernetes secret containing a certificate & key for the server agents to use
|
||||||
|
for TLS communication within the Consul cluster. Cert needs to be provided with
|
||||||
|
additional DNS name SANs so that it will work within the Kubernetes cluster:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \
|
||||||
|
-key=consul-agent-ca-key.pem -dc={{datacenter}} \
|
||||||
|
-additional-dnsname="{{fullname}}-server" \
|
||||||
|
-additional-dnsname="*.{{fullname}}-server" \
|
||||||
|
-additional-dnsname="*.{{fullname}}-server.{{namespace}}" \
|
||||||
|
-additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \
|
||||||
|
-additional-dnsname="*.server.{{datacenter}}.{{domain}}" \
|
||||||
|
-additional-dnsname="server.{{datacenter}}.{{domain}}"
|
||||||
|
```
|
||||||
|
|
||||||
|
If you have generated the
|
||||||
|
server-cert yourself with the consul CLI, you could use the following command
|
||||||
|
to create the secret in Kubernetes:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
kubectl create secret generic consul-server-cert \
|
||||||
|
--from-file='tls.crt=./dc1-server-consul-0.pem'
|
||||||
|
--from-file='tls.key=./dc1-server-consul-0-key.pem'
|
||||||
|
```
|
||||||
|
|
||||||
|
- `secretName` ((#v-server-servercert-secretname)) (`string: null`) - The name of the Kubernetes secret.
|
||||||
|
|
||||||
- `exposeGossipAndRPCPorts` ((#v-server-exposegossipandrpcports)) (`boolean: false`) - Exposes the servers' gossip and RPC ports as hostPorts. To enable a client
|
- `exposeGossipAndRPCPorts` ((#v-server-exposegossipandrpcports)) (`boolean: false`) - Exposes the servers' gossip and RPC ports as hostPorts. To enable a client
|
||||||
agent outside of the k8s cluster to join the datacenter, you would need to
|
agent outside of the k8s cluster to join the datacenter, you would need to
|
||||||
enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and
|
enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and
|
||||||
|
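Review bot: the added `kubectl create secret generic consul-server-cert` example is missing the line-continuation backslash after `--from-file='tls.crt=./dc1-server-consul-0.pem'`, so as written the shell creates the secret with only `tls.crt` and then tries to run `--from-file='tls.key=./dc1-server-consul-0-key.pem'` as a separate command. Add the trailing `\` to that line. The `consul tls cert create` example uses `{{fullname}}`, `{{namespace}}`, `{{datacenter}}` and `{{domain}}` without saying they are placeholders; one sentence stating that these must be replaced with the deployment's own values (and what `{{fullname}}` corresponds to in the chart) would keep readers from copying them literally.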
@ -527,8 +556,8 @@ and consider if they're appropriate for your deployment.
|
||||||
|
|
||||||
- `externalServers` ((#v-externalservers)) - Configuration for Consul servers when the servers are running outside of Kubernetes.
|
- `externalServers` ((#v-externalservers)) - Configuration for Consul servers when the servers are running outside of Kubernetes.
|
||||||
When running external servers, configuring these values is recommended
|
When running external servers, configuring these values is recommended
|
||||||
if setting `global.tls.enableAutoEncrypt` to true (requires consul-k8s >= 0.13.0)
|
if setting `global.tls.enableAutoEncrypt` to true
|
||||||
or `global.acls.manageSystemACLs` to true (requires consul-k8s >= 0.14.0).
|
or `global.acls.manageSystemACLs` to true.
|
||||||
|
|
||||||
- `enabled` ((#v-externalservers-enabled)) (`boolean: false`) - If true, the Helm chart will be configured to talk to the external servers.
|
- `enabled` ((#v-externalservers-enabled)) (`boolean: false`) - If true, the Helm chart will be configured to talk to the external servers.
|
||||||
If setting this to true, you must also set `server.enabled` to false.
|
If setting this to true, you must also set `server.enabled` to false.
|
||||||
|
@ -546,10 +575,10 @@ and consider if they're appropriate for your deployment.
|
||||||
|
|
||||||
- `tlsServerName` ((#v-externalservers-tlsservername)) (`string: null`) - The server name to use as the SNI host header when connecting with HTTPS.
|
- `tlsServerName` ((#v-externalservers-tlsservername)) (`string: null`) - The server name to use as the SNI host header when connecting with HTTPS.
|
||||||
|
|
||||||
- `useSystemRoots` ((#v-externalservers-usesystemroots)) (`boolean: false`) - If true, consul-k8s components will ignore the CA set in
|
- `useSystemRoots` ((#v-externalservers-usesystemroots)) (`boolean: false`) - If true, consul-k8s-control-plane components will ignore the CA set in
|
||||||
`global.tls.caCert` when making HTTPS calls to Consul servers and
|
`global.tls.caCert` when making HTTPS calls to Consul servers and
|
||||||
will instead use the consul-k8s image's system CAs for TLS verification.
|
will instead use the consul-k8s-control-plane image's system CAs for TLS verification.
|
||||||
If false, consul-k8s components will use `global.tls.caCert` when
|
If false, consul-k8s-control-plane components will use `global.tls.caCert` when
|
||||||
making HTTPS calls to Consul servers.
|
making HTTPS calls to Consul servers.
|
||||||
**NOTE:** This does not affect Consul's internal RPC communication which will
|
**NOTE:** This does not affect Consul's internal RPC communication which will
|
||||||
always use `global.tls.caCert`.
|
always use `global.tls.caCert`.
|
||||||
|
@ -558,7 +587,6 @@ and consider if they're appropriate for your deployment.
|
||||||
`connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server.
|
`connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server.
|
||||||
This address must be reachable from the Consul servers.
|
This address must be reachable from the Consul servers.
|
||||||
Please see the Kubernetes Auth Method documentation (https://consul.io/docs/acl/auth-methods/kubernetes).
|
Please see the Kubernetes Auth Method documentation (https://consul.io/docs/acl/auth-methods/kubernetes).
|
||||||
Requires consul-k8s >= 0.14.0.
|
|
||||||
|
|
||||||
You could retrieve this value from your `kubeconfig` by running:
|
You could retrieve this value from your `kubeconfig` by running:
|
||||||
|
|
||||||
|
@ -598,6 +626,13 @@ and consider if they're appropriate for your deployment.
|
||||||
port 8502 and expose it to the host. This will use slightly more resources, but is
|
port 8502 and expose it to the host. This will use slightly more resources, but is
|
||||||
required for Connect.
|
required for Connect.
|
||||||
|
|
||||||
|
- `nodeMeta` ((#v-client-nodemeta)) - nodeMeta specifies an arbitrary metadata key/value pair to associate with the node
|
||||||
|
(see https://www.consul.io/docs/agent/options.html#_node_meta)
|
||||||
|
|
||||||
|
- `pod-name` ((#v-client-nodemeta-pod-name)) (`string: ${HOSTNAME}`)
|
||||||
|
|
||||||
|
- `host-ip` ((#v-client-nodemeta-host-ip)) (`string: ${HOST_IP}`)
|
||||||
|
|
||||||
- `exposeGossipPorts` ((#v-client-exposegossipports)) (`boolean: false`) - If true, the Helm chart will expose the clients' gossip ports as hostPorts.
|
- `exposeGossipPorts` ((#v-client-exposegossipports)) (`boolean: false`) - If true, the Helm chart will expose the clients' gossip ports as hostPorts.
|
||||||
This is only necessary if pod IPs in the k8s cluster are not directly routable
|
This is only necessary if pod IPs in the k8s cluster are not directly routable
|
||||||
and the Consul servers are outside of the k8s cluster.
|
and the Consul servers are outside of the k8s cluster.
|
||||||
|
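Review bot: the new `pod-name` and `host-ip` entries under `nodeMeta` are the only values in this reference with no description, only a default. Add a one-line description for each, and say how `${HOSTNAME}` and `${HOST_IP}` are resolved (if they are expanded from the client pod's environment at runtime, say so), otherwise a reader may treat them as literal strings or try to set them to fixed values. Also, the lead sentence says "an arbitrary metadata key/value pair" while two pairs are listed; "key/value pairs" reads better.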
@ -874,6 +909,8 @@ and consider if they're appropriate for your deployment.
|
||||||
|
|
||||||
- `enabled` ((#v-ui-ingress-enabled)) (`boolean: false`) - This will create an Ingress resource for the Consul UI.
|
- `enabled` ((#v-ui-ingress-enabled)) (`boolean: false`) - This will create an Ingress resource for the Consul UI.
|
||||||
|
|
||||||
|
- `pathType` ((#v-ui-ingress-pathtype)) (`string: Prefix`) - pathType override - see: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
|
||||||
|
|
||||||
- `hosts` ((#v-ui-ingress-hosts)) (`array<map>`) - hosts is a list of host name to create Ingress rules.
|
- `hosts` ((#v-ui-ingress-hosts)) (`array<map>`) - hosts is a list of host name to create Ingress rules.
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
|
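Review bot: the new `pathType` entry is documented only as "pathType override" plus a link. State the accepted values the linked Kubernetes page defines, and since the default is `Prefix`, say when a user would pick a different one. In the unchanged context of this hunk, "hosts is a list of host name to create Ingress rules" should read "host names".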
@ -890,7 +927,7 @@ and consider if they're appropriate for your deployment.
|
||||||
```yaml
|
```yaml
|
||||||
tls:
|
tls:
|
||||||
- hosts:
|
- hosts:
|
||||||
- chart-example.local
|
- chart-example.local
|
||||||
secretName: testsecret-tls
|
secretName: testsecret-tls
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -929,7 +966,7 @@ and consider if they're appropriate for your deployment.
|
||||||
- `enabled` ((#v-synccatalog-enabled)) (`boolean: false`) - True if you want to enable the catalog sync. Set to "-" to inherit from
|
- `enabled` ((#v-synccatalog-enabled)) (`boolean: false`) - True if you want to enable the catalog sync. Set to "-" to inherit from
|
||||||
global.enabled.
|
global.enabled.
|
||||||
|
|
||||||
- `image` ((#v-synccatalog-image)) (`string: null`) - The name of the Docker image (including any tag) for consul-k8s
|
- `image` ((#v-synccatalog-image)) (`string: null`) - The name of the Docker image (including any tag) for consul-k8s-control-plane
|
||||||
to run the sync program.
|
to run the sync program.
|
||||||
|
|
||||||
- `default` ((#v-synccatalog-default)) (`boolean: true`) - If true, all valid services in K8S are
|
- `default` ((#v-synccatalog-default)) (`boolean: true`) - If true, all valid services in K8S are
|
||||||
|
@ -961,12 +998,10 @@ and consider if they're appropriate for your deployment.
|
||||||
To deny all namespaces, set this to `[]`.
|
To deny all namespaces, set this to `[]`.
|
||||||
|
|
||||||
Note: `k8sDenyNamespaces` takes precedence over values defined here.
|
Note: `k8sDenyNamespaces` takes precedence over values defined here.
|
||||||
Requires consul-k8s v0.12+
|
|
||||||
|
|
||||||
- `k8sDenyNamespaces` ((#v-synccatalog-k8sdenynamespaces)) (`array<string>: ["kube-system", "kube-public"]`) - List of k8s namespaces that should not have their
|
- `k8sDenyNamespaces` ((#v-synccatalog-k8sdenynamespaces)) (`array<string>: ["kube-system", "kube-public"]`) - List of k8s namespaces that should not have their
|
||||||
services synced. This list takes precedence over `k8sAllowNamespaces`.
|
services synced. This list takes precedence over `k8sAllowNamespaces`.
|
||||||
`*` is not supported because then nothing would be allowed to sync.
|
`*` is not supported because then nothing would be allowed to sync.
|
||||||
Requires consul-k8s v0.12+.
|
|
||||||
|
|
||||||
For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is
|
For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is
|
||||||
`["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1`
|
`["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1`
|
||||||
|
@ -980,7 +1015,7 @@ and consider if they're appropriate for your deployment.
|
||||||
to all namespaces.
|
to all namespaces.
|
||||||
|
|
||||||
- `consulNamespaces` ((#v-synccatalog-consulnamespaces)) - <EnterpriseAlert inline /> These settings manage the catalog sync's interaction with
|
- `consulNamespaces` ((#v-synccatalog-consulnamespaces)) - <EnterpriseAlert inline /> These settings manage the catalog sync's interaction with
|
||||||
Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+).
|
Consul namespaces (requires consul-ent v1.7+).
|
||||||
Also, `global.enableConsulNamespaces` must be true.
|
Also, `global.enableConsulNamespaces` must be true.
|
||||||
|
|
||||||
- `consulDestinationNamespace` ((#v-synccatalog-consulnamespaces-consuldestinationnamespace)) (`string: default`) - Name of the Consul namespace to register all
|
- `consulDestinationNamespace` ((#v-synccatalog-consulnamespaces-consuldestinationnamespace)) (`string: default`) - Name of the Consul namespace to register all
|
||||||
|
@ -1076,7 +1111,7 @@ and consider if they're appropriate for your deployment.
|
||||||
|
|
||||||
- `resources` ((#v-synccatalog-resources)) (`map`) - Resource settings for sync catalog pods.
|
- `resources` ((#v-synccatalog-resources)) (`map`) - Resource settings for sync catalog pods.
|
||||||
|
|
||||||
- `logLevel` ((#v-synccatalog-loglevel)) (`string: info`) - Log verbosity level. One of "trace", "debug", "info", "warn", or "error".
|
- `logLevel` ((#v-synccatalog-loglevel)) (`string: ""`) - Override global log verbosity level. One of "debug", "info", "warn", or "error".
|
||||||
|
|
||||||
- `consulWriteInterval` ((#v-synccatalog-consulwriteinterval)) (`string: null`) - Override the default interval to perform syncing operations creating Consul services.
|
- `consulWriteInterval` ((#v-synccatalog-consulwriteinterval)) (`string: null`) - Override the default interval to perform syncing operations creating Consul services.
|
||||||
|
|
||||||
|
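Review bot: `syncCatalog.logLevel` changes its default from `info` to `""` and drops "trace" from the accepted values. Two things should be said explicitly: that an empty string means "inherit `global.logLevel`" (the new text only says "Override global log verbosity level"), and whether "trace" is still accepted by the sync program, because removing it from the documented list reads as a behaviour change rather than a wording update.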
@ -1097,7 +1132,9 @@ and consider if they're appropriate for your deployment.
|
||||||
- `enabled` ((#v-connectinject-enabled)) (`boolean: false`) - True if you want to enable connect injection. Set to "-" to inherit from
|
- `enabled` ((#v-connectinject-enabled)) (`boolean: false`) - True if you want to enable connect injection. Set to "-" to inherit from
|
||||||
global.enabled.
|
global.enabled.
|
||||||
|
|
||||||
- `image` ((#v-connectinject-image)) (`string: null`) - Image for consul-k8s that contains the injector
|
- `replicas` ((#v-connectinject-replicas)) (`integer: 2`) - The number of deployment replicas.
|
||||||
|
|
||||||
|
- `image` ((#v-connectinject-image)) (`string: null`) - Image for consul-k8s-control-plane that contains the injector.
|
||||||
|
|
||||||
- `default` ((#v-connectinject-default)) (`boolean: false`) - If true, the injector will inject the
|
- `default` ((#v-connectinject-default)) (`boolean: false`) - If true, the injector will inject the
|
||||||
Connect sidecar into all pods by default. Otherwise, pods must specify the
|
Connect sidecar into all pods by default. Otherwise, pods must specify the
|
||||||
|
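Review bot: the new `replicas` entry (`integer: 2`) says only "The number of deployment replicas"; name the deployment (the connect injector) and, since this same change documents `failurePolicy: Fail` for the injector's mutating webhook, mention that running more than one replica is what keeps the webhook reachable so that policy does not block pod scheduling during a restart.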
@ -1106,7 +1143,7 @@ and consider if they're appropriate for your deployment.
|
||||||
to explicitly opt-out of injection.
|
to explicitly opt-out of injection.
|
||||||
|
|
||||||
- `transparentProxy` ((#v-connectinject-transparentproxy)) - Configures Transparent Proxy for Consul Service mesh services.
|
- `transparentProxy` ((#v-connectinject-transparentproxy)) - Configures Transparent Proxy for Consul Service mesh services.
|
||||||
Using this feature requires Consul 1.10.0-beta1+ and consul-k8s 0.26.0-beta1+.
|
Using this feature requires Consul 1.10.0-beta1+.
|
||||||
|
|
||||||
- `defaultEnabled` ((#v-connectinject-transparentproxy-defaultenabled)) (`boolean: true`) - If true, then all Consul Service mesh will run with transparent proxy enabled by default,
|
- `defaultEnabled` ((#v-connectinject-transparentproxy-defaultenabled)) (`boolean: true`) - If true, then all Consul Service mesh will run with transparent proxy enabled by default,
|
||||||
i.e. we enforce that all traffic within the pod will go through the proxy.
|
i.e. we enforce that all traffic within the pod will go through the proxy.
|
||||||
|
@ -1126,14 +1163,13 @@ and consider if they're appropriate for your deployment.
|
||||||
add prometheus annotations to connect-injected pods. It will also
|
add prometheus annotations to connect-injected pods. It will also
|
||||||
add a listener on the Envoy sidecar to expose metrics. The exposed
|
add a listener on the Envoy sidecar to expose metrics. The exposed
|
||||||
metrics will depend on whether metrics merging is enabled:
|
metrics will depend on whether metrics merging is enabled:
|
||||||
|
- If metrics merging is enabled:
|
||||||
- If metrics merging is enabled:
|
the Consul sidecar will run a merged metrics server
|
||||||
the Consul sidecar will run a merged metrics server
|
combining Envoy sidecar and Connect service metrics,
|
||||||
combining Envoy sidecar and Connect service metrics,
|
i.e. if your service exposes its own Prometheus metrics.
|
||||||
i.e. if your service exposes its own Prometheus metrics.
|
- If metrics merging is disabled:
|
||||||
- If metrics merging is disabled:
|
the listener will just expose Envoy sidecar metrics.
|
||||||
the listener will just expose Envoy sidecar metrics.
|
This will inherit from `global.metrics.enabled`.
|
||||||
This will inherit from `global.metrics.enabled`.
|
|
||||||
|
|
||||||
- `defaultEnableMerging` ((#v-connectinject-metrics-defaultenablemerging)) (`boolean: false`) - Configures the Consul sidecar to run a merged metrics server
|
- `defaultEnableMerging` ((#v-connectinject-metrics-defaultenablemerging)) (`boolean: false`) - Configures the Consul sidecar to run a merged metrics server
|
||||||
to combine and serve both Envoy and Connect service metrics.
|
to combine and serve both Envoy and Connect service metrics.
|
||||||
|
@ -1146,14 +1182,14 @@ and consider if they're appropriate for your deployment.
|
||||||
- `defaultPrometheusScrapePort` ((#v-connectinject-metrics-defaultprometheusscrapeport)) (`integer: 20200`) - Configures the port Prometheus will scrape metrics from, by configuring
|
- `defaultPrometheusScrapePort` ((#v-connectinject-metrics-defaultprometheusscrapeport)) (`integer: 20200`) - Configures the port Prometheus will scrape metrics from, by configuring
|
||||||
the Pod annotation `prometheus.io/port` and the corresponding listener in
|
the Pod annotation `prometheus.io/port` and the corresponding listener in
|
||||||
the Envoy sidecar.
|
the Envoy sidecar.
|
||||||
NOTE: This is _not_ the port that your application exposes metrics on.
|
NOTE: This is *not* the port that your application exposes metrics on.
|
||||||
That can be configured with the
|
That can be configured with the
|
||||||
`consul.hashicorp.com/service-metrics-port` annotation.
|
`consul.hashicorp.com/service-metrics-port` annotation.
|
||||||
|
|
||||||
- `defaultPrometheusScrapePath` ((#v-connectinject-metrics-defaultprometheusscrapepath)) (`string: /metrics`) - Configures the path Prometheus will scrape metrics from, by configuring the pod
|
- `defaultPrometheusScrapePath` ((#v-connectinject-metrics-defaultprometheusscrapepath)) (`string: /metrics`) - Configures the path Prometheus will scrape metrics from, by configuring the pod
|
||||||
annotation `prometheus.io/path` and the corresponding handler in the Envoy
|
annotation `prometheus.io/path` and the corresponding handler in the Envoy
|
||||||
sidecar.
|
sidecar.
|
||||||
NOTE: This is _not_ the path that your application exposes metrics on.
|
NOTE: This is *not* the path that your application exposes metrics on.
|
||||||
That can be configured with the
|
That can be configured with the
|
||||||
`consul.hashicorp.com/service-metrics-path` annotation.
|
`consul.hashicorp.com/service-metrics-path` annotation.
|
||||||
|
|
||||||
|
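Review bot: the only changes in this hunk are `_not_` to `*not*` on the two NOTE lines (scrape port and scrape path); that is a markup-only edit with no effect on the rendered text, so it is fine provided the rest of the reference uses asterisk emphasis the same way, otherwise the two entries will stand out from their neighbours for no reason.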
@ -1166,7 +1202,7 @@ and consider if they're appropriate for your deployment.
|
||||||
- `imageConsul` ((#v-connectinject-imageconsul)) (`string: null`) - The Docker image for Consul to use when performing Connect injection.
|
- `imageConsul` ((#v-connectinject-imageconsul)) (`string: null`) - The Docker image for Consul to use when performing Connect injection.
|
||||||
Defaults to global.image.
|
Defaults to global.image.
|
||||||
|
|
||||||
- `logLevel` ((#v-connectinject-loglevel)) (`string: info`) - Log verbosity level. One of "debug", "info", "warn", or "error".
|
- `logLevel` ((#v-connectinject-loglevel)) (`string: ""`) - Override global log verbosity level. One of "debug", "info", "warn", or "error".
|
||||||
|
|
||||||
- `serviceAccount` ((#v-connectinject-serviceaccount))
|
- `serviceAccount` ((#v-connectinject-serviceaccount))
|
||||||
|
|
||||||
|
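Review bot: the new `connectInject.logLevel` text says "Override global log verbosity level" but never states what the new empty-string default means; say explicitly that an empty value falls back to the global log level setting (and link that key) so a reader does not take `""` to mean logging is off, e.g. "Override the global log verbosity level. When empty, the global value is used. One of "debug", "info", "warn", or "error"."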
@ -1181,6 +1217,13 @@ and consider if they're appropriate for your deployment.
|
||||||
|
|
||||||
- `resources` ((#v-connectinject-resources)) (`map`) - Resource settings for connect inject pods.
|
- `resources` ((#v-connectinject-resources)) (`map`) - Resource settings for connect inject pods.
|
||||||
|
|
||||||
|
- `failurePolicy` ((#v-connectinject-failurepolicy)) (`string: Fail`) - Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook
|
||||||
|
is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline.
|
||||||
|
Once the webhook is back online the pod will be scheduled.
|
||||||
|
In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running
|
||||||
|
which can lead to hangs. In these environments it is recommend to use "Ignore" instead.
|
||||||
|
This setting can be safely disabled by setting to "Ignore".
|
||||||
|
|
||||||
- `namespaceSelector` ((#v-connectinject-namespaceselector)) (`string: null`) - Selector for restricting the webhook to only
|
- `namespaceSelector` ((#v-connectinject-namespaceselector)) (`string: null`) - Selector for restricting the webhook to only
|
||||||
specific namespaces. This should be set to a multiline string.
|
specific namespaces. This should be set to a multiline string.
|
||||||
See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
|
See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
|
||||||
|
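Review bot: typo in the added `failurePolicy` entry, "it is recommend to use "Ignore"" should read "it is recommended". The last added sentence, "This setting can be safely disabled by setting to "Ignore"", also undercuts the earlier sentence in the same entry that `Fail` exists precisely to stop a pod skipping mutation while the webhook is down: with `Ignore`, pods admitted during a webhook outage start without the Connect sidecar, so drop "safely" and state the trade-off, e.g. "Setting this to "Ignore" allows pods to be scheduled without sidecar injection while the webhook is unavailable."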
@ -1208,7 +1251,6 @@ and consider if they're appropriate for your deployment.
|
||||||
Note: `k8sDenyNamespaces` takes precedence over values defined here and
|
Note: `k8sDenyNamespaces` takes precedence over values defined here and
|
||||||
`namespaceSelector` takes precedence over both since it is applied first.
|
`namespaceSelector` takes precedence over both since it is applied first.
|
||||||
`kube-system` and `kube-public` are never injected, even if included here.
|
`kube-system` and `kube-public` are never injected, even if included here.
|
||||||
Requires consul-k8s v0.12+
|
|
||||||
|
|
||||||
- `k8sDenyNamespaces` ((#v-connectinject-k8sdenynamespaces)) (`array<string>: []`) - List of k8s namespaces that should not allow Connect
|
- `k8sDenyNamespaces` ((#v-connectinject-k8sdenynamespaces)) (`array<string>: []`) - List of k8s namespaces that should not allow Connect
|
||||||
sidecar injection. This list takes precedence over `k8sAllowNamespaces`.
|
sidecar injection. This list takes precedence over `k8sAllowNamespaces`.
|
||||||
|
@ -1220,10 +1262,9 @@ and consider if they're appropriate for your deployment.
|
||||||
|
|
||||||
Note: `namespaceSelector` takes precedence over this since it is applied first.
|
Note: `namespaceSelector` takes precedence over this since it is applied first.
|
||||||
`kube-system` and `kube-public` are never injected.
|
`kube-system` and `kube-public` are never injected.
|
||||||
Requires consul-k8s v0.12+.
|
|
||||||
|
|
||||||
- `consulNamespaces` ((#v-connectinject-consulnamespaces)) - <EnterpriseAlert inline /> These settings manage the connect injector's interaction with
|
- `consulNamespaces` ((#v-connectinject-consulnamespaces)) - <EnterpriseAlert inline /> These settings manage the connect injector's interaction with
|
||||||
Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+).
|
Consul namespaces (requires consul-ent v1.7+).
|
||||||
Also, `global.enableConsulNamespaces` must be true.
|
Also, `global.enableConsulNamespaces` must be true.
|
||||||
|
|
||||||
- `consulDestinationNamespace` ((#v-connectinject-consulnamespaces-consuldestinationnamespace)) (`string: default`) - Name of the Consul namespace to register all
|
- `consulDestinationNamespace` ((#v-connectinject-consulnamespaces-consuldestinationnamespace)) (`string: default`) - Name of the Consul namespace to register all
|
||||||
|
@ -1268,7 +1309,7 @@ and consider if they're appropriate for your deployment.
|
||||||
See https://www.consul.io/docs/acl/acl-auth-methods.html#binding-rules
|
See https://www.consul.io/docs/acl/acl-auth-methods.html#binding-rules
|
||||||
and https://www.consul.io/docs/acl/auth-methods/kubernetes.html#trusted-identity-attributes
|
and https://www.consul.io/docs/acl/auth-methods/kubernetes.html#trusted-identity-attributes
|
||||||
for more details.
|
for more details.
|
||||||
Requires Consul >= v1.5 and consul-k8s >= v0.8.0.
|
Requires Consul >= v1.5.
|
||||||
|
|
||||||
- `overrideAuthMethodName` ((#v-connectinject-overrideauthmethodname)) (`string: ""`) - If you are not using global.acls.manageSystemACLs and instead manually setting up an
|
- `overrideAuthMethodName` ((#v-connectinject-overrideauthmethodname)) (`string: ""`) - If you are not using global.acls.manageSystemACLs and instead manually setting up an
|
||||||
auth method for Connect inject, set this to the name of your auth method.
|
auth method for Connect inject, set this to the name of your auth method.
|
||||||
|
@ -1320,7 +1361,7 @@ and consider if they're appropriate for your deployment.
|
||||||
|
|
||||||
- `replicas` ((#v-controller-replicas)) (`integer: 1`) - The number of deployment replicas.
|
- `replicas` ((#v-controller-replicas)) (`integer: 1`) - The number of deployment replicas.
|
||||||
|
|
||||||
- `logLevel` ((#v-controller-loglevel)) (`string: info`) - Log verbosity level. One of "debug", "info", "warn", or "error".
|
- `logLevel` ((#v-controller-loglevel)) (`string: ""`) - Log verbosity level. One of "debug", "info", "warn", or "error".
|
||||||
|
|
||||||
- `serviceAccount` ((#v-controller-serviceaccount))
|
- `serviceAccount` ((#v-controller-serviceaccount))
|
||||||
|
|
||||||
|
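Review bot: `controller.logLevel` changes its default from `info` to `""` exactly as `connectInject.logLevel` does, but its description is left as "Log verbosity level" with no mention of the global override or of what the empty default falls back to; align the wording with the `connectInject` entry and document the fallback so the two keys read consistently.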
@ -1350,7 +1391,6 @@ and consider if they're appropriate for your deployment.
|
||||||
`global.acls.manageSystemACLs`).
|
`global.acls.manageSystemACLs`).
|
||||||
|
|
||||||
If running Consul OSS, requires permissions:
|
If running Consul OSS, requires permissions:
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
operator = "write"
|
operator = "write"
|
||||||
service_prefix "" {
|
service_prefix "" {
|
||||||
|
@ -1358,7 +1398,6 @@ and consider if they're appropriate for your deployment.
|
||||||
intentions = "write"
|
intentions = "write"
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
If running Consul Enterprise, talk to your account manager for assistance.
|
If running Consul Enterprise, talk to your account manager for assistance.
|
||||||
|
|
||||||
- `secretName` ((#v-controller-acltoken-secretname)) (`string: null`) - The name of the Kubernetes secret.
|
- `secretName` ((#v-controller-acltoken-secretname)) (`string: null`) - The name of the Kubernetes secret.
|
||||||
|
@ -1372,7 +1411,7 @@ and consider if they're appropriate for your deployment.
|
||||||
- `enabled` ((#v-meshgateway-enabled)) (`boolean: false`) - If mesh gateways are enabled, a Deployment will be created that runs
|
- `enabled` ((#v-meshgateway-enabled)) (`boolean: false`) - If mesh gateways are enabled, a Deployment will be created that runs
|
||||||
gateways and Consul Connect will be configured to use gateways.
|
gateways and Consul Connect will be configured to use gateways.
|
||||||
See https://www.consul.io/docs/connect/mesh_gateway.html
|
See https://www.consul.io/docs/connect/mesh_gateway.html
|
||||||
Requirements: consul 1.6.0+ and consul-k8s 0.15.0+ if using
|
Requirements: consul 1.6.0+ if using
|
||||||
global.acls.manageSystemACLs.
|
global.acls.manageSystemACLs.
|
||||||
|
|
||||||
- `replicas` ((#v-meshgateway-replicas)) (`integer: 2`) - Number of replicas for the Deployment.
|
- `replicas` ((#v-meshgateway-replicas)) (`integer: 2`) - Number of replicas for the Deployment.
|
||||||
|
@ -1500,8 +1539,7 @@ and consider if they're appropriate for your deployment.
|
||||||
specific gateway with the exception of annotations. Annotations will
|
specific gateway with the exception of annotations. Annotations will
|
||||||
include both the default annotations and any additional ones defined
|
include both the default annotations and any additional ones defined
|
||||||
for a specific gateway.
|
for a specific gateway.
|
||||||
Requirements: consul >= 1.8.0 and consul-k8s >= 0.16.0 if using
|
Requirements: consul >= 1.8.0
|
||||||
global.acls.manageSystemACLs and consul-k8s >= 0.10.0 if not.
|
|
||||||
|
|
||||||
- `enabled` ((#v-ingressgateways-enabled)) (`boolean: false`) - Enable ingress gateway deployment. Requires `connectInject.enabled=true`
|
- `enabled` ((#v-ingressgateways-enabled)) (`boolean: false`) - Enable ingress gateway deployment. Requires `connectInject.enabled=true`
|
||||||
and `client.enabled=true`.
|
and `client.enabled=true`.
|
||||||
|
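Review bot: the rewritten requirement line for ingress gateways drops the "if using global.acls.manageSystemACLs" qualifier together with the consul-k8s versions, so it now reads as an unconditional `consul >= 1.8.0` requirement and loses its trailing period; if the Consul version is still only required with managed ACLs, keep the qualifier (e.g. "Requirements: consul >= 1.8.0 if using global.acls.manageSystemACLs."), otherwise end the sentence with a period.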
@ -1595,8 +1633,7 @@ and consider if they're appropriate for your deployment.
|
||||||
specific gateway with the exception of annotations. Annotations will
|
specific gateway with the exception of annotations. Annotations will
|
||||||
include both the default annotations and any additional ones defined
|
include both the default annotations and any additional ones defined
|
||||||
for a specific gateway.
|
for a specific gateway.
|
||||||
Requirements: consul >= 1.8.0 and consul-k8s >= 0.16.0 if using
|
Requirements: consul >= 1.8.0
|
||||||
global.acls.manageSystemACLs and consul-k8s >= 0.10.0 if not.
|
|
||||||
|
|
||||||
- `enabled` ((#v-terminatinggateways-enabled)) (`boolean: false`) - Enable terminating gateway deployment. Requires `connectInject.enabled=true`
|
- `enabled` ((#v-terminatinggateways-enabled)) (`boolean: false`) - Enable terminating gateway deployment. Requires `connectInject.enabled=true`
|
||||||
and `client.enabled=true`.
|
and `client.enabled=true`.
|
||||||
|
|
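Review bot: same issue as the ingress gateways hunk, here for terminating gateways: "Requirements: consul >= 1.8.0" drops the "if using global.acls.manageSystemACLs" qualifier and the trailing period, so decide whether the Consul version requirement is unconditional and either restore the qualifier or terminate the sentence; the two gateway entries should say the same thing.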