mirror of https://github.com/status-im/consul.git
Update docs for consul-k8s v0.35.0 (#11349)
parent f801662f5c
commit f9e6831fa2
|
@ -131,25 +131,20 @@ Use these links to navigate to a particular top-level stanza.
|
|||
- `enablePodSecurityPolicies` ((#v-global-enablepodsecuritypolicies)) (`boolean: false`) - Controls whether pod security policies are created for the Consul components
|
||||
created by this chart. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/.
|
||||
|
||||
- `gossipEncryption` ((#v-global-gossipencryption)) - Configures which Kubernetes secret to retrieve Consul's
|
||||
gossip encryption key from (see `-encrypt` (https://consul.io/docs/agent/options#_encrypt)). If secretName or
|
||||
secretKey are not set, gossip encryption will not be enabled. The secret must
|
||||
be in the same namespace that Consul is installed into.
|
||||
- `gossipEncryption` ((#v-global-gossipencryption)) - Configures Consul's gossip encryption key, set as a Kubernetes secret
|
||||
(see `-encrypt` (https://consul.io/docs/agent/options#_encrypt)).
|
||||
By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually.
|
||||
The recommended method is to automatically generate the key.
|
||||
To automatically generate and set a gossip encryption key, set autoGenerate to true.
|
||||
Values for secretName and secretKey should not be set if autoGenerate is true.
|
||||
To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate
|
||||
a Kubernetes secret referencing these values.
|
||||
|
||||
The secret can be created by running:
|
||||
|
||||
```shell
|
||||
```
|
||||
$ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen)
|
||||
```
|
||||
|
||||
To reference, use:
|
||||
|
||||
```yaml
|
||||
global:
|
||||
gossipEncryption:
|
||||
secretName: consul-gossip-encryption-key
|
||||
secretKey: key
|
||||
```
|
||||
- `autoGenerate` ((#v-global-gossipencryption-autogenerate)) (`boolean: false`) - Automatically generate a gossip encryption key and save it to a Kubernetes secret.
|
||||
|
||||
- `secretName` ((#v-global-gossipencryption-secretname)) (`string: ""`) - secretName is the name of the Kubernetes secret that holds the gossip
|
||||
encryption key. The secret must be in the same namespace that Consul is installed into.
|
||||
|
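Review bot: The new `gossipEncryption` text says values for secretName and secretKey "should not be set if autoGenerate is true", but it never says what the chart does when both are supplied, and neither this paragraph nor the `autoGenerate` entry names the Kubernetes secret the generated key is saved to. Please state the precedence (or that the install fails) and the name of the generated secret, so operators can locate, back up and rotate the key. Separately, "use Consul to generate a Kubernetes secret referencing these values" reads as if Consul creates the secret; in the command shown, `consul keygen` produces the key and `kubectl create secret` stores it. Put `autoGenerate`, `secretName` and `secretKey` in backticks in the prose to match the entries below, and check that only one fence opener precedes the `kubectl` line, since the hunk shows a `shell` opener followed by a bare fence.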
@ -450,7 +445,7 @@ Use these links to navigate to a particular top-level stanza.
|
|||
Note: if running on OpenShift, this setting is ignored because the user and group are set automatically
|
||||
by the OpenShift platform.
|
||||
|
||||
- `containerSecurityContext` ((#v-server-containersecuritycontext)) (`map`) - The container securityContext for each container in the server pods. In
|
||||
- `containerSecurityContext` ((#v-server-containersecuritycontext)) (`map`) - The container securityContext for each container in the server pods. In
|
||||
addition to the Pod's SecurityContext this can
|
||||
set the capabilities of processes running in the container and ensure the
|
||||
root file systems in the container is read-only.
|
||||
|
@ -521,6 +516,17 @@ Use these links to navigate to a particular top-level stanza.
|
|||
configured to automatically load HCL/JSON configuration files from this volume
|
||||
with `-config-dir`. This defaults to false.
|
||||
|
||||
- `extraContainers` ((#v-server-extracontainers)) (`array<map>`) - A list of sidecar containers.
|
||||
Example:
|
||||
|
||||
```yaml
|
||||
extraContainers:
|
||||
- name: extra-container
|
||||
image: example-image:latest
|
||||
command:
|
||||
- ...
|
||||
```
|
||||
|
||||
- `affinity` ((#v-server-affinity)) (`string`) - This value defines the affinity (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
|
||||
for server pods. It defaults to allowing only a single server pod on each node, which
|
||||
minimizes risk of the cluster becoming unusable if a node is lost. If you need
|
||||
|
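Review bot: The `extraContainers` example for server pods uses `image: example-image:latest`; a mutable tag in reference documentation tends to be copied into real values files, so show a pinned version or digest instead. The entry should also say whether `server.containerSecurityContext`, documented above as applying to "each container in the server pods", is applied to these sidecars or whether each list item has to carry its own `securityContext`.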
@ -720,7 +726,7 @@ Use these links to navigate to a particular top-level stanza.
|
|||
Note: if running on OpenShift, this setting is ignored because the user and group are set automatically
|
||||
by the OpenShift platform.
|
||||
|
||||
- `containerSecurityContext` ((#v-client-containersecuritycontext)) (`map`) - The container securityContext for each container in the client pods. In
|
||||
- `containerSecurityContext` ((#v-client-containersecuritycontext)) (`map`) - The container securityContext for each container in the client pods. In
|
||||
addition to the Pod's SecurityContext this can
|
||||
set the capabilities of processes running in the container and ensure the
|
||||
root file systems in the container is read-only.
|
||||
|
@ -776,6 +782,17 @@ Use these links to navigate to a particular top-level stanza.
|
|||
configured to automatically load HCL/JSON configuration files from this volume
|
||||
with `-config-dir`. This defaults to false.
|
||||
|
||||
- `extraContainers` ((#v-client-extracontainers)) (`array<map>`) - A list of sidecar containers.
|
||||
Example:
|
||||
|
||||
```yaml
|
||||
extraContainers:
|
||||
- name: extra-container
|
||||
image: example-image:latest
|
||||
command:
|
||||
- ...
|
||||
```
|
||||
|
||||
- `tolerations` ((#v-client-tolerations)) (`string: ""`) - Toleration Settings for Client pods
|
||||
This should be a multi-line string matching the Toleration array
|
||||
in a PodSpec.
|
||||
|
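Review bot: "A list of sidecar containers" for client pods does not say what schema each list item follows or which fields are accepted. Other entries in this file link to the Kubernetes documentation for their format (`affinity`, `namespaceSelector`); do the same here, and replace the `- ...` placeholder under `command:` with a concrete value so the example shows a usable container definition.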
@ -1004,7 +1021,7 @@ Use these links to navigate to a particular top-level stanza.
|
|||
```yaml
|
||||
tls:
|
||||
- hosts:
|
||||
- chart-example.local
|
||||
- chart-example.local
|
||||
secretName: testsecret-tls
|
||||
```
|
||||
|
||||
|
@ -1240,14 +1257,13 @@ Use these links to navigate to a particular top-level stanza.
|
|||
add prometheus annotations to connect-injected pods. It will also
|
||||
add a listener on the Envoy sidecar to expose metrics. The exposed
|
||||
metrics will depend on whether metrics merging is enabled:
|
||||
|
||||
- If metrics merging is enabled:
|
||||
the Consul sidecar will run a merged metrics server
|
||||
combining Envoy sidecar and Connect service metrics,
|
||||
i.e. if your service exposes its own Prometheus metrics.
|
||||
- If metrics merging is disabled:
|
||||
the listener will just expose Envoy sidecar metrics.
|
||||
This will inherit from `global.metrics.enabled`.
|
||||
- If metrics merging is enabled:
|
||||
the Consul sidecar will run a merged metrics server
|
||||
combining Envoy sidecar and Connect service metrics,
|
||||
i.e. if your service exposes its own Prometheus metrics.
|
||||
- If metrics merging is disabled:
|
||||
the listener will just expose Envoy sidecar metrics.
|
||||
This will inherit from `global.metrics.enabled`.
|
||||
|
||||
- `defaultEnableMerging` ((#v-connectinject-metrics-defaultenablemerging)) (`boolean: false`) - Configures the Consul sidecar to run a merged metrics server
|
||||
to combine and serve both Envoy and Connect service metrics.
|
||||
|
@ -1260,14 +1276,14 @@ Use these links to navigate to a particular top-level stanza.
|
|||
- `defaultPrometheusScrapePort` ((#v-connectinject-metrics-defaultprometheusscrapeport)) (`integer: 20200`) - Configures the port Prometheus will scrape metrics from, by configuring
|
||||
the Pod annotation `prometheus.io/port` and the corresponding listener in
|
||||
the Envoy sidecar.
|
||||
NOTE: This is _not_ the port that your application exposes metrics on.
|
||||
NOTE: This is *not* the port that your application exposes metrics on.
|
||||
That can be configured with the
|
||||
`consul.hashicorp.com/service-metrics-port` annotation.
|
||||
|
||||
- `defaultPrometheusScrapePath` ((#v-connectinject-metrics-defaultprometheusscrapepath)) (`string: /metrics`) - Configures the path Prometheus will scrape metrics from, by configuring the pod
|
||||
annotation `prometheus.io/path` and the corresponding handler in the Envoy
|
||||
sidecar.
|
||||
NOTE: This is _not_ the path that your application exposes metrics on.
|
||||
NOTE: This is *not* the path that your application exposes metrics on.
|
||||
That can be configured with the
|
||||
`consul.hashicorp.com/service-metrics-path` annotation.
|
||||
|
||||
|
@ -1302,7 +1318,7 @@ Use these links to navigate to a particular top-level stanza.
|
|||
which can lead to hangs. In these environments it is recommend to use "Ignore" instead.
|
||||
This setting can be safely disabled by setting to "Ignore".
|
||||
|
||||
- `namespaceSelector` ((#v-connectinject-namespaceselector)) (`string: null`) - Selector for restricting the webhook to only specific namespaces.
|
||||
- `namespaceSelector` ((#v-connectinject-namespaceselector)) (`string: null`) - Selector for restricting the webhook to only specific namespaces.
|
||||
Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string.
|
||||
See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
|
||||
for more details.
|
||||
|
@ -1469,7 +1485,6 @@ Use these links to navigate to a particular top-level stanza.
|
|||
`global.acls.manageSystemACLs`).
|
||||
|
||||
If running Consul OSS, requires permissions:
|
||||
|
||||
```hcl
|
||||
operator = "write"
|
||||
service_prefix "" {
|
||||
|
@ -1477,7 +1492,6 @@ Use these links to navigate to a particular top-level stanza.
|
|||
intentions = "write"
|
||||
}
|
||||
```
|
||||
|
||||
If running Consul Enterprise, talk to your account manager for assistance.
|
||||
|
||||
- `secretName` ((#v-controller-acltoken-secretname)) (`string: null`) - The name of the Kubernetes secret.
|
||||
|
@ -1592,6 +1606,8 @@ Use these links to navigate to a particular top-level stanza.
|
|||
|
||||
- `initCopyConsulContainer` ((#v-meshgateway-initcopyconsulcontainer)) (`map`) - Resource settings for the `copy-consul-bin` init container.
|
||||
|
||||
- `initServiceInitContainer` ((#v-meshgateway-initserviceinitcontainer)) (`map`) - Resource settings for the `service-init` init container.
|
||||
|
||||
- `affinity` ((#v-meshgateway-affinity)) (`string`) - By default, we set an anti-affinity so that two gateway pods won't be
|
||||
on the same node. NOTE: Gateways require that Consul client agents are
|
||||
also running on the nodes alongside each gateway pod.
|
||||
|
|