update helm docs for sync catalog and vault (#14733)
This commit is contained in:
parent
d0903c581d
commit
3eb708e964
|
@ -226,14 +226,14 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
```
|
```
|
||||||
and check the name of `metadata.name`.
|
and check the name of `metadata.name`.
|
||||||
|
|
||||||
- `controllerRole` ((#v-global-secretsbackend-vault-controllerrole)) (`string: ""`) - The Vault role to read Consul controller's webhook's
|
- `controllerRole` ((#v-global-secretsbackend-vault-controllerrole)) (`string: ""`) - The Vault role to read Consul controller's webhook's
|
||||||
CA and issue a certificate and private key.
|
CA and issue a certificate and private key.
|
||||||
A Vault policy must be created which grants issue capabilities to
|
A Vault policy must be created which grants issue capabilities to
|
||||||
`global.secretsBackend.vault.controller.tlsCert.secretName`.
|
`global.secretsBackend.vault.controller.tlsCert.secretName`.
|
||||||
|
|
||||||
- `connectInjectRole` ((#v-global-secretsbackend-vault-connectinjectrole)) (`string: ""`) - The Vault role to read Consul connect-injector webhook's CA
|
- `connectInjectRole` ((#v-global-secretsbackend-vault-connectinjectrole)) (`string: ""`) - The Vault role to read Consul connect-injector webhook's CA
|
||||||
and issue a certificate and private key.
|
and issue a certificate and private key.
|
||||||
A Vault policy must be created which grants issue capabilities to
|
A Vault policy must be created which grants issue capabilities to
|
||||||
`global.secretsBackend.vault.connectInject.tlsCert.secretName`.
|
`global.secretsBackend.vault.connectInject.tlsCert.secretName`.
|
||||||
|
|
||||||
- `consulCARole` ((#v-global-secretsbackend-vault-consulcarole)) (`string: ""`) - The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated).
|
- `consulCARole` ((#v-global-secretsbackend-vault-consulcarole)) (`string: ""`) - The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated).
|
||||||
|
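Review bot: the old and new sides of this hunk read identically, so the change here looks whitespace-only; while these lines are being touched, the double possessives on the `controllerRole` and `consulCARole` entries read awkwardly (`Consul controller's webhook's CA`, `the Consul's server's CA Certificate`). Suggest `the CA of the Consul controller's webhook` and `the Consul server's CA certificate`, and spell out what the trailing `(unauthenticated)` on `consulCARole` refers to (the read of the CA certificate) rather than leaving it as a bare parenthetical.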
@ -296,14 +296,14 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
- `controller` ((#v-global-secretsbackend-vault-controller))
|
- `controller` ((#v-global-secretsbackend-vault-controller))
|
||||||
|
|
||||||
- `tlsCert` ((#v-global-secretsbackend-vault-controller-tlscert)) - Configuration to the Vault Secret that Kubernetes will use on
|
- `tlsCert` ((#v-global-secretsbackend-vault-controller-tlscert)) - Configuration to the Vault Secret that Kubernetes will use on
|
||||||
Kubernetes CRD creation, deletion, and update, to get TLS certificates
|
Kubernetes CRD creation, deletion, and update, to get TLS certificates
|
||||||
used issued from vault to send webhooks to the controller.
|
used issued from vault to send webhooks to the controller.
|
||||||
|
|
||||||
- `secretName` ((#v-global-secretsbackend-vault-controller-tlscert-secretname)) (`string: null`) - The Vault secret path that issues TLS certificates for controller
|
- `secretName` ((#v-global-secretsbackend-vault-controller-tlscert-secretname)) (`string: null`) - The Vault secret path that issues TLS certificates for controller
|
||||||
webhooks.
|
webhooks.
|
||||||
|
|
||||||
- `caCert` ((#v-global-secretsbackend-vault-controller-cacert)) - Configuration to the Vault Secret that Kubernetes will use on
|
- `caCert` ((#v-global-secretsbackend-vault-controller-cacert)) - Configuration to the Vault Secret that Kubernetes will use on
|
||||||
Kubernetes CRD creation, deletion, and update, to get CA certificates
|
Kubernetes CRD creation, deletion, and update, to get CA certificates
|
||||||
used issued from vault to send webhooks to the controller.
|
used issued from vault to send webhooks to the controller.
|
||||||
|
|
||||||
|
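Review bot: `used issued from vault` in both the `tlsCert` and `caCert` descriptions looks like a leftover from an earlier edit; suggest `issued by Vault` (capitalised, as elsewhere in this file). The `caCert` entry also says the CA certificates are used `to send webhooks to the controller`; since a CA certificate is what the caller uses to verify the webhook's serving certificate rather than something presented to it, `to verify the TLS certificate of the controller's webhook` would be more precise.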
@ -312,14 +312,14 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
- `connectInject` ((#v-global-secretsbackend-vault-connectinject))
|
- `connectInject` ((#v-global-secretsbackend-vault-connectinject))
|
||||||
|
|
||||||
- `caCert` ((#v-global-secretsbackend-vault-connectinject-cacert)) - Configuration to the Vault Secret that Kubernetes will use on
|
- `caCert` ((#v-global-secretsbackend-vault-connectinject-cacert)) - Configuration to the Vault Secret that Kubernetes will use on
|
||||||
Kubernetes pod creation, deletion, and update, to get CA certificates
|
Kubernetes pod creation, deletion, and update, to get CA certificates
|
||||||
used issued from vault to send webhooks to the ConnectInject.
|
used issued from vault to send webhooks to the ConnectInject.
|
||||||
|
|
||||||
- `secretName` ((#v-global-secretsbackend-vault-connectinject-cacert-secretname)) (`string: null`) - The Vault secret path that contains the CA certificate for
|
- `secretName` ((#v-global-secretsbackend-vault-connectinject-cacert-secretname)) (`string: null`) - The Vault secret path that contains the CA certificate for
|
||||||
Connect Inject webhooks.
|
Connect Inject webhooks.
|
||||||
|
|
||||||
- `tlsCert` ((#v-global-secretsbackend-vault-connectinject-tlscert)) - Configuration to the Vault Secret that Kubernetes will use on
|
- `tlsCert` ((#v-global-secretsbackend-vault-connectinject-tlscert)) - Configuration to the Vault Secret that Kubernetes will use on
|
||||||
Kubernetes pod creation, deletion, and update, to get TLS certificates
|
Kubernetes pod creation, deletion, and update, to get TLS certificates
|
||||||
used issued from vault to send webhooks to the ConnectInject.
|
used issued from vault to send webhooks to the ConnectInject.
|
||||||
|
|
||||||
|
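Review bot: same `used issued from vault` wording as in the `controller` stanza above, on both the `caCert` and `tlsCert` entries here. The component is also named three ways within this one hunk (`connectInject`, `ConnectInject`, `Connect Inject`); pick one spelling for prose, for example `connect-injector` as already used in the `connectInjectRole` description.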
@ -361,7 +361,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
See https://www.consul.io/docs/agent/config/cli-flags#_recursor for more details.
|
See https://www.consul.io/docs/agent/config/cli-flags#_recursor for more details.
|
||||||
If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`).
|
If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`).
|
||||||
|
|
||||||
- `tls` ((#v-global-tls)) - Enables TLS (https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure?utm_source=docs)
|
- `tls` ((#v-global-tls)) - Enables TLS (https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure)
|
||||||
across the cluster to verify authenticity of the Consul servers and clients.
|
across the cluster to verify authenticity of the Consul servers and clients.
|
||||||
Requires Consul v1.4.1+.
|
Requires Consul v1.4.1+.
|
||||||
|
|
||||||
|
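Review bot: dropping `?utm_source=docs` from the TLS tutorial link is the only change in this hunk; the same tracking parameter is removed from the Vault PKI tutorial link further down in this diff, so it is worth searching the rest of the file for remaining `utm_source` query strings so the cleanup lands in one commit.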
@ -516,7 +516,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
This address must be reachable from the Consul servers in the primary datacenter.
|
This address must be reachable from the Consul servers in the primary datacenter.
|
||||||
This auth method will be used to provision ACL tokens for Consul components and is different
|
This auth method will be used to provision ACL tokens for Consul components and is different
|
||||||
from the one used by the Consul Service Mesh.
|
from the one used by the Consul Service Mesh.
|
||||||
Please see the [Kubernetes Auth Method documentation](/docs/security/acl/auth-methods/kubernetes).
|
Please see the [Kubernetes Auth Method documentation](https://consul.io/docs/acl/auth-methods/kubernetes).
|
||||||
|
|
||||||
You can retrieve this value from your `kubeconfig` by running:
|
You can retrieve this value from your `kubeconfig` by running:
|
||||||
|
|
||||||
|
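Review bot: the replacement link changes the path as well as making it absolute: the old target was `/docs/security/acl/auth-methods/kubernetes` and the new one is `https://consul.io/docs/acl/auth-methods/kubernetes`, which drops the `security` segment. Please confirm the new path resolves without a redirect; if the intent was only to make the link absolute, `https://www.consul.io/docs/security/acl/auth-methods/kubernetes` preserves the original path.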
@ -527,7 +527,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
- `metrics` ((#v-global-metrics)) - Configures metrics for Consul service mesh
|
- `metrics` ((#v-global-metrics)) - Configures metrics for Consul service mesh
|
||||||
|
|
||||||
- `enabled` ((#v-global-metrics-enabled)) (`boolean: false`) - Configures the Helm chart's components
|
- `enabled` ((#v-global-metrics-enabled)) (`boolean: false`) - Configures the Helm chart’s components
|
||||||
to expose Prometheus metrics for the Consul service mesh. By default
|
to expose Prometheus metrics for the Consul service mesh. By default
|
||||||
this includes gateway metrics and sidecar metrics.
|
this includes gateway metrics and sidecar metrics.
|
||||||
|
|
||||||
|
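Review bot: the only change in this hunk replaces the ASCII apostrophe in `Helm chart's` with a typographic one (`chart’s`, U+2019), while every other possessive in this diff (`servers' StatefulSet`, `cluster's default StorageClass`) uses ASCII `'`. Suggest reverting so the file stays consistently ASCII and mixed quote characters do not trip up search and diff tooling.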
@ -565,7 +565,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
- `enabled` ((#v-global-openshift-enabled)) (`boolean: false`) - If true, the Helm chart will create necessary configuration for running
|
- `enabled` ((#v-global-openshift-enabled)) (`boolean: false`) - If true, the Helm chart will create necessary configuration for running
|
||||||
its components on OpenShift.
|
its components on OpenShift.
|
||||||
|
|
||||||
- `consulAPITimeout` ((#v-global-consulapitimeout)) (`string: 5s`) - The time in seconds that the consul API client will wait for a response from
|
- `consulAPITimeout` ((#v-global-consulapitimeout)) (`string: 5s`) - The time in seconds that the consul API client will wait for a response from
|
||||||
the API before cancelling the request.
|
the API before cancelling the request.
|
||||||
|
|
||||||
### server ((#h-server))
|
### server ((#h-server))
|
||||||
|
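Review bot: both sides read identically, so this is a whitespace change, but the `consulAPITimeout` description says `The time in seconds` while the documented default is the duration string `5s`. Suggest `The duration (for example 5s) that the Consul API client will wait for a response from the API before cancelling the request`, and capitalise `Consul`.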
@ -621,7 +621,8 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
Vault Secrets backend:
|
Vault Secrets backend:
|
||||||
If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]`
|
If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]`
|
||||||
capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`.
|
capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`.
|
||||||
Please refer the [Consul and Vault tutorial](https://learn.hashicorp.com/tutorials/consul/vault-pki-consul-secure-tls?utm_source=docs) for steps to generate a compatible certificate.
|
Please see the following guide for steps to generate a compatible certificate:
|
||||||
|
https://learn.hashicorp.com/tutorials/consul/vault-pki-consul-secure-tls
|
||||||
Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine
|
Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine
|
||||||
must be provided.
|
must be provided.
|
||||||
|
|
||||||
|
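Review bot: the rewrite fixes `Please refer the` but swaps a Markdown link for a bare URL on its own line; the `storageClass` hunk below uses `[Read/Write Tuning](https://...)`, so `[Consul and Vault tutorial](https://learn.hashicorp.com/tutorials/consul/vault-pki-consul-secure-tls)` would be consistent and keep the link text. Separately, in the Note, `both the server.serverCert and global.tls.caCert which points to the CA endpoint` is ambiguous about which value points at the CA endpoint; suggest `both server.serverCert and global.tls.caCert (the latter pointing to the CA endpoint of this PKI engine) must be provided`.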
@ -655,13 +656,18 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
- `storageClass` ((#v-server-storageclass)) (`string: null`) - The StorageClass to use for the servers' StatefulSet storage. It must be
|
- `storageClass` ((#v-server-storageclass)) (`string: null`) - The StorageClass to use for the servers' StatefulSet storage. It must be
|
||||||
able to be dynamically provisioned if you want the storage
|
able to be dynamically provisioned if you want the storage
|
||||||
to be automatically created. For example, to use local
|
to be automatically created. For example, to use
|
||||||
(https://kubernetes.io/docs/concepts/storage/storage-classes/#local)
|
local(https://kubernetes.io/docs/concepts/storage/storage-classes/#local)
|
||||||
storage classes, the PersistentVolumeClaims would need to be manually created.
|
storage classes, the PersistentVolumeClaims would need to be manually created.
|
||||||
A `null` value will use the Kubernetes cluster's default StorageClass. If a default
|
A `null` value will use the Kubernetes cluster's default StorageClass. If a default
|
||||||
StorageClass does not exist, you will need to create one.
|
StorageClass does not exist, you will need to create one.
|
||||||
See https://www.consul.io/docs/install/performance#read-write-tuning for considerations around choosing a
|
Refer to the [Read/Write Tuning](https://www.consul.io/docs/install/performance#read-write-tuning)
|
||||||
performant storage class.
|
section of the Server Performance Requirements documentation for considerations
|
||||||
|
around choosing a performant storage class.
|
||||||
|
|
||||||
|
~> **Note:** The [Reference Architecture](https://learn.hashicorp.com/tutorials/consul/reference-architecture#hardware-sizing-for-consul-servers)
|
||||||
|
contains best practices and recommendations for selecting suitable
|
||||||
|
hardware sizes for your Consul servers.
|
||||||
|
|
||||||
- `connect` ((#v-server-connect)) (`boolean: true`) - This will enable/disable Connect (https://consul.io/docs/connect). Setting this to true
|
- `connect` ((#v-server-connect)) (`boolean: true`) - This will enable/disable Connect (https://consul.io/docs/connect). Setting this to true
|
||||||
_will not_ automatically secure pod communication, this
|
_will not_ automatically secure pod communication, this
|
||||||
|
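Review bot: `local(https://kubernetes.io/docs/concepts/storage/storage-classes/#local)` on the new side has no space and no Markdown brackets, so it renders literally as `local(https://...)`; use `[local](https://kubernetes.io/docs/concepts/storage/storage-classes/#local)` to match the `[Read/Write Tuning](...)` link added further down in the same hunk. The new `~> **Note:**` callout sits inside the bullet's continuation text, so please check the rendered page keeps it indented under `storageClass` rather than breaking the list.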
@ -1423,8 +1429,8 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
already exist, it will be created. Turning this on overrides the
|
already exist, it will be created. Turning this on overrides the
|
||||||
`consulDestinationNamespace` setting.
|
`consulDestinationNamespace` setting.
|
||||||
`addK8SNamespaceSuffix` may no longer be needed if enabling this option.
|
`addK8SNamespaceSuffix` may no longer be needed if enabling this option.
|
||||||
If mirroring is enabled, avoid creating any Consul resources in the following
|
If mirroring is enabled, avoid creating any Consul resources in the following
|
||||||
Kubernetes namespaces, as Consul currently reserves these namespaces for
|
Kubernetes namespaces, as Consul currently reserves these namespaces for
|
||||||
system use: "system", "universal", "operator", "root".
|
system use: "system", "universal", "operator", "root".
|
||||||
|
|
||||||
- `mirroringK8SPrefix` ((#v-synccatalog-consulnamespaces-mirroringk8sprefix)) (`string: ""`) - If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
|
- `mirroringK8SPrefix` ((#v-synccatalog-consulnamespaces-mirroringk8sprefix)) (`string: ""`) - If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
|
||||||
|
@ -1473,11 +1479,11 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
- `aclSyncToken` ((#v-synccatalog-aclsynctoken)) - Refers to a Kubernetes secret that you have created that contains
|
- `aclSyncToken` ((#v-synccatalog-aclsynctoken)) - Refers to a Kubernetes secret that you have created that contains
|
||||||
an ACL token for your Consul cluster which allows the sync process the correct
|
an ACL token for your Consul cluster which allows the sync process the correct
|
||||||
permissions. This is only needed if ACLs are enabled on the Consul cluster.
|
permissions. This is only needed if ACLs are managed manually within the Consul cluster.
|
||||||
|
|
||||||
- `secretName` ((#v-synccatalog-aclsynctoken-secretname)) (`string: null`) - The name of the Vault secret that holds the acl sync token.
|
- `secretName` ((#v-synccatalog-aclsynctoken-secretname)) (`string: null`) - The name of the Kubernetes secret that holds the acl sync token.
|
||||||
|
|
||||||
- `secretKey` ((#v-synccatalog-aclsynctoken-secretkey)) (`string: null`) - The key within the Vault secret that holds the acl sync.
|
- `secretKey` ((#v-synccatalog-aclsynctoken-secretkey)) (`string: null`) - The key within the Kubernetes secret that holds the acl sync token.
|
||||||
|
|
||||||
- `nodeSelector` ((#v-synccatalog-nodeselector)) (`string: null`) - This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
|
- `nodeSelector` ((#v-synccatalog-nodeselector)) (`string: null`) - This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
|
||||||
labels for catalog sync pod assignment, formatted as a multi-line string.
|
labels for catalog sync pod assignment, formatted as a multi-line string.
|
||||||
|
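Review bot: the new condition `only needed if ACLs are managed manually within the Consul cluster` is vaguer than the old `only needed if ACLs are enabled`; say what it contrasts with, for example `only needed if ACLs are enabled and the Helm chart is not creating the ACL tokens itself`, otherwise a reader with ACLs enabled cannot tell whether to set it. Correcting `Vault secret` to `Kubernetes secret` on `secretName` and `secretKey` does match the parent `aclSyncToken` description; while there, `acl sync token` should be `ACL sync token` in both.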
@ -1566,7 +1572,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
- `disruptionBudget` ((#v-connectinject-disruptionbudget)) - This configures the PodDisruptionBudget (https://kubernetes.io/docs/tasks/run-application/configure-pdb/)
|
- `disruptionBudget` ((#v-connectinject-disruptionbudget)) - This configures the PodDisruptionBudget (https://kubernetes.io/docs/tasks/run-application/configure-pdb/)
|
||||||
for the service mesh sidecar injector.
|
for the service mesh sidecar injector.
|
||||||
|
|
||||||
- `enabled` ((#v-connectinject-disruptionbudget-enabled)) (`boolean: true`) - This will enable/disable registering a PodDisruptionBudget for the
|
- `enabled` ((#v-connectinject-disruptionbudget-enabled)) (`boolean: true`) - This will enable/disable registering a PodDisruptionBudget for the
|
||||||
service mesh sidecar injector. If this is enabled, it will only register the budget so long as
|
service mesh sidecar injector. If this is enabled, it will only register the budget so long as
|
||||||
the service mesh is enabled.
|
the service mesh is enabled.
|
||||||
|
|
||||||
|
@ -1578,7 +1584,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
- `cni` ((#v-connectinject-cni)) - Configures consul-cni plugin for Consul Service mesh services
|
- `cni` ((#v-connectinject-cni)) - Configures consul-cni plugin for Consul Service mesh services
|
||||||
|
|
||||||
- `enabled` ((#v-connectinject-cni-enabled)) (`boolean: false`) - If true, then all traffic redirection setup will use the consul-cni plugin.
|
- `enabled` ((#v-connectinject-cni-enabled)) (`boolean: false`) - If true, then all traffic redirection setup will use the consul-cni plugin.
|
||||||
Requires connectInject.enabled to also be true.
|
Requires connectInject.enabled to also be true.
|
||||||
|
|
||||||
- `logLevel` ((#v-connectinject-cni-loglevel)) (`string: null`) - Log level for the installer and plugin. Overrides global.logLevel
|
- `logLevel` ((#v-connectinject-cni-loglevel)) (`string: null`) - Log level for the installer and plugin. Overrides global.logLevel
|
||||||
|
@ -1694,7 +1700,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
which can lead to hangs. In these environments it is recommend to use "Ignore" instead.
|
which can lead to hangs. In these environments it is recommend to use "Ignore" instead.
|
||||||
This setting can be safely disabled by setting to "Ignore".
|
This setting can be safely disabled by setting to "Ignore".
|
||||||
|
|
||||||
- `namespaceSelector` ((#v-connectinject-namespaceselector)) (`string`) - Selector for restricting the webhook to only specific namespaces.
|
- `namespaceSelector` ((#v-connectinject-namespaceselector)) (`string`) - Selector for restricting the webhook to only specific namespaces.
|
||||||
Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string.
|
Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string.
|
||||||
See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
|
See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
|
||||||
for more details.
|
for more details.
|
||||||
|
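Review bot: `This setting can be safely disabled by setting to "Ignore"` overstates it: with the webhook failure policy set to Ignore, pods admitted while the injector webhook is unreachable are created without a sidecar, so the fail-closed behaviour is lost for exactly those pods. Suggest qualifying it, for example `Setting this to "Ignore" avoids the hangs described above, at the cost of pods created while the webhook is unavailable not being injected`, and fix `it is recommend to use` to `it is recommended to use`.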
@ -1750,8 +1756,8 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
of the same name as their k8s namespace, optionally prefixed if
|
of the same name as their k8s namespace, optionally prefixed if
|
||||||
`mirroringK8SPrefix` is set below. If the Consul namespace does not
|
`mirroringK8SPrefix` is set below. If the Consul namespace does not
|
||||||
already exist, it will be created. Turning this on overrides the
|
already exist, it will be created. Turning this on overrides the
|
||||||
`consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul
|
`consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul
|
||||||
resources in the following Kubernetes namespaces, as Consul currently reserves these
|
resources in the following Kubernetes namespaces, as Consul currently reserves these
|
||||||
namespaces for system use: "system", "universal", "operator", "root".
|
namespaces for system use: "system", "universal", "operator", "root".
|
||||||
|
|
||||||
- `mirroringK8SPrefix` ((#v-connectinject-consulnamespaces-mirroringk8sprefix)) (`string: ""`) - If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
|
- `mirroringK8SPrefix` ((#v-connectinject-consulnamespaces-mirroringk8sprefix)) (`string: ""`) - If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
|
||||||
|
|