From 8d49f51d2f6730af1f3bbe569b51e63c200074c4 Mon Sep 17 00:00:00 2001 From: Ashwin Venkatesh Date: Mon, 18 Oct 2021 12:44:43 -0700 Subject: [PATCH] Update docs for consul-k8s v0.35.0 (#11349) --- website/content/docs/k8s/helm.mdx | 78 +++++++++++++++++++------------ 1 file changed, 47 insertions(+), 31 deletions(-) diff --git a/website/content/docs/k8s/helm.mdx b/website/content/docs/k8s/helm.mdx index 19103a5b1..3763b9eeb 100644 --- a/website/content/docs/k8s/helm.mdx +++ b/website/content/docs/k8s/helm.mdx @@ -131,25 +131,20 @@ Use these links to navigate to a particular top-level stanza. - `enablePodSecurityPolicies` ((#v-global-enablepodsecuritypolicies)) (`boolean: false`) - Controls whether pod security policies are created for the Consul components created by this chart. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/. - - `gossipEncryption` ((#v-global-gossipencryption)) - Configures which Kubernetes secret to retrieve Consul's - gossip encryption key from (see `-encrypt` (https://consul.io/docs/agent/options#_encrypt)). If secretName or - secretKey are not set, gossip encryption will not be enabled. The secret must - be in the same namespace that Consul is installed into. + - `gossipEncryption` ((#v-global-gossipencryption)) - Configures Consul's gossip encryption key, set as a Kubernetes secret + (see `-encrypt` (https://consul.io/docs/agent/options#_encrypt)). + By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. + The recommended method is to automatically generate the key. + To automatically generate and set a gossip encryption key, set autoGenerate to true. + Values for secretName and secretKey should not be set if autoGenerate is true. + To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate + a Kubernetes secret referencing these values. - The secret can be created by running: - - ```shell + ``` $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) ``` - To reference, use: - - ```yaml - global: - gossipEncryption: - secretName: consul-gossip-encryption-key - secretKey: key - ``` + - `autoGenerate` ((#v-global-gossipencryption-autogenerate)) (`boolean: false`) - Automatically generate a gossip encryption key and save it to a Kubernetes secret. - `secretName` ((#v-global-gossipencryption-secretname)) (`string: ""`) - secretName is the name of the Kubernetes secret that holds the gossip encryption key. The secret must be in the same namespace that Consul is installed into. @@ -450,7 +445,7 @@ Use these links to navigate to a particular top-level stanza. Note: if running on OpenShift, this setting is ignored because the user and group are set automatically by the OpenShift platform. - - `containerSecurityContext` ((#v-server-containersecuritycontext)) (`map`) - The container securityContext for each container in the server pods. In + - `containerSecurityContext` ((#v-server-containersecuritycontext)) (`map`) - The container securityContext for each container in the server pods. In addition to the Pod's SecurityContext this can set the capabilities of processes running in the container and ensure the root file systems in the container is read-only. @@ -521,6 +516,17 @@ Use these links to navigate to a particular top-level stanza. configured to automatically load HCL/JSON configuration files from this volume with `-config-dir`. This defaults to false. + - `extraContainers` ((#v-server-extracontainers)) (`array`) - A list of sidecar containers. + Example: + + ```yaml + extraContainers: + - name: extra-container + image: example-image:latest + command: + - ... + ``` + - `affinity` ((#v-server-affinity)) (`string`) - This value defines the affinity (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) for server pods. It defaults to allowing only a single server pod on each node, which minimizes risk of the cluster becoming unusable if a node is lost. If you need @@ -720,7 +726,7 @@ Use these links to navigate to a particular top-level stanza. Note: if running on OpenShift, this setting is ignored because the user and group are set automatically by the OpenShift platform. - - `containerSecurityContext` ((#v-client-containersecuritycontext)) (`map`) - The container securityContext for each container in the client pods. In + - `containerSecurityContext` ((#v-client-containersecuritycontext)) (`map`) - The container securityContext for each container in the client pods. In addition to the Pod's SecurityContext this can set the capabilities of processes running in the container and ensure the root file systems in the container is read-only. @@ -776,6 +782,17 @@ Use these links to navigate to a particular top-level stanza. configured to automatically load HCL/JSON configuration files from this volume with `-config-dir`. This defaults to false. + - `extraContainers` ((#v-client-extracontainers)) (`array`) - A list of sidecar containers. + Example: + + ```yaml + extraContainers: + - name: extra-container + image: example-image:latest + command: + - ... + ``` + - `tolerations` ((#v-client-tolerations)) (`string: ""`) - Toleration Settings for Client pods This should be a multi-line string matching the Toleration array in a PodSpec. @@ -1004,7 +1021,7 @@ Use these links to navigate to a particular top-level stanza. ```yaml tls: - hosts: - - chart-example.local + - chart-example.local secretName: testsecret-tls ``` @@ -1240,14 +1257,13 @@ Use these links to navigate to a particular top-level stanza. add prometheus annotations to connect-injected pods. It will also add a listener on the Envoy sidecar to expose metrics. The exposed metrics will depend on whether metrics merging is enabled: - - - If metrics merging is enabled: - the Consul sidecar will run a merged metrics server - combining Envoy sidecar and Connect service metrics, - i.e. if your service exposes its own Prometheus metrics. - - If metrics merging is disabled: - the listener will just expose Envoy sidecar metrics. - This will inherit from `global.metrics.enabled`. + - If metrics merging is enabled: + the Consul sidecar will run a merged metrics server + combining Envoy sidecar and Connect service metrics, + i.e. if your service exposes its own Prometheus metrics. + - If metrics merging is disabled: + the listener will just expose Envoy sidecar metrics. + This will inherit from `global.metrics.enabled`. - `defaultEnableMerging` ((#v-connectinject-metrics-defaultenablemerging)) (`boolean: false`) - Configures the Consul sidecar to run a merged metrics server to combine and serve both Envoy and Connect service metrics. @@ -1260,14 +1276,14 @@ Use these links to navigate to a particular top-level stanza. - `defaultPrometheusScrapePort` ((#v-connectinject-metrics-defaultprometheusscrapeport)) (`integer: 20200`) - Configures the port Prometheus will scrape metrics from, by configuring the Pod annotation `prometheus.io/port` and the corresponding listener in the Envoy sidecar. - NOTE: This is _not_ the port that your application exposes metrics on. + NOTE: This is *not* the port that your application exposes metrics on. That can be configured with the `consul.hashicorp.com/service-metrics-port` annotation. - `defaultPrometheusScrapePath` ((#v-connectinject-metrics-defaultprometheusscrapepath)) (`string: /metrics`) - Configures the path Prometheus will scrape metrics from, by configuring the pod annotation `prometheus.io/path` and the corresponding handler in the Envoy sidecar. - NOTE: This is _not_ the path that your application exposes metrics on. + NOTE: This is *not* the path that your application exposes metrics on. That can be configured with the `consul.hashicorp.com/service-metrics-path` annotation. @@ -1302,7 +1318,7 @@ Use these links to navigate to a particular top-level stanza. which can lead to hangs. In these environments it is recommend to use "Ignore" instead. This setting can be safely disabled by setting to "Ignore". - - `namespaceSelector` ((#v-connectinject-namespaceselector)) (`string: null`) - Selector for restricting the webhook to only specific namespaces. + - `namespaceSelector` ((#v-connectinject-namespaceselector)) (`string: null`) - Selector for restricting the webhook to only specific namespaces. Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string. See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector for more details. @@ -1469,7 +1485,6 @@ Use these links to navigate to a particular top-level stanza. `global.acls.manageSystemACLs`). If running Consul OSS, requires permissions: - ```hcl operator = "write" service_prefix "" { @@ -1477,7 +1492,6 @@ Use these links to navigate to a particular top-level stanza. intentions = "write" } ``` - If running Consul Enterprise, talk to your account manager for assistance. - `secretName` ((#v-controller-acltoken-secretname)) (`string: null`) - The name of the Kubernetes secret. @@ -1592,6 +1606,8 @@ Use these links to navigate to a particular top-level stanza. - `initCopyConsulContainer` ((#v-meshgateway-initcopyconsulcontainer)) (`map`) - Resource settings for the `copy-consul-bin` init container. + - `initServiceInitContainer` ((#v-meshgateway-initserviceinitcontainer)) (`map`) - Resource settings for the `service-init` init container. + - `affinity` ((#v-meshgateway-affinity)) (`string`) - By default, we set an anti-affinity so that two gateway pods won't be on the same node. NOTE: Gateways require that Consul client agents are also running on the nodes alongside each gateway pod.