mirror of https://github.com/status-im/consul.git
1598 lines
83 KiB
Plaintext
1598 lines
83 KiB
Plaintext
---
|
||
layout: docs
|
||
page_title: Helm Chart Configuration
|
||
sidebar_title: Helm Chart Configuration
|
||
description: Configuration for the Consul Helm chart.
|
||
---
|
||
|
||
# Helm Chart Configuration
|
||
|
||
## Configuration (Values)
|
||
|
||
The chart is highly customizable using
|
||
[Helm configuration values](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
|
||
Each value has a sane default tuned for an optimal getting started experience
|
||
with Consul. Before going into production, please review the parameters below
|
||
and consider if they're appropriate for your deployment.
|
||
|
||
<!-- DO NOT EDIT. The docs below are generated automatically. To change, edit
|
||
the consul-helm repo's values.yaml file -->
|
||
<!-- codegen: start -->
|
||
|
||
- `global` ((#v-global)) - Holds values that affect multiple components of the chart.
|
||
|
||
- `enabled` ((#v-global-enabled)) (`boolean: true`) - The main enabled/disabled setting. If true, servers,
|
||
clients, Consul DNS and the Consul UI will be enabled. Each component can override
|
||
this default via its component-specific "enabled" config. If false, no components
|
||
will be installed by default and per-component opt-in is required, such as by
|
||
setting `server.enabled` to true.
|
||
|
||
- `name` ((#v-global-name)) (`string: null`) - Set the prefix used for all resources in the Helm chart. If not set,
|
||
the prefix will be `<helm release name>-consul`.
|
||
|
||
- `domain` ((#v-global-domain)) (`string: consul`) - The domain Consul will answer DNS queries for
|
||
(see `-domain` (https://consul.io/docs/agent/options#_domain)) and the domain services synced from
|
||
Consul into Kubernetes will have, e.g. `service-name.service.consul`.
|
||
|
||
- `image` ((#v-global-image)) (`string: hashicorp/consul:<latest version>`) - The name (and tag) of the Consul Docker image for clients and servers.
|
||
This can be overridden per component. This should be pinned to a specific
|
||
version tag, otherwise you may inadvertently upgrade your Consul version.
|
||
|
||
Examples:
|
||
|
||
```yaml
|
||
# Consul 1.5.0
|
||
image: "consul:1.5.0"
|
||
# Consul Enterprise 1.5.0
|
||
image: "hashicorp/consul-enterprise:1.5.0-ent"
|
||
```
|
||
|
||
- `imagePullSecrets` ((#v-global-imagepullsecrets)) (`array<map>`) - Array of objects containing image pull secret names that will be applied to each service account.
|
||
This can be used to reference image pull secrets if using a custom consul or consul-k8s Docker image.
|
||
See https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry for reference.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
imagePullSecrets:
|
||
- name: pull-secret-name
|
||
- name: pull-secret-name-2
|
||
```
|
||
|
||
- `imageK8S` ((#v-global-imagek8s)) (`string: hashicorp/consul-k8s:<latest version>`) - The name (and tag) of the consul-k8s (https://github.com/hashicorp/consul-k8s)
|
||
Docker image that is used for functionality such the catalog sync.
|
||
This can be overridden per component.
|
||
|
||
- `datacenter` ((#v-global-datacenter)) (`string: dc1`) - The name of the datacenter that the agents should
|
||
register as. This can't be changed once the Consul cluster is up and running
|
||
since Consul doesn't support an automatic way to change this value currently:
|
||
https://github.com/hashicorp/consul/issues/1858.
|
||
|
||
- `enablePodSecurityPolicies` ((#v-global-enablepodsecuritypolicies)) (`boolean: false`) - Controls whether pod security policies are created for the Consul components
|
||
created by this chart. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/.
|
||
|
||
- `gossipEncryption` ((#v-global-gossipencryption)) - Configures which Kubernetes secret to retrieve Consul's
|
||
gossip encryption key from (see `-encrypt` (https://consul.io/docs/agent/options#_encrypt)). If secretName or
|
||
secretKey are not set, gossip encryption will not be enabled. The secret must
|
||
be in the same namespace that Consul is installed into.
|
||
|
||
The secret can be created by running:
|
||
|
||
```shell
|
||
$ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen)
|
||
```
|
||
|
||
To reference, use:
|
||
|
||
```yaml
|
||
global:
|
||
gossipEncryption:
|
||
secretName: consul-gossip-encryption-key
|
||
secretKey: key
|
||
```
|
||
|
||
- `secretName` ((#v-global-gossipencryption-secretname)) (`string: ""`) - secretName is the name of the Kubernetes secret that holds the gossip
|
||
encryption key. The secret must be in the same namespace that Consul is installed into.
|
||
|
||
- `secretKey` ((#v-global-gossipencryption-secretkey)) (`string: ""`) - secretKey is the key within the Kubernetes secret that holds the gossip
|
||
encryption key.
|
||
|
||
- `tls` ((#v-global-tls)) - Enables TLS (https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure)
|
||
across the cluster to verify authenticity of the Consul servers and clients.
|
||
Requires Consul v1.4.1+ and consul-k8s v0.16.2+
|
||
|
||
- `enabled` ((#v-global-tls-enabled)) (`boolean: false`) - If true, the Helm chart will enable TLS for Consul
|
||
servers and clients and all consul-k8s components, as well as generate certificate
|
||
authority (optional) and server and client certificates.
|
||
|
||
- `enableAutoEncrypt` ((#v-global-tls-enableautoencrypt)) (`boolean: false`) - If true, turns on the auto-encrypt feature on clients and servers.
|
||
It also switches consul-k8s components to retrieve the CA from the servers
|
||
via the API. Requires Consul 1.7.1+ and consul-k8s 0.13.0
|
||
|
||
- `serverAdditionalDNSSANs` ((#v-global-tls-serveradditionaldnssans)) (`array<string>: []`) - A list of additional DNS names to set as Subject Alternative Names (SANs)
|
||
in the server certificate. This is useful when you need to access the
|
||
Consul server(s) externally, for example, if you're using the UI.
|
||
|
||
- `serverAdditionalIPSANs` ((#v-global-tls-serveradditionalipsans)) (`array<string>: []`) - A list of additional IP addresses to set as Subject Alternative Names (SANs)
|
||
in the server certificate. This is useful when you need to access the
|
||
Consul server(s) externally, for example, if you're using the UI.
|
||
|
||
- `verify` ((#v-global-tls-verify)) (`boolean: true`) - If true, `verify_outgoing`, `verify_server_hostname`,
|
||
and `verify_incoming_rpc` will be set to `true` for Consul servers and clients.
|
||
Set this to false to incrementally roll out TLS on an existing Consul cluster.
|
||
Please see https://consul.io/docs/k8s/operations/tls-on-existing-cluster
|
||
for more details.
|
||
|
||
- `httpsOnly` ((#v-global-tls-httpsonly)) (`boolean: true`) - If true, the Helm chart will configure Consul to disable the HTTP port on
|
||
both clients and servers and to only accept HTTPS connections.
|
||
|
||
- `caCert` ((#v-global-tls-cacert)) - A Kubernetes secret containing the certificate of the CA to use for
|
||
TLS communication within the Consul cluster. If you have generated the CA yourself
|
||
with the consul CLI, you could use the following command to create the secret
|
||
in Kubernetes:
|
||
|
||
```bash
|
||
kubectl create secret generic consul-ca-cert \
|
||
--from-file='tls.crt=./consul-agent-ca.pem'
|
||
```
|
||
|
||
- `secretName` ((#v-global-tls-cacert-secretname)) (`string: null`) - The name of the Kubernetes secret.
|
||
|
||
- `secretKey` ((#v-global-tls-cacert-secretkey)) (`string: null`) - The key of the Kubernetes secret.
|
||
|
||
- `caKey` ((#v-global-tls-cakey)) - A Kubernetes secret containing the private key of the CA to use for
|
||
TLS communication within the Consul cluster. If you have generated the CA yourself
|
||
with the consul CLI, you could use the following command to create the secret
|
||
in Kubernetes:
|
||
|
||
```bash
|
||
kubectl create secret generic consul-ca-key \
|
||
--from-file='tls.key=./consul-agent-ca-key.pem'
|
||
```
|
||
|
||
Note that we need the CA key so that we can generate server and client certificates.
|
||
It is particularly important for the client certificates since they need to have host IPs
|
||
as Subject Alternative Names. In the future, we may support bringing your own server
|
||
certificates.
|
||
|
||
- `secretName` ((#v-global-tls-cakey-secretname)) (`string: null`) - The name of the Kubernetes secret.
|
||
|
||
- `secretKey` ((#v-global-tls-cakey-secretkey)) (`string: null`) - The key of the Kubernetes secret.
|
||
|
||
- `enableConsulNamespaces` ((#v-global-enableconsulnamespaces)) (`boolean: false`) - <EnterpriseAlert inline /> `enableConsulNamespaces` indicates that you are running
|
||
Consul Enterprise v1.7+ with a valid Consul Enterprise license and would
|
||
like to make use of configuration beyond registering everything into
|
||
the `default` Consul namespace. Requires consul-k8s v0.12+. Additional configuration
|
||
options are found in the `consulNamespaces` section of both the catalog sync
|
||
and connect injector.
|
||
|
||
- `acls` ((#v-global-acls)) - Configure ACLs.
|
||
|
||
- `manageSystemACLs` ((#v-global-acls-managesystemacls)) (`boolean: false`) - If true, the Helm chart will automatically manage ACL tokens and policies
|
||
for all Consul and consul-k8s components.
|
||
This requires Consul >= 1.4 and consul-k8s >= 0.14.0.
|
||
|
||
- `bootstrapToken` ((#v-global-acls-bootstraptoken)) - A Kubernetes secret containing the bootstrap token to use for
|
||
creating policies and tokens for all Consul and consul-k8s components.
|
||
If set, we will skip ACL bootstrapping of the servers and will only
|
||
initialize ACLs for the Consul clients and consul-k8s system components.
|
||
Requires consul-k8s >= 0.14.0.
|
||
|
||
- `secretName` ((#v-global-acls-bootstraptoken-secretname)) (`string: null`) - The name of the Kubernetes secret.
|
||
|
||
- `secretKey` ((#v-global-acls-bootstraptoken-secretkey)) (`string: null`) - The key of the Kubernetes secret.
|
||
|
||
- `createReplicationToken` ((#v-global-acls-createreplicationtoken)) (`boolean: false`) - If true, an ACL token will be created that can be used in secondary
|
||
datacenters for replication. This should only be set to true in the
|
||
primary datacenter since the replication token must be created from that
|
||
datacenter.
|
||
In secondary datacenters, the secret needs to be imported from the primary
|
||
datacenter and referenced via `global.acls.replicationToken`.
|
||
Requires consul-k8s >= 0.13.0.
|
||
|
||
- `replicationToken` ((#v-global-acls-replicationtoken)) - replicationToken references a secret containing the replication ACL token.
|
||
This token will be used by secondary datacenters to perform ACL replication
|
||
and create ACL tokens and policies.
|
||
This value is ignored if `bootstrapToken` is also set.
|
||
Requires consul-k8s >= 0.13.0.
|
||
|
||
- `secretName` ((#v-global-acls-replicationtoken-secretname)) (`string: null`) - The name of the Kubernetes secret.
|
||
|
||
- `secretKey` ((#v-global-acls-replicationtoken-secretkey)) (`string: null`) - The key of the Kubernetes secret.
|
||
|
||
- `federation` ((#v-global-federation)) - Configure federation.
|
||
|
||
- `enabled` ((#v-global-federation-enabled)) (`boolean: false`) - If enabled, this datacenter will be federation-capable. Only federation
|
||
via mesh gateways is supported.
|
||
Mesh gateways and servers will be configured to allow federation.
|
||
Requires `global.tls.enabled`, `meshGateway.enabled` and `connectInject.enabled`
|
||
to be true. Requires Consul 1.8+.
|
||
|
||
- `createFederationSecret` ((#v-global-federation-createfederationsecret)) (`boolean: false`) - If true, the chart will create a Kubernetes secret that can be imported
|
||
into secondary datacenters so they can federate with this datacenter. The
|
||
secret contains all the information secondary datacenters need to contact
|
||
and authenticate with this datacenter. This should only be set to true
|
||
in your primary datacenter. The secret name is
|
||
`<global.name>-federation` (if setting `global.name`), otherwise
|
||
`<helm-release-name>-consul-federation`. Requires consul-k8s 0.15.0+.
|
||
|
||
- `metrics` ((#v-global-metrics)) - Configures metrics for Consul service mesh
|
||
|
||
- `enabled` ((#v-global-metrics-enabled)) (`boolean: false`) - Configures the Helm chart’s components
|
||
to expose Prometheus metrics for the Consul service mesh. By default
|
||
this includes gateway metrics and sidecar metrics.
|
||
|
||
- `enableAgentMetrics` ((#v-global-metrics-enableagentmetrics)) (`boolean: false`) - Configures consul agent metrics. Only applicable if
|
||
`global.metrics.enabled` is true.
|
||
|
||
- `agentMetricsRetentionTime` ((#v-global-metrics-agentmetricsretentiontime)) (`string: 1m`) - Configures the retention time for metrics in Consul clients and
|
||
servers. This must be greater than 0 for Consul clients and servers
|
||
to expose any metrics at all.
|
||
Only applicable if `global.metrics.enabled` is true.
|
||
|
||
- `enableGatewayMetrics` ((#v-global-metrics-enablegatewaymetrics)) (`boolean: true`) - If true, mesh, terminating, and ingress gateways will expose their
|
||
Envoy metrics on port `20200` at the `/metrics` path and all gateway pods
|
||
will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true.
|
||
|
||
- `consulSidecarContainer` ((#v-global-consulsidecarcontainer)) (`map`) - The consul sidecar ensures the Consul services
|
||
are always registered with their local Consul clients and is used by the
|
||
ingress/terminating/mesh gateways as well as with every Connect-injected service.
|
||
|
||
- `imageEnvoy` ((#v-global-imageenvoy)) (`string: envoyproxy/envoy-alpine:<latest supported version>`) - The name (and tag) of the Envoy Docker image used for the
|
||
connect-injected sidecar proxies and mesh, terminating, and ingress gateways.
|
||
See https://www.consul.io/docs/connect/proxies/envoy for full compatibility matrix between Consul and Envoy.
|
||
|
||
- `openshift` ((#v-global-openshift)) - Configuration for running this Helm chart on the Red Hat OpenShift platform.
|
||
This Helm chart currently supports OpenShift v4.x+.
|
||
|
||
- `enabled` ((#v-global-openshift-enabled)) (`boolean: false`) - If true, the Helm chart will create necessary configuration for running
|
||
its components on OpenShift.
|
||
|
||
- `server` ((#v-server)) - Server, when enabled, configures a server cluster to run. This should
|
||
be disabled if you plan on connecting to a Consul cluster external to
|
||
the Kube cluster.
|
||
|
||
- `enabled` ((#v-server-enabled)) (`boolean: global.enabled`) - If true, the chart will install all the resources necessary for a
|
||
Consul server cluster. If you're running Consul externally and want agents
|
||
within Kubernetes to join that cluster, this should probably be false.
|
||
|
||
- `image` ((#v-server-image)) (`string: null`) - The name of the Docker image (including any tag) for the containers running
|
||
Consul server agents.
|
||
|
||
- `replicas` ((#v-server-replicas)) (`integer: 3`) - The number of server agents to run. This determines the fault tolerance of
|
||
the cluster. Please see the deployment table (https://consul.io/docs/internals/consensus#deployment-table)
|
||
for more information.
|
||
|
||
- `bootstrapExpect` ((#v-server-bootstrapexpect)) (`int: null`) - The number of servers that are expected to be running.
|
||
It defaults to server.replicas.
|
||
In most cases the default should be used, however if there are more
|
||
servers in this datacenter than server.replicas it might make sense
|
||
to override the default. This would be the case if two kube clusters
|
||
were joined into the same datacenter and each cluster ran a certain number
|
||
of servers.
|
||
|
||
- `enterpriseLicense` ((#v-server-enterpriselicense)) - <EnterpriseAlert inline /> This value refers to a Kubernetes secret that you have created
|
||
that contains your enterprise license. It is required if you are using an
|
||
enterprise binary. Defining it here applies it to your cluster once a leader
|
||
has been elected. If you are not using an enterprise image or if you plan to
|
||
introduce the license key via another route, then set these fields to null.
|
||
Note: the job to apply license runs on both Helm installs and upgrades.
|
||
|
||
- `secretName` ((#v-server-enterpriselicense-secretname)) (`string: null`) - The name of the Kubernetes secret that holds the enterprise license.
|
||
The secret must be in the same namespace that Consul is installed into.
|
||
|
||
- `secretKey` ((#v-server-enterpriselicense-secretkey)) (`string: null`) - The key within the Kubernetes secret that holds the enterprise license.
|
||
|
||
- `exposeGossipAndRPCPorts` ((#v-server-exposegossipandrpcports)) (`boolean: false`) - Exposes the servers' gossip and RPC ports as hostPorts. To enable a client
|
||
agent outside of the k8s cluster to join the datacenter, you would need to
|
||
enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and
|
||
set `server.ports.serflan.port` to a port not being used on the host. Since
|
||
`client.exposeGossipPorts` uses the hostPort 8301,
|
||
`server.ports.serflan.port` must be set to something other than 8301.
|
||
|
||
- `ports` ((#v-server-ports)) - Configures ports for the consul servers.
|
||
|
||
- `serflan` ((#v-server-ports-serflan)) - Configures the LAN gossip port for the consul servers. If you choose to
|
||
enable `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`,
|
||
that will configure the LAN gossip ports on the servers and clients to be
|
||
hostPorts, so if you are running clients and servers on the same node the
|
||
ports will conflict if they are both 8301. When you enable
|
||
`server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, you must
|
||
change this from the default to an unused port on the host, e.g. 9301. By
|
||
default the LAN gossip port is 8301 and configured as a containerPort on
|
||
the consul server Pods.
|
||
|
||
- `port` ((#v-server-ports-serflan-port)) (`integer: 8301`)
|
||
|
||
- `storage` ((#v-server-storage)) (`string: 10Gi`) - This defines the disk size for configuring the
|
||
servers' StatefulSet storage. For dynamically provisioned storage classes, this is the
|
||
desired size. For manually defined persistent volumes, this should be set to
|
||
the disk size of the attached volume.
|
||
|
||
- `storageClass` ((#v-server-storageclass)) (`string: null`) - The StorageClass to use for the servers' StatefulSet storage. It must be
|
||
able to be dynamically provisioned if you want the storage
|
||
to be automatically created. For example, to use local
|
||
(https://kubernetes.io/docs/concepts/storage/storage-classes/#local)
|
||
storage classes, the PersistentVolumeClaims would need to be manually created.
|
||
A `null` value will use the Kubernetes cluster's default StorageClass. If a default
|
||
StorageClass does not exist, you will need to create one.
|
||
|
||
- `connect` ((#v-server-connect)) (`boolean: true`) - This will enable/disable Connect (https://consul.io/docs/connect). Setting this to true
|
||
_will not_ automatically secure pod communication, this
|
||
setting will only enable usage of the feature. Consul will automatically initialize
|
||
a new CA and set of certificates. Additional Connect settings can be configured
|
||
by setting the `server.extraConfig` value.
|
||
|
||
- `resources` ((#v-server-resources)) (`map`) - The resource requests (CPU, memory, etc.)
|
||
for each of the server agents. This should be a YAML map corresponding to a Kubernetes
|
||
ResourceRequirements (https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core)
|
||
object. NOTE: The use of a YAML string is deprecated.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
resources:
|
||
requests:
|
||
memory: '100Mi'
|
||
cpu: '100m'
|
||
limits:
|
||
memory: '100Mi'
|
||
cpu: '100m'
|
||
```
|
||
|
||
- `securityContext` ((#v-server-securitycontext)) (`map`) - The security context for the server pods. This should be a YAML map corresponding to a
|
||
Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object.
|
||
By default, servers will run as non-root, with user ID `100` and group ID `1000`,
|
||
which correspond to the consul user and group created by the Consul docker image.
|
||
Note: if running on OpenShift, this setting is ignored because the user and group are set automatically
|
||
by the OpenShift platform.
|
||
|
||
- `updatePartition` ((#v-server-updatepartition)) (`integer: 0`) - This value is used to carefully
|
||
control a rolling update of Consul server agents. This value specifies the
|
||
partition (https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions)
|
||
for performing a rolling update. Please read the linked Kubernetes documentation
|
||
and https://www.consul.io/docs/k8s/upgrade#upgrading-consul-servers for more information.
|
||
|
||
- `disruptionBudget` ((#v-server-disruptionbudget)) - This configures the PodDisruptionBudget (https://kubernetes.io/docs/tasks/run-application/configure-pdb/)
|
||
for the server cluster.
|
||
|
||
- `enabled` ((#v-server-disruptionbudget-enabled)) (`boolean: true`) - This will enable/disable registering a PodDisruptionBudget for the server
|
||
cluster. If this is enabled, it will only register the budget so long as
|
||
the server cluster is enabled.
|
||
|
||
- `maxUnavailable` ((#v-server-disruptionbudget-maxunavailable)) (`integer: null`) - The maximum number of unavailable pods. By default, this will be
|
||
automatically computed based on the `server.replicas` value to be `(n/2)-1`.
|
||
If you need to set this to `0`, you will need to add a
|
||
--set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation
|
||
command because of a limitation in the Helm templating language.
|
||
|
||
- `extraConfig` ((#v-server-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul
|
||
servers. This will be saved as-is into a ConfigMap that is read by the Consul
|
||
server agents. This can be used to add additional configuration that
|
||
isn't directly exposed by the chart.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
extraConfig: |
|
||
{
|
||
"log_level": "DEBUG"
|
||
}
|
||
```
|
||
|
||
This can also be set using Helm's `--set` flag using the following syntax:
|
||
|
||
```shell
|
||
--set 'server.extraConfig="{"log_level": "DEBUG"}"'
|
||
```
|
||
|
||
- `extraVolumes` ((#v-server-extravolumes)) (`array<map>`) - A list of extra volumes to mount for server agents. This
|
||
is useful for bringing in extra data that can be referenced by other configurations
|
||
at a well known path, such as TLS certificates or Gossip encryption keys. The
|
||
value of this should be a list of objects.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
extraVolumes:
|
||
- type: secret
|
||
name: consul-certs
|
||
load: false
|
||
```
|
||
|
||
Each object supports the following keys:
|
||
|
||
- `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive.
|
||
|
||
- `name` - Name of the configMap or secret to be mounted. This also controls
|
||
the path that it is mounted to. The volume will be mounted to `/consul/userconfig/<name>`.
|
||
|
||
- `load` - If true, then the agent will be
|
||
configured to automatically load HCL/JSON configuration files from this volume
|
||
with `-config-dir`. This defaults to false.
|
||
|
||
- `affinity` ((#v-server-affinity)) (`string`) - This value defines the affinity (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
|
||
for server pods. It defaults to allowing only a single server pod on each node, which
|
||
minimizes risk of the cluster becoming unusable if a node is lost. If you need
|
||
to run more pods per node (for example, testing on Minikube), set this value
|
||
to `null`.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
affinity: |
|
||
podAntiAffinity:
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
- labelSelector:
|
||
matchLabels:
|
||
app: {{ template "consul.name" . }}
|
||
release: "{{ .Release.Name }}"
|
||
component: server
|
||
topologyKey: kubernetes.io/hostname
|
||
```
|
||
|
||
- `tolerations` ((#v-server-tolerations)) (`string: ""`) - Toleration settings for server pods. This
|
||
should be a multi-line string matching the Tolerations
|
||
(https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec.
|
||
|
||
- `nodeSelector` ((#v-server-nodeselector)) (`string: null`) - This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
|
||
labels for server pod assignment, formatted as a multi-line string.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
nodeSelector: |
|
||
beta.kubernetes.io/arch: amd64
|
||
```
|
||
|
||
- `priorityClassName` ((#v-server-priorityclassname)) (`string: ""`) - This value references an existing
|
||
Kubernetes `priorityClassName` (https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority)
|
||
that can be assigned to server pods.
|
||
|
||
- `extraLabels` ((#v-server-extralabels)) (`map`) - Extra labels to attach to the server pods. This should be a YAML map.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
extraLabels:
|
||
labelKey: label-value
|
||
anotherLabelKey: another-label-value
|
||
```
|
||
|
||
- `annotations` ((#v-server-annotations)) (`string: null`) - This value defines additional annotations for
|
||
server pods. This should be formatted as a multi-line string.
|
||
|
||
```yaml
|
||
annotations: |
|
||
"sample/annotation1": "foo"
|
||
"sample/annotation2": "bar"
|
||
```
|
||
|
||
- `service` ((#v-server-service)) - Server service properties.
|
||
|
||
- `annotations` ((#v-server-service-annotations)) (`string: null`) - Annotations to apply to the server service.
|
||
|
||
```yaml
|
||
annotations: |
|
||
"annotation-key": "annotation-value"
|
||
```
|
||
|
||
- `extraEnvironmentVars` ((#v-server-extraenvironmentvars)) (`map`) - A list of extra environment variables to set within the stateful set.
|
||
These could be used to include proxy settings required for cloud auto-join
|
||
feature, in case kubernetes cluster is behind egress http proxies. Additionally,
|
||
it could be used to configure custom consul parameters.
|
||
|
||
- `externalServers` ((#v-externalservers)) - Configuration for Consul servers when the servers are running outside of Kubernetes.
|
||
When running external servers, configuring these values is recommended
|
||
if setting `global.tls.enableAutoEncrypt` to true (requires consul-k8s >= 0.13.0)
|
||
or `global.acls.manageSystemACLs` to true (requires consul-k8s >= 0.14.0).
|
||
|
||
- `enabled` ((#v-externalservers-enabled)) (`boolean: false`) - If true, the Helm chart will be configured to talk to the external servers.
|
||
If setting this to true, you must also set `server.enabled` to false.
|
||
|
||
- `hosts` ((#v-externalservers-hosts)) (`array<string>: []`) - An array of external Consul server hosts that are used to make
|
||
HTTPS connections from the components in this Helm chart.
|
||
Valid values include IPs, DNS names, or Cloud auto-join string.
|
||
The port must be provided separately below.
|
||
Note: `client.join` must also be set to the hosts that should be
|
||
used to join the cluster. In most cases, the `client.join` values
|
||
should be the same, however, they may be different if you
|
||
wish to use separate hosts for the HTTPS connections.
|
||
|
||
- `httpsPort` ((#v-externalservers-httpsport)) (`integer: 8501`) - The HTTPS port of the Consul servers.
|
||
|
||
- `tlsServerName` ((#v-externalservers-tlsservername)) (`string: null`) - The server name to use as the SNI host header when connecting with HTTPS.
|
||
|
||
- `useSystemRoots` ((#v-externalservers-usesystemroots)) (`boolean: false`) - If true, consul-k8s components will ignore the CA set in
|
||
`global.tls.caCert` when making HTTPS calls to Consul servers and
|
||
will instead use the consul-k8s image's system CAs for TLS verification.
|
||
If false, consul-k8s components will use `global.tls.caCert` when
|
||
making HTTPS calls to Consul servers.
|
||
**NOTE:** This does not affect Consul's internal RPC communication which will
|
||
always use `global.tls.caCert`.
|
||
|
||
- `k8sAuthMethodHost` ((#v-externalservers-k8sauthmethodhost)) (`string: null`) - If you are setting `global.acls.manageSystemACLs` and
|
||
`connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server.
|
||
This address must be reachable from the Consul servers.
|
||
Please see the Kubernetes Auth Method documentation (https://consul.io/docs/acl/auth-methods/kubernetes).
|
||
Requires consul-k8s >= 0.14.0.
|
||
|
||
You could retrieve this value from your `kubeconfig` by running:
|
||
|
||
```shell
|
||
kubectl config view \
|
||
-o jsonpath="{.clusters[?(@.name=='<your cluster name>')].cluster.server}"
|
||
```
|
||
|
||
- `client` ((#v-client)) - Values that configure running a Consul client on Kubernetes nodes.
|
||
|
||
- `enabled` ((#v-client-enabled)) (`boolean: global.enabled`) - If true, the chart will install all
|
||
the resources necessary for a Consul client on every Kubernetes node. This _does not_ require
|
||
`server.enabled`, since the agents can be configured to join an external cluster.
|
||
|
||
- `image` ((#v-client-image)) (`string: null`) - The name of the Docker image (including any tag) for the containers
|
||
running Consul client agents.
|
||
|
||
- `join` ((#v-client-join)) (`array<string>: null`) - A list of valid `-retry-join` values (https://consul.io/docs/agent/options#retry-join).
|
||
If this is `null` (default), then the clients will attempt to automatically
|
||
join the server cluster running within Kubernetes.
|
||
This means that with `server.enabled` set to true, clients will automatically
|
||
join that cluster. If `server.enabled` is not true, then a value must be
|
||
specified so the clients can join a valid cluster.
|
||
|
||
- `dataDirectoryHostPath` ((#v-client-datadirectoryhostpath)) (`string: null`) - An absolute path to a directory on the host machine to use as the Consul
|
||
client data directory. If set to the empty string or null, the Consul agent
|
||
will store its data in the Pod's local filesystem (which will
|
||
be lost if the Pod is deleted). Security Warning: If setting this, Pod Security
|
||
Policies _must_ be enabled on your cluster and in this Helm chart (via the
|
||
`global.enablePodSecurityPolicies` setting) to prevent other pods from
|
||
mounting the same host path and gaining access to all of Consul's data.
|
||
Consul's data is not encrypted at rest.
|
||
|
||
- `grpc` ((#v-client-grpc)) (`boolean: true`) - If true, agents will enable their GRPC listener on
|
||
port 8502 and expose it to the host. This will use slightly more resources, but is
|
||
required for Connect.
|
||
|
||
- `exposeGossipPorts` ((#v-client-exposegossipports)) (`boolean: false`) - If true, the Helm chart will expose the clients' gossip ports as hostPorts.
|
||
This is only necessary if pod IPs in the k8s cluster are not directly routable
|
||
and the Consul servers are outside of the k8s cluster.
|
||
This also changes the clients' advertised IP to the `hostIP` rather than `podIP`.
|
||
|
||
- `resources` ((#v-client-resources)) (`map`) - Resource settings for Client agents.
|
||
NOTE: The use of a YAML string is deprecated. Instead, set directly as a
|
||
YAML map.
|
||
|
||
- `securityContext` ((#v-client-securitycontext)) (`map`) - The security context for the client pods. This should be a YAML map corresponding to a
|
||
Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object.
|
||
By default, servers will run as non-root, with user ID `100` and group ID `1000`,
|
||
which correspond to the consul user and group created by the Consul docker image.
|
||
Note: if running on OpenShift, this setting is ignored because the user and group are set automatically
|
||
by the OpenShift platform.
|
||
|
||
- `extraConfig` ((#v-client-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul
|
||
clients. This will be saved as-is into a ConfigMap that is read by the Consul
|
||
client agents. This can be used to add additional configuration that
|
||
isn't directly exposed by the chart.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
extraConfig: |
|
||
{
|
||
"log_level": "DEBUG"
|
||
}
|
||
```
|
||
|
||
This can also be set using Helm's `--set` flag using the following syntax:
|
||
|
||
```shell
|
||
--set 'client.extraConfig="{"log_level": "DEBUG"}"'
|
||
```
|
||
|
||
- `extraVolumes` ((#v-client-extravolumes)) (`array<map>`) - A list of extra volumes to mount for client agents. This
|
||
is useful for bringing in extra data that can be referenced by other configurations
|
||
at a well known path, such as TLS certificates or Gossip encryption keys. The
|
||
value of this should be a list of objects.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
extraVolumes:
|
||
- type: secret
|
||
name: consul-certs
|
||
load: false
|
||
```
|
||
|
||
Each object supports the following keys:
|
||
|
||
- `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive.
|
||
|
||
- `name` - Name of the configMap or secret to be mounted. This also controls
|
||
the path that it is mounted to. The volume will be mounted to `/consul/userconfig/<name>`.
|
||
|
||
- `load` - If true, then the agent will be
|
||
configured to automatically load HCL/JSON configuration files from this volume
|
||
with `-config-dir`. This defaults to false.
|
||
|
||
- `tolerations` ((#v-client-tolerations)) (`string: ""`) - Toleration Settings for Client pods
|
||
This should be a multi-line string matching the Toleration array
|
||
in a PodSpec.
|
||
The example below will allow Client pods to run on every node
|
||
regardless of taints
|
||
|
||
```yaml
|
||
tolerations: |
|
||
- operator: Exists
|
||
```
|
||
|
||
- `nodeSelector` ((#v-client-nodeselector)) (`string: null`) - nodeSelector labels for client pod assignment, formatted as a multi-line string.
|
||
ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
nodeSelector: |
|
||
beta.kubernetes.io/arch: amd64
|
||
```
|
||
|
||
- `affinity` ((#v-client-affinity)) (`string: ""`) - Affinity Settings for Client pods, formatted as a multi-line YAML string.
|
||
ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
affinity: |
|
||
nodeAffinity:
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
nodeSelectorTerms:
|
||
- matchExpressions:
|
||
- key: node-role.kubernetes.io/master
|
||
operator: DoesNotExist
|
||
```
|
||
|
||
- `priorityClassName` ((#v-client-priorityclassname)) (`string: ""`) - This value references an existing
|
||
Kubernetes `priorityClassName` (https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority)
|
||
that can be assigned to client pods.
|
||
|
||
- `annotations` ((#v-client-annotations)) (`string: null`) - This value defines additional annotations for
|
||
client pods. This should be formatted as a multi-line string.
|
||
|
||
```yaml
|
||
annotations: |
|
||
"sample/annotation1": "foo"
|
||
"sample/annotation2": "bar"
|
||
```
|
||
|
||
- `extraLabels` ((#v-client-extralabels)) (`map`) - Extra labels to attach to the client pods. This should be a regular YAML map.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
extraLabels:
|
||
labelKey: label-value
|
||
anotherLabelKey: another-label-value
|
||
```
|
||
|
||
- `extraEnvironmentVars` ((#v-client-extraenvironmentvars)) (`map`) - A list of extra environment variables to set within the stateful set.
|
||
These could be used to include proxy settings required for cloud auto-join
|
||
feature, in case kubernetes cluster is behind egress http proxies. Additionally,
|
||
it could be used to configure custom consul parameters.
|
||
|
||
- `dnsPolicy` ((#v-client-dnspolicy)) (`string: null`) - This value defines the Pod DNS policy (https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy)
|
||
for client pods to use.
|
||
|
||
- `hostNetwork` ((#v-client-hostnetwork)) (`boolean: false`) - hostNetwork defines whether or not we use host networking instead of hostPort in the event
|
||
that a CNI plugin doesn't support `hostPort`. This has security implications and is not recommended
|
||
as doing so gives the consul client unnecessary access to all network traffic on the host.
|
||
In most cases, pod network and host network are on different networks so this should be
|
||
combined with `dnsPolicy: ClusterFirstWithHostNet`
|
||
|
||
- `updateStrategy` ((#v-client-updatestrategy)) (`string: null`) - updateStrategy for the DaemonSet.
|
||
See https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy.
|
||
This should be a multi-line string mapping directly to the updateStrategy
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
updateStrategy: |
|
||
rollingUpdate:
|
||
maxUnavailable: 5
|
||
type: RollingUpdate
|
||
```
|
||
|
||
- `snapshotAgent` ((#v-client-snapshotagent)) - <EnterpriseAlert inline /> Values for setting up and running snapshot agents
|
||
(https://consul.io/commands/snapshot/agent)
|
||
within the Consul clusters. They are required to be co-located with Consul clients,
|
||
so will inherit the clients' nodeSelector, tolerations and affinity.
|
||
|
||
- `enabled` ((#v-client-snapshotagent-enabled)) (`boolean: false`) - If true, the chart will install resources necessary to run the snapshot agent.
|
||
|
||
- `replicas` ((#v-client-snapshotagent-replicas)) (`integer: 2`) - The number of snapshot agents to run.
|
||
|
||
- `configSecret` ((#v-client-snapshotagent-configsecret)) - A Kubernetes secret that should be manually created to contain the entire
|
||
config to be used on the snapshot agent.
|
||
This is the preferred method of configuration since there are usually storage
|
||
credentials present. Please see Snapshot agent config (https://consul.io/commands/snapshot/agent#config-file-options)
|
||
for details.
|
||
|
||
- `secretName` ((#v-client-snapshotagent-configsecret-secretname)) (`string: null`) - The name of the Kubernetes secret.
|
||
|
||
- `secretKey` ((#v-client-snapshotagent-configsecret-secretkey)) (`string: null`) - The key of the Kubernetes secret.
|
||
|
||
- `resources` ((#v-client-snapshotagent-resources)) (`map`) - Resource settings for snapshot agent pods.
|
||
|
||
- `caCert` ((#v-client-snapshotagent-cacert)) (`string: null`) - Optional PEM-encoded CA certificate that will be added to the trusted system CAs.
|
||
Useful if using an S3-compatible storage exposing a self-signed certificate.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
caCert: |
|
||
-----BEGIN CERTIFICATE-----
|
||
MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx
|
||
...
|
||
```
|
||
|
||
- `dns` ((#v-dns)) - Configuration for DNS configuration within the Kubernetes cluster.
|
||
This creates a service that routes to all agents (client or server)
|
||
for serving DNS requests. This DOES NOT automatically configure kube-dns
|
||
today, so you must still manually configure a `stubDomain` with kube-dns
|
||
for this to have any effect:
|
||
https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers
|
||
|
||
- `enabled` ((#v-dns-enabled)) (`boolean: -`)
|
||
|
||
- `type` ((#v-dns-type)) (`string: ClusterIP`) - Used to control the type of service created. For
|
||
example, setting this to "LoadBalancer" will create an external load
|
||
balancer (for supported K8S installations)
|
||
|
||
- `clusterIP` ((#v-dns-clusterip)) (`string: null`) - Set a predefined cluster IP for the DNS service.
|
||
Useful if you need to reference the DNS service's IP
|
||
address in CoreDNS config.
|
||
|
||
- `annotations` ((#v-dns-annotations)) (`string: null`) - Extra annotations to attach to the dns service
|
||
This should be a multi-line string of
|
||
annotations to apply to the dns Service
|
||
|
||
- `additionalSpec` ((#v-dns-additionalspec)) (`string: null`) - Additional ServiceSpec values
|
||
This should be a multi-line string mapping directly to a Kubernetes
|
||
ServiceSpec object.
|
||
|
||
- `ui` ((#v-ui)) - Values that configure the Consul UI.
|
||
|
||
- `enabled` ((#v-ui-enabled)) (`boolean: global.enabled`) - If true, the UI will be enabled. This will
|
||
only _enable_ the UI, it doesn't automatically register any service for external
|
||
access. The UI will only be enabled on server agents. If `server.enabled` is
|
||
false, then this setting has no effect. To expose the UI in some way, you must
|
||
configure `ui.service`.
|
||
|
||
- `service` ((#v-ui-service)) - Configure the service for the Consul UI.
|
||
|
||
- `enabled` ((#v-ui-service-enabled)) (`boolean: true`) - This will enable/disable registering a
|
||
Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is
|
||
true and taking effect.
|
||
|
||
- `type` ((#v-ui-service-type)) (`string: null`) - The service type to register.
|
||
|
||
- `annotations` ((#v-ui-service-annotations)) (`string: null`) - Annotations to apply to the UI service.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
annotations: |
|
||
'annotation-key': annotation-value
|
||
```
|
||
|
||
- `additionalSpec` ((#v-ui-service-additionalspec)) (`string: null`) - Additional ServiceSpec values
|
||
This should be a multi-line string mapping directly to a Kubernetes
|
||
ServiceSpec object.
|
||
|
||
- `ingress` ((#v-ui-ingress)) - Configure Ingress for the Consul UI.
|
||
If `global.tls.enabled` is set to `true`, the Ingress will expose
|
||
the port 443 on the UI service. Please ensure the Ingress Controller
|
||
supports SSL pass-through and it is enabled to ensure traffic forwarded
|
||
to port 443 has not been TLS terminated.
|
||
|
||
- `enabled` ((#v-ui-ingress-enabled)) (`boolean: false`) - This will create an Ingress resource for the Consul UI.
|
||
|
||
- `hosts` ((#v-ui-ingress-hosts)) (`array<map>`) - hosts is a list of host name to create Ingress rules.
|
||
|
||
```yaml
|
||
hosts:
|
||
- host: foo.bar
|
||
paths:
|
||
- /example
|
||
- /test
|
||
```
|
||
|
||
- `tls` ((#v-ui-ingress-tls)) (`array<map>`) - tls is a list of hosts and secret name in an Ingress
|
||
which tells the Ingress controller to secure the channel.
|
||
|
||
```yaml
|
||
tls:
|
||
- hosts:
|
||
- chart-example.local
|
||
secretName: testsecret-tls
|
||
```
|
||
|
||
- `annotations` ((#v-ui-ingress-annotations)) (`string: null`) - Annotations to apply to the UI ingress.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
annotations: |
|
||
'annotation-key': annotation-value
|
||
```
|
||
|
||
- `metrics` ((#v-ui-metrics)) - Configurations for displaying metrics in the UI.
|
||
|
||
- `enabled` ((#v-ui-metrics-enabled)) (`boolean: global.metrics.enabled`) - Enable displaying metrics in the UI. The default value of "-"
|
||
will inherit from `global.metrics.enabled` value.
|
||
|
||
- `provider` ((#v-ui-metrics-provider)) (`string: prometheus`) - Provider for metrics. See
|
||
https://www.consul.io/docs/agent/options#ui_config_metrics_provider
|
||
This value is only used if `ui.enabled` is set to true.
|
||
|
||
- `baseURL` ((#v-ui-metrics-baseurl)) (`string: http://prometheus-server`) - baseURL is the URL of the prometheus server, usually the service URL.
|
||
This value is only used if `ui.enabled` is set to true.
|
||
|
||
- `syncCatalog` ((#v-synccatalog)) - Configure the catalog sync process to sync K8S with Consul
|
||
services. This can run bidirectional (default) or unidirectionally (Consul
|
||
to K8S or K8S to Consul only).
|
||
|
||
This process assumes that a Consul agent is available on the host IP.
|
||
This is done automatically if clients are enabled. If clients are not
|
||
enabled then set the node selection so that it chooses a node with a
|
||
Consul agent.
|
||
|
||
- `enabled` ((#v-synccatalog-enabled)) (`boolean: false`) - True if you want to enable the catalog sync. Set to "-" to inherit from
|
||
global.enabled.
|
||
|
||
- `image` ((#v-synccatalog-image)) (`string: null`) - The name of the Docker image (including any tag) for consul-k8s
|
||
to run the sync program.
|
||
|
||
- `default` ((#v-synccatalog-default)) (`boolean: true`) - If true, all valid services in K8S are
|
||
synced by default. If false, the service must be annotated
|
||
(https://consul.io/docs/k8s/service-sync#sync-enable-disable) properly to sync.
|
||
In either case an annotation can override the default.
|
||
|
||
- `priorityClassName` ((#v-synccatalog-priorityclassname)) (`string: ""`) - Optional priorityClassName.
|
||
|
||
- `toConsul` ((#v-synccatalog-toconsul)) (`boolean: true`) - If true, will sync Kubernetes services to Consul. This can be disabled to
|
||
have a one-way sync.
|
||
|
||
- `toK8S` ((#v-synccatalog-tok8s)) (`boolean: true`) - If true, will sync Consul services to Kubernetes. This can be disabled to
|
||
have a one-way sync.
|
||
|
||
- `k8sPrefix` ((#v-synccatalog-k8sprefix)) (`string: null`) - Service prefix to prepend to services before registering
|
||
with Kubernetes. For example "consul-" will register all services
|
||
prepended with "consul-". (Consul -> Kubernetes sync)
|
||
|
||
- `k8sAllowNamespaces` ((#v-synccatalog-k8sallownamespaces)) (`array<string>: ["*"]`) - List of k8s namespaces to sync the k8s services from.
|
||
If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`,
|
||
services in that k8s namespace will not be synced even if they are explicitly
|
||
annotated. Use `["*"]` to automatically allow all k8s namespaces.
|
||
|
||
For example, `["namespace1", "namespace2"]` will only allow services in the k8s
|
||
namespaces `namespace1` and `namespace2` to be synced and registered
|
||
with Consul. All other k8s namespaces will be ignored.
|
||
|
||
To deny all namespaces, set this to `[]`.
|
||
|
||
Note: `k8sDenyNamespaces` takes precedence over values defined here.
|
||
Requires consul-k8s v0.12+
|
||
|
||
- `k8sDenyNamespaces` ((#v-synccatalog-k8sdenynamespaces)) (`array<string>: ["kube-system", "kube-public"]`) - List of k8s namespaces that should not have their
|
||
services synced. This list takes precedence over `k8sAllowNamespaces`.
|
||
`*` is not supported because then nothing would be allowed to sync.
|
||
Requires consul-k8s v0.12+.
|
||
|
||
For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is
|
||
`["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1`
|
||
and `namespace2` will be synced.
|
||
|
||
- `k8sSourceNamespace` ((#v-synccatalog-k8ssourcenamespace)) (`string: null`) - [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For
|
||
backwards compatibility, if both this and the allow/deny lists are set,
|
||
the allow/deny lists will be ignored.
|
||
k8sSourceNamespace is the Kubernetes namespace to watch for service
|
||
changes and sync to Consul. If this is not set then it will default
|
||
to all namespaces.
|
||
|
||
- `consulNamespaces` ((#v-synccatalog-consulnamespaces)) - <EnterpriseAlert inline /> These settings manage the catalog sync's interaction with
|
||
Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+).
|
||
Also, `global.enableConsulNamespaces` must be true.
|
||
|
||
- `consulDestinationNamespace` ((#v-synccatalog-consulnamespaces-consuldestinationnamespace)) (`string: default`) - Name of the Consul namespace to register all
|
||
k8s services into. If the Consul namespace does not already exist,
|
||
it will be created. This will be ignored if `mirroringK8S` is true.
|
||
|
||
- `mirroringK8S` ((#v-synccatalog-consulnamespaces-mirroringk8s)) (`boolean: false`) - If true, k8s services will be registered into a Consul namespace
|
||
of the same name as their k8s namespace, optionally prefixed if
|
||
`mirroringK8SPrefix` is set below. If the Consul namespace does not
|
||
already exist, it will be created. Turning this on overrides the
|
||
`consulDestinationNamespace` setting.
|
||
`addK8SNamespaceSuffix` may no longer be needed if enabling this option.
|
||
|
||
- `mirroringK8SPrefix` ((#v-synccatalog-consulnamespaces-mirroringk8sprefix)) (`string: ""`) - If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
|
||
to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a
|
||
service in the k8s `staging` namespace will be registered into the
|
||
`k8s-staging` Consul namespace.
|
||
|
||
- `addK8SNamespaceSuffix` ((#v-synccatalog-addk8snamespacesuffix)) (`boolean: true`) - Appends Kubernetes namespace suffix to
|
||
each service name synced to Consul, separated by a dash.
|
||
For example, for a service 'foo' in the default namespace,
|
||
the sync process will create a Consul service named 'foo-default'.
|
||
Set this flag to true to avoid registering services with the same name
|
||
but in different namespaces as instances for the same Consul service.
|
||
Namespace suffix is not added if 'annotationServiceName' is provided.
|
||
|
||
- `consulPrefix` ((#v-synccatalog-consulprefix)) (`string: null`) - Service prefix which prepends itself
|
||
to Kubernetes services registered within Consul
|
||
For example, "k8s-" will register all services prepended with "k8s-".
|
||
(Kubernetes -> Consul sync)
|
||
consulPrefix is ignored when 'annotationServiceName' is provided.
|
||
NOTE: Updating this property to a non-null value for an existing installation will result in deregistering
|
||
of existing services in Consul and registering them with a new name.
|
||
|
||
- `k8sTag` ((#v-synccatalog-k8stag)) (`string: null`) - Optional tag that is applied to all of the Kubernetes services
|
||
that are synced into Consul. If nothing is set, defaults to "k8s".
|
||
(Kubernetes -> Consul sync)
|
||
|
||
- `consulNodeName` ((#v-synccatalog-consulnodename)) (`string: k8s-sync`) - Defines the Consul synthetic node that all services
|
||
will be registered to.
|
||
NOTE: Changing the node name and upgrading the Helm chart will leave
|
||
all of the previously sync'd services registered with Consul and
|
||
register them again under the new Consul node name. The out-of-date
|
||
registrations will need to be explicitly removed.
|
||
|
||
- `syncClusterIPServices` ((#v-synccatalog-syncclusteripservices)) (`boolean: true`) - Syncs services of the ClusterIP type, which may
|
||
or may not be broadly accessible depending on your Kubernetes cluster.
|
||
Set this to false to skip syncing ClusterIP services.
|
||
|
||
- `nodePortSyncType` ((#v-synccatalog-nodeportsynctype)) (`string: ExternalFirst`) - Configures the type of syncing that happens for NodePort
|
||
services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst.
|
||
|
||
- ExternalOnly will only use a node's ExternalIP address for the sync
|
||
- InternalOnly use's the node's InternalIP address
|
||
- ExternalFirst will preferentially use the node's ExternalIP address, but
|
||
if it doesn't exist, it will use the node's InternalIP address instead.
|
||
|
||
- `aclSyncToken` ((#v-synccatalog-aclsynctoken)) - Refers to a Kubernetes secret that you have created that contains
|
||
an ACL token for your Consul cluster which allows the sync process the correct
|
||
permissions. This is only needed if ACLs are enabled on the Consul cluster.
|
||
|
||
- `secretName` ((#v-synccatalog-aclsynctoken-secretname)) (`string: null`) - The name of the Kubernetes secret.
|
||
|
||
- `secretKey` ((#v-synccatalog-aclsynctoken-secretkey)) (`string: null`) - The key of the Kubernetes secret.
|
||
|
||
- `nodeSelector` ((#v-synccatalog-nodeselector)) (`string: null`) - This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
|
||
labels for catalog sync pod assignment, formatted as a multi-line string.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
nodeSelector: |
|
||
beta.kubernetes.io/arch: amd64
|
||
```
|
||
|
||
- `affinity` ((#v-synccatalog-affinity)) (`string: null`) - Affinity Settings
|
||
This should be a multi-line string matching the affinity object
|
||
|
||
- `tolerations` ((#v-synccatalog-tolerations)) (`string: null`) - Toleration Settings
|
||
This should be a multi-line string matching the Toleration array
|
||
in a PodSpec.
|
||
|
||
- `resources` ((#v-synccatalog-resources)) (`map`) - Resource settings for sync catalog pods.
|
||
|
||
- `logLevel` ((#v-synccatalog-loglevel)) (`string: info`) - Log verbosity level. One of "trace", "debug", "info", "warn", or "error".
|
||
|
||
- `consulWriteInterval` ((#v-synccatalog-consulwriteinterval)) (`string: null`) - Override the default interval to perform syncing operations creating Consul services.
|
||
|
||
- `connectInject` ((#v-connectinject)) - Configures the automatic Connect sidecar injector.
|
||
|
||
- `enabled` ((#v-connectinject-enabled)) (`boolean: false`) - True if you want to enable connect injection. Set to "-" to inherit from
|
||
global.enabled.
|
||
|
||
- `image` ((#v-connectinject-image)) (`string: null`) - Image for consul-k8s that contains the injector
|
||
|
||
- `default` ((#v-connectinject-default)) (`boolean: false`) - If true, the injector will inject the
|
||
Connect sidecar into all pods by default. Otherwise, pods must specify the
|
||
injection annotation (https://consul.io/docs/k8s/connect#consul-hashicorp-com-connect-inject)
|
||
to opt-in to Connect injection. If this is true, pods can use the same annotation
|
||
to explicitly opt-out of injection.
|
||
|
||
- `healthChecks` ((#v-connectinject-healthchecks)) - Enables synchronization of Kubernetes health probe status with Consul.
|
||
NOTE: It is highly recommended to enable TLS with this feature because it requires
|
||
making calls to Consul clients across the cluster. Without TLS enabled, these calls
|
||
could leak ACL tokens should the cluster network become compromised.
|
||
|
||
- `enabled` ((#v-connectinject-healthchecks-enabled)) (`boolean: true`) - Enables the Consul Health Check controller which syncs the readiness status of
|
||
connect-injected pods with Consul.
|
||
|
||
- `reconcilePeriod` ((#v-connectinject-healthchecks-reconcileperiod)) (`string: 1m`) - If `healthChecks.enabled` is set to `true`, `reconcilePeriod` defines how often a full state
|
||
reconcile is done after the initial reconcile at startup is completed.
|
||
|
||
- `metrics` ((#v-connectinject-metrics)) - Configures metrics for Consul Connect services. All values are overridable
|
||
via annotations on a per-pod basis.
|
||
|
||
- `defaultEnabled` ((#v-connectinject-metrics-defaultenabled)) (`string: -`) - If true, the connect-injector will automatically
|
||
add prometheus annotations to connect-injected pods. It will also
|
||
add a listener on the Envoy sidecar to expose metrics. The exposed
|
||
metrics will depend on whether metrics merging is enabled:
|
||
- If metrics merging is enabled:
|
||
the Consul sidecar will run a merged metrics server
|
||
combining Envoy sidecar and Connect service metrics,
|
||
i.e. if your service exposes its own Prometheus metrics.
|
||
- If metrics merging is disabled:
|
||
the listener will just expose Envoy sidecar metrics.
|
||
This will inherit from `global.metrics.enabled`.
|
||
|
||
- `defaultEnableMerging` ((#v-connectinject-metrics-defaultenablemerging)) (`boolean: false`) - Configures the Consul sidecar to run a merged metrics server
|
||
to combine and serve both Envoy and Connect service metrics.
|
||
|
||
- `defaultMergedMetricsPort` ((#v-connectinject-metrics-defaultmergedmetricsport)) (`integer: 20100`) - Configures the port at which the Consul sidecar will listen on to return
|
||
combined metrics. This port only needs to be changed if it conflicts with
|
||
the application's ports.
|
||
|
||
- `defaultPrometheusScrapePort` ((#v-connectinject-metrics-defaultprometheusscrapeport)) (`integer: 20200`) - Configures the port Prometheus will scrape metrics from, by configuring
|
||
the Pod annotation `prometheus.io/port` and the corresponding listener in
|
||
the Envoy sidecar.
|
||
NOTE: This is *not* the port that your application exposes metrics on.
|
||
That can be configured with the
|
||
`consul.hashicorp.com/service-metrics-port` annotation.
|
||
|
||
- `defaultPrometheusScrapePath` ((#v-connectinject-metrics-defaultprometheusscrapepath)) (`string: /metrics`) - Configures the path Prometheus will scrape metrics from, by configuring the pod
|
||
annotation `prometheus.io/path` and the corresponding handler in the Envoy
|
||
sidecar.
|
||
NOTE: This is *not* the path that your application exposes metrics on.
|
||
That can be configured with the
|
||
`consul.hashicorp.com/service-metrics-path` annotation.
|
||
|
||
- `cleanupController` ((#v-connectinject-cleanupcontroller)) - Cleanup controller cleans up Consul service instances that remain registered
|
||
despite their pods no longer running. This could happen if the pod's `preStop`
|
||
hook failed to execute for some reason.
|
||
|
||
- `reconcilePeriod` ((#v-connectinject-cleanupcontroller-reconcileperiod)) (`string: 5m`) - How often to do a full reconcile where the controller looks at all pods
|
||
and service instances and ensure the state is correct.
|
||
The controller reacts to each delete event immediately but if it misses
|
||
an event due to being down or a network issue, the reconcile loop will
|
||
handle cleaning up any missed deleted pods.
|
||
|
||
- `envoyExtraArgs` ((#v-connectinject-envoyextraargs)) (`string: null`) - Used to pass arguments to the injected envoy sidecar.
|
||
Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli
|
||
e.g "--log-level debug --disable-hot-restart"
|
||
|
||
- `priorityClassName` ((#v-connectinject-priorityclassname)) (`string: ""`) - Optional priorityClassName.
|
||
|
||
- `imageConsul` ((#v-connectinject-imageconsul)) (`string: null`) - The Docker image for Consul to use when performing Connect injection.
|
||
Defaults to global.image.
|
||
|
||
- `logLevel` ((#v-connectinject-loglevel)) (`string: info`) - Log verbosity level. One of "debug", "info", "warn", or "error".
|
||
|
||
- `resources` ((#v-connectinject-resources)) (`map`) - Resource settings for connect inject pods.
|
||
|
||
- `namespaceSelector` ((#v-connectinject-namespaceselector)) (`string: null`) - Selector for restricting the webhook to only
|
||
specific namespaces. This should be set to a multiline string.
|
||
See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
|
||
for more details.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
namespaceSelector: |
|
||
matchLabels:
|
||
namespace-label: label-value
|
||
```
|
||
|
||
- `k8sAllowNamespaces` ((#v-connectinject-k8sallownamespaces)) (`array<string>: ["*"]`) - List of k8s namespaces to allow Connect sidecar
|
||
injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`,
|
||
pods in that k8s namespace will not be injected even if they are explicitly
|
||
annotated. Use `["*"]` to automatically allow all k8s namespaces.
|
||
|
||
For example, `["namespace1", "namespace2"]` will only allow pods in the k8s
|
||
namespaces `namespace1` and `namespace2` to have Connect sidecars injected
|
||
and registered with Consul. All other k8s namespaces will be ignored.
|
||
|
||
To deny all namespaces, set this to `[]`.
|
||
|
||
Note: `k8sDenyNamespaces` takes precedence over values defined here and
|
||
`namespaceSelector` takes precedence over both since it is applied first.
|
||
`kube-system` and `kube-public` are never injected, even if included here.
|
||
Requires consul-k8s v0.12+
|
||
|
||
- `k8sDenyNamespaces` ((#v-connectinject-k8sdenynamespaces)) (`array<string>: []`) - List of k8s namespaces that should not allow Connect
|
||
sidecar injection. This list takes precedence over `k8sAllowNamespaces`.
|
||
`*` is not supported because then nothing would be allowed to be injected.
|
||
|
||
For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is
|
||
`["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1"
|
||
and "namespace2" will be available for injection.
|
||
|
||
Note: `namespaceSelector` takes precedence over this since it is applied first.
|
||
`kube-system` and `kube-public` are never injected.
|
||
Requires consul-k8s v0.12+.
|
||
|
||
- `consulNamespaces` ((#v-connectinject-consulnamespaces)) - <EnterpriseAlert inline /> These settings manage the connect injector's interaction with
|
||
Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+).
|
||
Also, `global.enableConsulNamespaces` must be true.
|
||
|
||
- `consulDestinationNamespace` ((#v-connectinject-consulnamespaces-consuldestinationnamespace)) (`string: default`) - Name of the Consul namespace to register all
|
||
k8s pods into. If the Consul namespace does not already exist,
|
||
it will be created. This will be ignored if `mirroringK8S` is true.
|
||
|
||
- `mirroringK8S` ((#v-connectinject-consulnamespaces-mirroringk8s)) (`boolean: false`) - Causes k8s pods to be registered into a Consul namespace
|
||
of the same name as their k8s namespace, optionally prefixed if
|
||
`mirroringK8SPrefix` is set below. If the Consul namespace does not
|
||
already exist, it will be created. Turning this on overrides the
|
||
`consulDestinationNamespace` setting.
|
||
|
||
- `mirroringK8SPrefix` ((#v-connectinject-consulnamespaces-mirroringk8sprefix)) (`string: ""`) - If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
|
||
to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a
|
||
pod in the k8s `staging` namespace will be registered into the
|
||
`k8s-staging` Consul namespace.
|
||
|
||
- `certs` ((#v-connectinject-certs)) - The certs section configures how the webhook TLS certs are configured.
|
||
These are the TLS certs for the Kube apiserver communicating to the
|
||
webhook. By default, the injector will generate and manage its own certs,
|
||
but this requires the ability for the injector to update its own
|
||
MutatingWebhookConfiguration. In a production environment, custom certs
|
||
should probably be used. Configure the values below to enable this.
|
||
|
||
- `secretName` ((#v-connectinject-certs-secretname)) (`string: null`) - Name of the secret that has the TLS certificate and
|
||
private key to serve the injector webhook. If this is null, then the
|
||
injector will default to its automatic management mode that will assign
|
||
a service account to the injector to generate its own certificates.
|
||
|
||
- `caBundle` ((#v-connectinject-certs-cabundle)) (`string: ""`) - Base64-encoded PEM-encoded certificate bundle for the
|
||
CA that signed the TLS certificate that the webhook serves. This must
|
||
be set if secretName is non-null.
|
||
|
||
- `certName` ((#v-connectinject-certs-certname)) (`string: tls.crt`) - Name of the file within the secret for
|
||
the TLS cert.
|
||
|
||
- `keyName` ((#v-connectinject-certs-keyname)) (`string: tls.key`) - Name of the file within the secret for
|
||
the private TLS key.
|
||
|
||
- `nodeSelector` ((#v-connectinject-nodeselector)) (`string: null`) - Selector labels for connectInject pod assignment, formatted as a multi-line string.
|
||
ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
nodeSelector: |
|
||
beta.kubernetes.io/arch: amd64
|
||
```
|
||
|
||
- `affinity` ((#v-connectinject-affinity)) (`string: null`) - Affinity Settings
|
||
This should be a multi-line string matching the affinity object
|
||
|
||
- `tolerations` ((#v-connectinject-tolerations)) (`string: null`) - Toleration Settings
|
||
This should be a multi-line string matching the Toleration array
|
||
in a PodSpec.
|
||
|
||
- `aclBindingRuleSelector` ((#v-connectinject-aclbindingruleselector)) (`string: serviceaccount.name!=default`) - Query that defines which Service Accounts
|
||
can authenticate to Consul and receive an ACL token during Connect injection.
|
||
The default setting, i.e. serviceaccount.name!=default, prevents the
|
||
'default' Service Account from logging in.
|
||
If set to an empty string all service accounts can log in.
|
||
This only has effect if ACLs are enabled.
|
||
|
||
See https://www.consul.io/docs/acl/acl-auth-methods.html#binding-rules
|
||
and https://www.consul.io/docs/acl/auth-methods/kubernetes.html#trusted-identity-attributes
|
||
for more details.
|
||
Requires Consul >= v1.5 and consul-k8s >= v0.8.0.
|
||
|
||
- `overrideAuthMethodName` ((#v-connectinject-overrideauthmethodname)) (`string: ""`) - If you are not using global.acls.manageSystemACLs and instead manually setting up an
|
||
auth method for Connect inject, set this to the name of your auth method.
|
||
|
||
- `aclInjectToken` ((#v-connectinject-aclinjecttoken)) - Refers to a Kubernetes secret that you have created that contains
|
||
an ACL token for your Consul cluster which allows the Connect injector the correct
|
||
permissions. This is only needed if Consul namespaces <EnterpriseAlert inline /> and ACLs
|
||
are enabled on the Consul cluster and you are not setting
|
||
`global.acls.manageSystemACLs` to `true`.
|
||
This token needs to have `operator = "write"` privileges to be able to
|
||
create Consul namespaces.
|
||
|
||
- `secretName` ((#v-connectinject-aclinjecttoken-secretname)) (`string: null`) - The name of the Kubernetes secret.
|
||
|
||
- `secretKey` ((#v-connectinject-aclinjecttoken-secretkey)) (`string: null`) - The key of the Kubernetes secret.
|
||
|
||
- `sidecarProxy` ((#v-connectinject-sidecarproxy))
|
||
|
||
- `resources` ((#v-connectinject-sidecarproxy-resources)) (`map`) - Set default resources for sidecar proxy. If null, that resource won't
|
||
be set.
|
||
These settings can be overridden on a per-pod basis via these annotations:
|
||
|
||
- `consul.hashicorp.com/sidecar-proxy-cpu-limit`
|
||
- `consul.hashicorp.com/sidecar-proxy-cpu-request`
|
||
- `consul.hashicorp.com/sidecar-proxy-memory-limit`
|
||
- `consul.hashicorp.com/sidecar-proxy-memory-request`
|
||
|
||
- `requests` ((#v-connectinject-sidecarproxy-resources-requests))
|
||
|
||
- `memory` ((#v-connectinject-sidecarproxy-resources-requests-memory)) (`string: null`) - Recommended default: 100Mi
|
||
|
||
- `cpu` ((#v-connectinject-sidecarproxy-resources-requests-cpu)) (`string: null`) - Recommended default: 100m
|
||
|
||
- `limits` ((#v-connectinject-sidecarproxy-resources-limits))
|
||
|
||
- `memory` ((#v-connectinject-sidecarproxy-resources-limits-memory)) (`string: null`) - Recommended default: 100Mi
|
||
|
||
- `cpu` ((#v-connectinject-sidecarproxy-resources-limits-cpu)) (`string: null`) - Recommended default: 100m
|
||
|
||
- `initContainer` ((#v-connectinject-initcontainer)) (`map`) - Resource settings for the Connect injected init container.
|
||
|
||
- `controller` ((#v-controller)) - Controller handles config entry custom resources.
|
||
Requires consul >= 1.8.4.
|
||
ServiceIntentions require consul 1.9+.
|
||
|
||
- `enabled` ((#v-controller-enabled)) (`boolean: false`) - Enables the controller for managing custom resources.
|
||
|
||
- `replicas` ((#v-controller-replicas)) (`integer: 1`) - The number of deployment replicas.
|
||
|
||
- `logLevel` ((#v-controller-loglevel)) (`string: info`) - Log verbosity level. One of "debug", "info", "warn", or "error".
|
||
|
||
- `resources` ((#v-controller-resources)) (`map`) - Resource settings for controller pods.
|
||
|
||
- `nodeSelector` ((#v-controller-nodeselector)) (`string: null`) - Optional YAML string to specify a nodeSelector config.
|
||
|
||
- `tolerations` ((#v-controller-tolerations)) (`string: null`) - Optional YAML string to specify tolerations.
|
||
|
||
- `affinity` ((#v-controller-affinity)) (`string: null`) - Affinity Settings
|
||
This should be a multi-line string matching the affinity object
|
||
|
||
- `priorityClassName` ((#v-controller-priorityclassname)) (`string: ""`) - Optional priorityClassName.
|
||
|
||
- `aclToken` ((#v-controller-acltoken)) - Refers to a Kubernetes secret that you have created that contains
|
||
an ACL token for your Consul cluster which grants the controller process the correct
|
||
permissions. This is only needed if you are managing ACLs yourself (i.e. not using
|
||
`global.acls.manageSystemACLs`).
|
||
|
||
If running Consul OSS, requires permissions:
|
||
```hcl
|
||
operator = "write"
|
||
service_prefix "" {
|
||
policy = "write"
|
||
intentions = "write"
|
||
}
|
||
```
|
||
If running Consul Enterprise, talk to your account manager for assistance.
|
||
|
||
- `secretName` ((#v-controller-acltoken-secretname)) (`string: null`) - The name of the Kubernetes secret.
|
||
|
||
- `secretKey` ((#v-controller-acltoken-secretkey)) (`string: null`) - The key of the Kubernetes secret.
|
||
|
||
- `meshGateway` ((#v-meshgateway)) - Mesh Gateways enable Consul Connect to work across Consul datacenters.
|
||
|
||
- `enabled` ((#v-meshgateway-enabled)) (`boolean: false`) - If mesh gateways are enabled, a Deployment will be created that runs
|
||
gateways and Consul Connect will be configured to use gateways.
|
||
See https://www.consul.io/docs/connect/mesh_gateway.html
|
||
Requirements: consul 1.6.0+ and consul-k8s 0.15.0+ if using
|
||
global.acls.manageSystemACLs.
|
||
|
||
- `replicas` ((#v-meshgateway-replicas)) (`integer: 2`) - Number of replicas for the Deployment.
|
||
|
||
- `wanAddress` ((#v-meshgateway-wanaddress)) - What gets registered as WAN address for the gateway.
|
||
|
||
- `source` ((#v-meshgateway-wanaddress-source)) (`string: Service`) - source configures where to retrieve the WAN address (and possibly port)
|
||
for the mesh gateway from.
|
||
Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`.
|
||
|
||
- `Service` - Determine the address based on the service type.
|
||
|
||
- If `service.type=LoadBalancer` use the external IP or hostname of
|
||
the service. Use the port set by `service.port`.
|
||
|
||
- If `service.type=NodePort` use the Node IP. The port will be set to
|
||
`service.nodePort` so `service.nodePort` cannot be null.
|
||
|
||
- If `service.type=ClusterIP` use the `ClusterIP`. The port will be set to
|
||
`service.port`.
|
||
|
||
- `service.type=ExternalName` is not supported.
|
||
|
||
- `NodeIP` - The node IP as provided by the Kubernetes downward API.
|
||
|
||
- `NodeName` - The name of the node as provided by the Kubernetes downward
|
||
API. This is useful if the node names are DNS entries that
|
||
are routable from other datacenters.
|
||
|
||
- `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`.
|
||
|
||
- `port` ((#v-meshgateway-wanaddress-port)) (`integer: 443`) - Port that gets registered for WAN traffic.
|
||
If source is set to "Service" then this setting will have no effect.
|
||
See the documentation for source as to which port will be used in that
|
||
case.
|
||
|
||
- `static` ((#v-meshgateway-wanaddress-static)) (`string: ""`) - If source is set to "Static" then this value will be used as the WAN
|
||
address of the mesh gateways. This is useful if you've configured a
|
||
DNS entry to point to your mesh gateways.
|
||
|
||
- `service` ((#v-meshgateway-service)) - The service option configures the Service that fronts the Gateway Deployment.
|
||
|
||
- `enabled` ((#v-meshgateway-service-enabled)) (`boolean: true`) - Whether to create a Service or not.
|
||
|
||
- `type` ((#v-meshgateway-service-type)) (`string: LoadBalancer`) - Type of service, ex. LoadBalancer, ClusterIP.
|
||
|
||
- `port` ((#v-meshgateway-service-port)) (`integer: 443`) - Port that the service will be exposed on.
|
||
The targetPort will be set to meshGateway.containerPort.
|
||
|
||
- `nodePort` ((#v-meshgateway-service-nodeport)) (`integer: null`) - Optionally hardcode the nodePort of the service if using a NodePort service.
|
||
If not set and using a NodePort service, Kubernetes will automatically assign
|
||
a port.
|
||
|
||
- `annotations` ((#v-meshgateway-service-annotations)) (`string: null`) - Annotations to apply to the mesh gateway service.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
annotations: |
|
||
'annotation-key': annotation-value
|
||
```
|
||
|
||
- `additionalSpec` ((#v-meshgateway-service-additionalspec)) (`string: null`) - Optional YAML string that will be appended to the Service spec.
|
||
|
||
- `hostNetwork` ((#v-meshgateway-hostnetwork)) (`boolean: false`) - If set to true, gateway Pods will run on the host network.
|
||
|
||
- `dnsPolicy` ((#v-meshgateway-dnspolicy)) (`string: null`) - dnsPolicy to use.
|
||
|
||
- `consulServiceName` ((#v-meshgateway-consulservicename)) (`string: mesh-gateway`) - Consul service name for the mesh gateways.
|
||
Cannot be set to anything other than "mesh-gateway" if
|
||
global.acls.manageSystemACLs is true since the ACL token
|
||
generated is only for the name 'mesh-gateway'.
|
||
|
||
- `containerPort` ((#v-meshgateway-containerport)) (`integer: 8443`) - Port that the gateway will run on inside the container.
|
||
|
||
- `hostPort` ((#v-meshgateway-hostport)) (`integer: null`) - Optional hostPort for the gateway to be exposed on.
|
||
This can be used with wanAddress.port and wanAddress.useNodeIP
|
||
to expose the gateways directly from the node.
|
||
If hostNetwork is true, this must be null or set to the same port as
|
||
containerPort.
|
||
NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul
|
||
agent.
|
||
|
||
- `resources` ((#v-meshgateway-resources)) (`map`) - Resource settings for mesh gateway pods.
|
||
NOTE: The use of a YAML string is deprecated. Instead, set directly as a
|
||
YAML map.
|
||
|
||
- `initCopyConsulContainer` ((#v-meshgateway-initcopyconsulcontainer)) (`map`) - Resource settings for the `copy-consul-bin` init container.
|
||
|
||
- `affinity` ((#v-meshgateway-affinity)) (`string`) - By default, we set an anti-affinity so that two gateway pods won't be
|
||
on the same node. NOTE: Gateways require that Consul client agents are
|
||
also running on the nodes alongside each gateway pod.
|
||
|
||
- `tolerations` ((#v-meshgateway-tolerations)) (`string: null`) - Optional YAML string to specify tolerations.
|
||
|
||
- `nodeSelector` ((#v-meshgateway-nodeselector)) (`string: null`) - Optional YAML string to specify a nodeSelector config.
|
||
|
||
- `priorityClassName` ((#v-meshgateway-priorityclassname)) (`string: ""`) - Optional priorityClassName.
|
||
|
||
- `annotations` ((#v-meshgateway-annotations)) (`string: null`) - Annotations to apply to the mesh gateway deployment.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
annotations: |
|
||
'annotation-key': annotation-value
|
||
```
|
||
|
||
- `ingressGateways` ((#v-ingressgateways)) - Configuration options for ingress gateways. Default values for all
|
||
ingress gateways are defined in `ingressGateways.defaults`. Any of
|
||
these values may be overridden in `ingressGateways.gateways` for a
|
||
specific gateway with the exception of annotations. Annotations will
|
||
include both the default annotations and any additional ones defined
|
||
for a specific gateway.
|
||
Requirements: consul >= 1.8.0 and consul-k8s >= 0.16.0 if using
|
||
global.acls.manageSystemACLs and consul-k8s >= 0.10.0 if not.
|
||
|
||
- `enabled` ((#v-ingressgateways-enabled)) (`boolean: false`) - Enable ingress gateway deployment. Requires `connectInject.enabled=true`
|
||
and `client.enabled=true`.
|
||
|
||
- `defaults` ((#v-ingressgateways-defaults)) - Defaults sets default values for all gateway fields. With the exception
|
||
of annotations, defining any of these values in the `gateways` list
|
||
will override the default values provided here. Annotations will
|
||
include both the default annotations and any additional ones defined
|
||
for a specific gateway.
|
||
|
||
- `replicas` ((#v-ingressgateways-defaults-replicas)) (`integer: 2`) - Number of replicas for each ingress gateway defined.
|
||
|
||
- `service` ((#v-ingressgateways-defaults-service)) - The service options configure the Service that fronts the gateway Deployment.
|
||
|
||
- `type` ((#v-ingressgateways-defaults-service-type)) (`string: ClusterIP`) - Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service
|
||
type, you must set the desired nodePorts in the `ports` setting below.
|
||
|
||
- `ports` ((#v-ingressgateways-defaults-service-ports)) (`array<map>: [{port: 8080, port: 8443}]`) - Ports that will be exposed on the service and gateway container. Any
|
||
ports defined as ingress listeners on the gateway's Consul configuration
|
||
entry should be included here. The first port will be used as part of
|
||
the Consul service registration for the gateway and be listed in its
|
||
SRV record. If using a NodePort service type, you must specify the
|
||
desired nodePort for each exposed port.
|
||
|
||
- `annotations` ((#v-ingressgateways-defaults-service-annotations)) (`string: null`) - Annotations to apply to the ingress gateway service. Annotations defined
|
||
here will be applied to all ingress gateway services in addition to any
|
||
service annotations defined for a specific gateway in `ingressGateways.gateways`.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
annotations: |
|
||
'annotation-key': annotation-value
|
||
```
|
||
|
||
- `additionalSpec` ((#v-ingressgateways-defaults-service-additionalspec)) (`string: null`) - Optional YAML string that will be appended to the Service spec.
|
||
|
||
- `resources` ((#v-ingressgateways-defaults-resources)) (`map`) - Resource limits for all ingress gateway pods
|
||
|
||
- `initCopyConsulContainer` ((#v-ingressgateways-defaults-initcopyconsulcontainer)) (`map`) - Resource settings for the `copy-consul-bin` init container.
|
||
|
||
- `affinity` ((#v-ingressgateways-defaults-affinity)) (`string`) - By default, we set an anti-affinity so that two of the same gateway pods
|
||
won't be on the same node. NOTE: Gateways require that Consul client agents are
|
||
also running on the nodes alongside each gateway pod.
|
||
|
||
- `tolerations` ((#v-ingressgateways-defaults-tolerations)) (`string: null`) - Optional YAML string to specify tolerations.
|
||
|
||
- `nodeSelector` ((#v-ingressgateways-defaults-nodeselector)) (`string: null`) - Optional YAML string to specify a nodeSelector config.
|
||
|
||
- `priorityClassName` ((#v-ingressgateways-defaults-priorityclassname)) (`string: ""`) - Optional priorityClassName.
|
||
|
||
- `annotations` ((#v-ingressgateways-defaults-annotations)) (`string: null`) - Annotations to apply to the ingress gateway deployment. Annotations defined
|
||
here will be applied to all ingress gateway deployments in addition to any
|
||
annotations defined for a specific gateway in `ingressGateways.gateways`.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
annotations: |
|
||
"annotation-key": 'annotation-value'
|
||
```
|
||
|
||
- `consulNamespace` ((#v-ingressgateways-defaults-consulnamespace)) (`string: default`) - <EnterpriseAlert inline /> `consulNamespace` defines the Consul namespace to register
|
||
the gateway into. Requires `global.enableConsulNamespaces` to be true and
|
||
Consul Enterprise v1.7+ with a valid Consul Enterprise license.
|
||
Note: The Consul namespace MUST exist before the gateway is deployed.
|
||
|
||
- `gateways` ((#v-ingressgateways-gateways)) (`array<map>`) - Gateways is a list of gateway objects. The only required field for
|
||
each is `name`, though they can also contain any of the fields in
|
||
`defaults`. Values defined here override the defaults except in the
|
||
case of annotations where both will be applied.
|
||
|
||
- `name` ((#v-ingressgateways-gateways-name)) (`string: ingress-gateway`)
|
||
|
||
- `terminatingGateways` ((#v-terminatinggateways)) - Configuration options for terminating gateways. Default values for all
|
||
terminating gateways are defined in `terminatingGateways.defaults`. Any of
|
||
these values may be overridden in `terminatingGateways.gateways` for a
|
||
specific gateway with the exception of annotations. Annotations will
|
||
include both the default annotations and any additional ones defined
|
||
for a specific gateway.
|
||
Requirements: consul >= 1.8.0 and consul-k8s >= 0.16.0 if using
|
||
global.acls.manageSystemACLs and consul-k8s >= 0.10.0 if not.
|
||
|
||
- `enabled` ((#v-terminatinggateways-enabled)) (`boolean: false`) - Enable terminating gateway deployment. Requires `connectInject.enabled=true`
|
||
and `client.enabled=true`.
|
||
|
||
- `defaults` ((#v-terminatinggateways-defaults)) - Defaults sets default values for all gateway fields. With the exception
|
||
of annotations, defining any of these values in the `gateways` list
|
||
will override the default values provided here. Annotations will
|
||
include both the default annotations and any additional ones defined
|
||
for a specific gateway.
|
||
|
||
- `replicas` ((#v-terminatinggateways-defaults-replicas)) (`integer: 2`) - Number of replicas for each terminating gateway defined.
|
||
|
||
- `extraVolumes` ((#v-terminatinggateways-defaults-extravolumes)) (`array<map>`) - A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig/<name>/`.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
extraVolumes:
|
||
- type: secret
|
||
name: my-secret
|
||
items: # optional items array
|
||
- key: key
|
||
path: path # secret will now mount to /consul/userconfig/my-secret/path
|
||
```
|
||
|
||
- `resources` ((#v-terminatinggateways-defaults-resources)) (`map`) - Resource limits for all terminating gateway pods
|
||
|
||
- `initCopyConsulContainer` ((#v-terminatinggateways-defaults-initcopyconsulcontainer)) (`map`) - Resource settings for the `copy-consul-bin` init container.
|
||
|
||
- `affinity` ((#v-terminatinggateways-defaults-affinity)) (`string`) - By default, we set an anti-affinity so that two of the same gateway pods
|
||
won't be on the same node. NOTE: Gateways require that Consul client agents are
|
||
also running on the nodes alongside each gateway pod.
|
||
|
||
- `tolerations` ((#v-terminatinggateways-defaults-tolerations)) (`string: null`) - Optional YAML string to specify tolerations.
|
||
|
||
- `nodeSelector` ((#v-terminatinggateways-defaults-nodeselector)) (`string: null`) - Optional YAML string to specify a nodeSelector config.
|
||
|
||
- `priorityClassName` ((#v-terminatinggateways-defaults-priorityclassname)) (`string: ""`) - Optional priorityClassName.
|
||
|
||
- `annotations` ((#v-terminatinggateways-defaults-annotations)) (`string: null`) - Annotations to apply to the terminating gateway deployment. Annotations defined
|
||
here will be applied to all terminating gateway deployments in addition to any
|
||
annotations defined for a specific gateway in `terminatingGateways.gateways`.
|
||
|
||
Example:
|
||
|
||
```yaml
|
||
annotations: |
|
||
'annotation-key': annotation-value
|
||
```
|
||
|
||
- `consulNamespace` ((#v-terminatinggateways-defaults-consulnamespace)) (`string: default`) - <EnterpriseAlert inline /> `consulNamespace` defines the Consul namespace to register
|
||
the gateway into. Requires `global.enableConsulNamespaces` to be true and
|
||
Consul Enterprise v1.7+ with a valid Consul Enterprise license.
|
||
Note: The Consul namespace MUST exist before the gateway is deployed.
|
||
|
||
- `gateways` ((#v-terminatinggateways-gateways)) (`array<map>`) - Gateways is a list of gateway objects. The only required field for
|
||
each is `name`, though they can also contain any of the fields in
|
||
`defaults`. Values defined here override the defaults except in the
|
||
case of annotations where both will be applied.
|
||
|
||
- `name` ((#v-terminatinggateways-gateways-name)) (`string: terminating-gateway`)
|
||
|
||
- `prometheus` ((#v-prometheus)) - Configures a demo Prometheus installation.
|
||
|
||
- `enabled` ((#v-prometheus-enabled)) (`boolean: false`) - When true, the Helm chart will install a demo Prometheus server instance
|
||
alongside Consul.
|
||
|
||
- `grafana` ((#v-grafana)) - Configures a demo Grafana installation.
|
||
|
||
- `enabled` ((#v-grafana-enabled)) (`boolean: false`) - When true, the Helm chart will install a demo Grafana instance
|
||
alongside Consul.
|
||
|
||
- `tests` ((#v-tests)) - Control whether a test Pod manifest is generated when running helm template.
|
||
When using helm install, the test Pod is not submitted to the cluster so this
|
||
is only useful when running helm template.
|
||
|
||
- `enabled` ((#v-tests-enabled)) (`boolean: true`)
|
||
<!-- codegen: end -->
|
||
|
||
## Helm Chart Examples
|
||
|
||
The below `config.yaml` results in a single server Consul cluster with a `LoadBalancer` to allow external access to the UI and API.
|
||
|
||
```yaml
|
||
# config.yaml
|
||
server:
|
||
replicas: 1
|
||
bootstrapExpect: 1
|
||
|
||
ui:
|
||
service:
|
||
type: LoadBalancer
|
||
```
|
||
|
||
The below `config.yaml` results in a three server Consul Enterprise cluster with 100GB of storage and automatic Connect injection.
|
||
|
||
Note, this would require a secret that contains the enterprise license key.
|
||
|
||
```yaml
|
||
# config.yaml
|
||
global:
|
||
image: 'hashicorp/consul-enterprise:1.4.2-ent'
|
||
|
||
server:
|
||
replicas: 3
|
||
bootstrapExpect: 3
|
||
enterpriseLicense:
|
||
secretName: 'consul-license'
|
||
secretKey: 'key'
|
||
storage: 100Gi
|
||
connect: true
|
||
|
||
client:
|
||
grpc: true
|
||
|
||
connectInject:
|
||
enabled: true
|
||
default: false
|
||
```
|
||
|
||
## Customizing the Helm Chart
|
||
|
||
Consul within Kubernetes is highly configurable and the Helm chart contains dozens
|
||
of the most commonly used configuration options.
|
||
If you need to extend the Helm chart with additional options, we recommend using a third-party tool,
|
||
such as [kustomize](https://github.com/kubernetes-sigs/kustomize) or [ship](https://github.com/replicatedhq/ship).
|
||
Note that the Helm chart heavily relies on Helm lifecycle hooks, and so features like bootstrapping ACLs or TLS
|
||
will not work as expected. Additionally, we can make changes to the internal implementation (e.g., renaming template files) that
|
||
may be backward incompatible with such customizations.
|