Update Consul on Kubernetes Helm Docs (#18054)

* Render Consul K8s Helm Docs
---------

Co-authored-by: David Yu <dyu@hashicorp.com>
This commit is contained in:
Thomas Eckert 2023-07-07 17:54:51 -04:00 committed by GitHub
parent 97a57b476f
commit ef09f400b5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -20,27 +20,22 @@ with Consul.
Use these links to navigate to a particular top-level stanza. Use these links to navigate to a particular top-level stanza.
- [Helm Chart Reference](#helm-chart-reference) - [`global`](#h-global)
- [Top-Level Stanzas](#top-level-stanzas) - [`server`](#h-server)
- [All Values](#all-values) - [`externalServers`](#h-externalservers)
- [`global`](#h-global) - [`client`](#h-client)
- [`server`](#h-server) - [`dns`](#h-dns)
- [`externalServers`](#h-externalservers) - [`ui`](#h-ui)
- [`client`](#h-client) - [`syncCatalog`](#h-synccatalog)
- [`dns`](#h-dns) - [`connectInject`](#h-connectinject)
- [`ui`](#h-ui) - [`meshGateway`](#h-meshgateway)
- [`syncCatalog`](#h-synccatalog) - [`ingressGateways`](#h-ingressgateways)
- [`connectInject`](#h-connectinject) - [`terminatingGateways`](#h-terminatinggateways)
- [`meshGateway`](#h-meshgateway) - [`apiGateway`](#h-apigateway)
- [`ingressGateways`](#h-ingressgateways) - [`webhookCertManager`](#h-webhookcertmanager)
- [`terminatingGateways`](#h-terminatinggateways) - [`prometheus`](#h-prometheus)
- [`apiGateway`](#h-apigateway) - [`tests`](#h-tests)
- [`webhookCertManager`](#h-webhookcertmanager) - [`telemetryCollector`](#h-telemetrycollector)
- [`prometheus`](#h-prometheus)
- [`tests`](#h-tests)
- [`telemetryCollector`](#h-telemetrycollector)
- [Helm Chart Examples](#helm-chart-examples)
- [Customizing the Helm Chart](#customizing-the-helm-chart)
## All Values ## All Values
@ -64,7 +59,7 @@ Use these links to navigate to a particular top-level stanza.
the prefix will be `<helm release name>-consul`. the prefix will be `<helm release name>-consul`.
- `domain` ((#v-global-domain)) (`string: consul`) - The domain Consul will answer DNS queries for - `domain` ((#v-global-domain)) (`string: consul`) - The domain Consul will answer DNS queries for
(Refer to [`-domain`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from (Refer to [`-domain`](/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from
Consul into Kubernetes will have, e.g. `service-name.service.consul`. Consul into Kubernetes will have, e.g. `service-name.service.consul`.
- `peering` ((#v-global-peering)) - Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+. - `peering` ((#v-global-peering)) - Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+.
@ -125,7 +120,7 @@ Use these links to navigate to a particular top-level stanza.
- `secretsBackend` ((#v-global-secretsbackend)) - secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation. - `secretsBackend` ((#v-global-secretsbackend)) - secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation.
The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled
and have necessary secrets, policies and roles created prior to installing Consul. and have necessary secrets, policies and roles created prior to installing Consul.
Refer to [Vault as the Secrets Backend](https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/vault) Refer to [Vault as the Secrets Backend](/consul/docs/k8s/deployment-configurations/vault)
documentation for full instructions. documentation for full instructions.
The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend
@ -212,11 +207,11 @@ Use these links to navigate to a particular top-level stanza.
- `secretKey` ((#v-global-secretsbackend-vault-ca-secretkey)) (`string: ""`) - The key within the Kubernetes or Vault secret that holds the Vault CA certificate. - `secretKey` ((#v-global-secretsbackend-vault-ca-secretkey)) (`string: ""`) - The key within the Kubernetes or Vault secret that holds the Vault CA certificate.
- `connectCA` ((#v-global-secretsbackend-vault-connectca)) - Configuration for the Vault service mesh CA provider. - `connectCA` ((#v-global-secretsbackend-vault-connectca)) - Configuration for the Vault Connect CA provider.
The provider will be configured to use the Vault Kubernetes auth method The provider will be configured to use the Vault Kubernetes auth method
and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole` and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole`
to have permissions to the root and intermediate PKI paths. to have permissions to the root and intermediate PKI paths.
Please refer to [Vault ACL policies](https://developer.hashicorp.com/consul/docs/connect/ca/vault#vault-acl-policies) Please refer to [Vault ACL policies](/consul/docs/connect/ca/vault#vault-acl-policies)
documentation for information on how to configure the Vault policies. documentation for information on how to configure the Vault policies.
- `address` ((#v-global-secretsbackend-vault-connectca-address)) (`string: ""`) - The address of the Vault server. - `address` ((#v-global-secretsbackend-vault-connectca-address)) (`string: ""`) - The address of the Vault server.
@ -224,13 +219,13 @@ Use these links to navigate to a particular top-level stanza.
- `authMethodPath` ((#v-global-secretsbackend-vault-connectca-authmethodpath)) (`string: kubernetes`) - The mount path of the Kubernetes auth method in Vault. - `authMethodPath` ((#v-global-secretsbackend-vault-connectca-authmethodpath)) (`string: kubernetes`) - The mount path of the Kubernetes auth method in Vault.
- `rootPKIPath` ((#v-global-secretsbackend-vault-connectca-rootpkipath)) (`string: ""`) - The path to a PKI secrets engine for the root certificate. - `rootPKIPath` ((#v-global-secretsbackend-vault-connectca-rootpkipath)) (`string: ""`) - The path to a PKI secrets engine for the root certificate.
For more details, please refer to [Vault service mesh CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath). For more details, please refer to [Vault Connect CA configuration](/consul/docs/connect/ca/vault#rootpkipath).
- `intermediatePKIPath` ((#v-global-secretsbackend-vault-connectca-intermediatepkipath)) (`string: ""`) - The path to a PKI secrets engine for the generated intermediate certificate. - `intermediatePKIPath` ((#v-global-secretsbackend-vault-connectca-intermediatepkipath)) (`string: ""`) - The path to a PKI secrets engine for the generated intermediate certificate.
For more details, please refer to [Vault service mesh CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath). For more details, please refer to [Vault Connect CA configuration](/consul/docs/connect/ca/vault#intermediatepkipath).
- `additionalConfig` ((#v-global-secretsbackend-vault-connectca-additionalconfig)) (`string: {}`) - Additional service mesh CA configuration in JSON format. - `additionalConfig` ((#v-global-secretsbackend-vault-connectca-additionalconfig)) (`string: {}`) - Additional Connect CA configuration in JSON format.
Please refer to [Vault service mesh CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration) Please refer to [Vault Connect CA configuration](/consul/docs/connect/ca/vault#configuration)
for all configuration options available for that provider. for all configuration options available for that provider.
Example: Example:
@ -251,20 +246,20 @@ Use these links to navigate to a particular top-level stanza.
- `caCert` ((#v-global-secretsbackend-vault-connectinject-cacert)) - Configuration to the Vault Secret that Kubernetes uses on - `caCert` ((#v-global-secretsbackend-vault-connectinject-cacert)) - Configuration to the Vault Secret that Kubernetes uses on
Kubernetes pod creation, deletion, and update, to get CA certificates Kubernetes pod creation, deletion, and update, to get CA certificates
used issued from vault to send webhooks to the connect inject. used issued from vault to send webhooks to the ConnectInject.
- `secretName` ((#v-global-secretsbackend-vault-connectinject-cacert-secretname)) (`string: null`) - The Vault secret path that contains the CA certificate for - `secretName` ((#v-global-secretsbackend-vault-connectinject-cacert-secretname)) (`string: null`) - The Vault secret path that contains the CA certificate for
connect inject webhooks. Connect Inject webhooks.
- `tlsCert` ((#v-global-secretsbackend-vault-connectinject-tlscert)) - Configuration to the Vault Secret that Kubernetes uses on - `tlsCert` ((#v-global-secretsbackend-vault-connectinject-tlscert)) - Configuration to the Vault Secret that Kubernetes uses on
Kubernetes pod creation, deletion, and update, to get TLS certificates Kubernetes pod creation, deletion, and update, to get TLS certificates
used issued from vault to send webhooks to the connect inject. used issued from vault to send webhooks to the ConnectInject.
- `secretName` ((#v-global-secretsbackend-vault-connectinject-tlscert-secretname)) (`string: null`) - The Vault secret path that issues TLS certificates for connect - `secretName` ((#v-global-secretsbackend-vault-connectinject-tlscert-secretname)) (`string: null`) - The Vault secret path that issues TLS certificates for connect
inject webhooks. inject webhooks.
- `gossipEncryption` ((#v-global-gossipencryption)) - Configures Consul's gossip encryption key. - `gossipEncryption` ((#v-global-gossipencryption)) - Configures Consul's gossip encryption key.
(Refer to [`-encrypt`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_encrypt)). (Refer to [`-encrypt`](/consul/docs/agent/config/cli-flags#_encrypt)).
By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually.
The recommended method is to automatically generate the key. The recommended method is to automatically generate the key.
To automatically generate and set a gossip encryption key, set autoGenerate to true. To automatically generate and set a gossip encryption key, set autoGenerate to true.
@ -295,17 +290,17 @@ Use these links to navigate to a particular top-level stanza.
- `recursors` ((#v-global-recursors)) (`array<string>: []`) - A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. - `recursors` ((#v-global-recursors)) (`array<string>: []`) - A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries.
These values are given as `-recursor` flags to Consul servers and clients. These values are given as `-recursor` flags to Consul servers and clients.
Refer to [`-recursor`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_recursor) for more details. Refer to [`-recursor`](/consul/docs/agent/config/cli-flags#_recursor) for more details.
If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`).
- `tls` ((#v-global-tls)) - Enables [TLS](https://developer.hashicorp.com/consul/tutorials/security/tls-encryption-secure) - `tls` ((#v-global-tls)) - Enables [TLS](/consul/tutorials/security/tls-encryption-secure)
across the cluster to verify authenticity of the Consul servers and clients. across the cluster to verify authenticity of the Consul servers and clients.
Requires Consul v1.4.1+. Requires Consul v1.4.1+.
- `enabled` ((#v-global-tls-enabled)) (`boolean: false`) - If true, the Helm chart will enable TLS for Consul - `enabled` ((#v-global-tls-enabled)) (`boolean: false`) - If true, the Helm chart will enable TLS for Consul
servers and clients and all consul-k8s-control-plane components, as well as generate certificate servers and clients and all consul-k8s-control-plane components, as well as generate certificate
authority (optional) and server and client certificates. authority (optional) and server and client certificates.
This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). This setting is required for [Cluster Peering](/consul/docs/connect/cluster-peering/k8s).
- `enableAutoEncrypt` ((#v-global-tls-enableautoencrypt)) (`boolean: false`) - If true, turns on the auto-encrypt feature on clients and servers. - `enableAutoEncrypt` ((#v-global-tls-enableautoencrypt)) (`boolean: false`) - If true, turns on the auto-encrypt feature on clients and servers.
It also switches consul-k8s-control-plane components to retrieve the CA from the servers It also switches consul-k8s-control-plane components to retrieve the CA from the servers
@ -322,7 +317,7 @@ Use these links to navigate to a particular top-level stanza.
- `verify` ((#v-global-tls-verify)) (`boolean: true`) - If true, `verify_outgoing`, `verify_server_hostname`, - `verify` ((#v-global-tls-verify)) (`boolean: true`) - If true, `verify_outgoing`, `verify_server_hostname`,
and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients. and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients.
Set this to false to incrementally roll out TLS on an existing Consul cluster. Set this to false to incrementally roll out TLS on an existing Consul cluster.
Please refer to [TLS on existing clusters](https://developer.hashicorp.com/consul/docs/k8s/operations/tls-on-existing-cluster) Please refer to [TLS on existing clusters](/consul/docs/k8s/operations/tls-on-existing-cluster)
for more details. for more details.
- `httpsOnly` ((#v-global-tls-httpsonly)) (`boolean: true`) - If true, the Helm chart will configure Consul to disable the HTTP port on - `httpsOnly` ((#v-global-tls-httpsonly)) (`boolean: true`) - If true, the Helm chart will configure Consul to disable the HTTP port on
@ -410,6 +405,23 @@ Use these links to navigate to a particular top-level stanza.
- `secretKey` ((#v-global-acls-replicationtoken-secretkey)) (`string: null`) - The key within the Kubernetes or Vault secret that holds the replication token. - `secretKey` ((#v-global-acls-replicationtoken-secretkey)) (`string: null`) - The key within the Kubernetes or Vault secret that holds the replication token.
- `resources` ((#v-global-acls-resources)) (`map`) - The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods.
This should be a YAML map corresponding to a Kubernetes
[`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core)
object.
Example:
```yaml
resources:
requests:
memory: '200Mi'
cpu: '100m'
limits:
memory: '200Mi'
cpu: '100m'
```
- `partitionToken` ((#v-global-acls-partitiontoken)) - partitionToken references a Vault secret containing the ACL token to be used in non-default partitions. - `partitionToken` ((#v-global-acls-partitiontoken)) - partitionToken references a Vault secret containing the ACL token to be used in non-default partitions.
This value should only be provided in the default partition and only when setting This value should only be provided in the default partition and only when setting
the `global.secretsBackend.vault.enabled` value to true. the `global.secretsBackend.vault.enabled` value to true.
@ -475,7 +487,7 @@ Use these links to navigate to a particular top-level stanza.
This address must be reachable from the Consul servers in the primary datacenter. This address must be reachable from the Consul servers in the primary datacenter.
This auth method will be used to provision ACL tokens for Consul components and is different This auth method will be used to provision ACL tokens for Consul components and is different
from the one used by the Consul Service Mesh. from the one used by the Consul Service Mesh.
Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). Please refer to the [Kubernetes Auth Method documentation](/consul/docs/security/acl/auth-methods/kubernetes).
You can retrieve this value from your `kubeconfig` by running: You can retrieve this value from your `kubeconfig` by running:
@ -602,7 +614,7 @@ Use these links to navigate to a particular top-level stanza.
Consul server agents. Consul server agents.
- `replicas` ((#v-server-replicas)) (`integer: 1`) - The number of server agents to run. This determines the fault tolerance of - `replicas` ((#v-server-replicas)) (`integer: 1`) - The number of server agents to run. This determines the fault tolerance of
the cluster. Please refer to the [deployment table](https://developer.hashicorp.com/consul/docs/architecture/consensus#deployment-table) the cluster. Please refer to the [deployment table](/consul/docs/architecture/consensus#deployment-table)
for more information. for more information.
- `bootstrapExpect` ((#v-server-bootstrapexpect)) (`int: null`) - The number of servers that are expected to be running. - `bootstrapExpect` ((#v-server-bootstrapexpect)) (`int: null`) - The number of servers that are expected to be running.
@ -641,7 +653,7 @@ Use these links to navigate to a particular top-level stanza.
Vault Secrets backend: Vault Secrets backend:
If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]` If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]`
capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`. capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`.
Complete [this tutorial](https://developer.hashicorp.com/consul/tutorials/vault-secure/vault-pki-consul-secure-tls) Complete [this tutorial](/consul/tutorials/vault-secure/vault-pki-consul-secure-tls)
to learn how to generate a compatible certificate. to learn how to generate a compatible certificate.
Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine
must be provided. must be provided.
@ -681,18 +693,18 @@ Use these links to navigate to a particular top-level stanza.
storage classes, the PersistentVolumeClaims would need to be manually created. storage classes, the PersistentVolumeClaims would need to be manually created.
A `null` value will use the Kubernetes cluster's default StorageClass. If a default A `null` value will use the Kubernetes cluster's default StorageClass. If a default
StorageClass does not exist, you will need to create one. StorageClass does not exist, you will need to create one.
Refer to the [Read/Write Tuning](https://developer.hashicorp.com/consul/docs/install/performance#read-write-tuning) Refer to the [Read/Write Tuning](/consul/docs/install/performance#read-write-tuning)
section of the Server Performance Requirements documentation for considerations section of the Server Performance Requirements documentation for considerations
around choosing a performant storage class. around choosing a performant storage class.
~> **Note:** The [Reference Architecture](https://developer.hashicorp.com/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers) ~> **Note:** The [Reference Architecture](/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers)
contains best practices and recommendations for selecting suitable contains best practices and recommendations for selecting suitable
hardware sizes for your Consul servers. hardware sizes for your Consul servers.
- `connect` ((#v-server-connect)) (`boolean: true`) - This will enable/disable [service mesh](https://developer.hashicorp.com/consul/docs/connect). Setting this to true - `connect` ((#v-server-connect)) (`boolean: true`) - This will enable/disable [Connect](/consul/docs/connect). Setting this to true
_will not_ automatically secure pod communication, this _will not_ automatically secure pod communication, this
setting will only enable usage of the feature. Consul will automatically initialize setting will only enable usage of the feature. Consul will automatically initialize
a new CA and set of certificates. Additional service mesh settings can be configured a new CA and set of certificates. Additional Connect settings can be configured
by setting the `server.extraConfig` value. by setting the `server.extraConfig` value.
- `serviceAccount` ((#v-server-serviceaccount)) - `serviceAccount` ((#v-server-serviceaccount))
@ -716,10 +728,10 @@ Use these links to navigate to a particular top-level stanza.
```yaml ```yaml
resources: resources:
requests: requests:
memory: '100Mi' memory: '200Mi'
cpu: '100m' cpu: '100m'
limits: limits:
memory: '100Mi' memory: '200Mi'
cpu: '100m' cpu: '100m'
``` ```
@ -741,7 +753,7 @@ Use these links to navigate to a particular top-level stanza.
control a rolling update of Consul server agents. This value specifies the control a rolling update of Consul server agents. This value specifies the
[partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions)
for performing a rolling update. Please read the linked Kubernetes for performing a rolling update. Please read the linked Kubernetes
and [Upgrade Consul](https://developer.hashicorp.com/consul/docs/k8s/upgrade#upgrading-consul-servers) and [Upgrade Consul](/consul/docs/k8s/upgrade#upgrading-consul-servers)
documentation for more information. documentation for more information.
- `disruptionBudget` ((#v-server-disruptionbudget)) - This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) - `disruptionBudget` ((#v-server-disruptionbudget)) - This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/)
@ -757,7 +769,7 @@ Use these links to navigate to a particular top-level stanza.
--set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation
command because of a limitation in the Helm templating language. command because of a limitation in the Helm templating language.
- `extraConfig` ((#v-server-extraconfig)) (`string: {}`) - A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul - `extraConfig` ((#v-server-extraconfig)) (`string: {}`) - A raw string of extra [JSON configuration](/consul/docs/agent/config/config-files) for Consul
servers. This will be saved as-is into a ConfigMap that is read by the Consul servers. This will be saved as-is into a ConfigMap that is read by the Consul
server agents. This can be used to add additional configuration that server agents. This can be used to add additional configuration that
isn't directly exposed by the chart. isn't directly exposed by the chart.
@ -934,18 +946,18 @@ Use these links to navigate to a particular top-level stanza.
it could be used to configure custom consul parameters. it could be used to configure custom consul parameters.
- `snapshotAgent` ((#v-server-snapshotagent)) - <EnterpriseAlert inline /> Values for setting up and running - `snapshotAgent` ((#v-server-snapshotagent)) - <EnterpriseAlert inline /> Values for setting up and running
[snapshot agents](https://developer.hashicorp.com/consul/commands/snapshot/agent) [snapshot agents](/consul/commands/snapshot/agent)
within the Consul clusters. They run as a sidecar with Consul servers. within the Consul clusters. They run as a sidecar with Consul servers.
- `enabled` ((#v-server-snapshotagent-enabled)) (`boolean: false`) - If true, the chart will install resources necessary to run the snapshot agent. - `enabled` ((#v-server-snapshotagent-enabled)) (`boolean: false`) - If true, the chart will install resources necessary to run the snapshot agent.
- `interval` ((#v-server-snapshotagent-interval)) (`string: 1h`) - Interval at which to perform snapshots. - `interval` ((#v-server-snapshotagent-interval)) (`string: 1h`) - Interval at which to perform snapshots.
Refer to [`interval`](https://developer.hashicorp.com/consul/commands/snapshot/agent#interval) Refer to [`interval`](/consul/commands/snapshot/agent#interval)
- `configSecret` ((#v-server-snapshotagent-configsecret)) - A Kubernetes or Vault secret that should be manually created to contain the entire - `configSecret` ((#v-server-snapshotagent-configsecret)) - A Kubernetes or Vault secret that should be manually created to contain the entire
config to be used on the snapshot agent. config to be used on the snapshot agent.
This is the preferred method of configuration since there are usually storage This is the preferred method of configuration since there are usually storage
credentials present. Please refer to the [Snapshot agent config](https://developer.hashicorp.com/consul/commands/snapshot/agent#config-file-options) credentials present. Please refer to the [Snapshot agent config](/consul/commands/snapshot/agent#config-file-options)
for details. for details.
- `secretName` ((#v-server-snapshotagent-configsecret-secretname)) (`string: null`) - The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config. - `secretName` ((#v-server-snapshotagent-configsecret-secretname)) (`string: null`) - The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config.
@ -966,6 +978,87 @@ Use these links to navigate to a particular top-level stanza.
... ...
``` ```
- `limits` ((#v-server-limits)) - Settings for potentially limiting timeouts, rate limiting on clients as well
as servers, and other settings to limit exposure too many requests, requests
waiting for too long, and other runtime considerations.
- `requestLimits` ((#v-server-limits-requestlimits)) - This object specifies configurations that limit the rate of RPC and gRPC
requests on the Consul server. Limiting the rate of gRPC and RPC requests
also limits HTTP requests to the Consul server.
/consul/docs/agent/config/config-files#request_limits
- `mode` ((#v-server-limits-requestlimits-mode)) (`string: disabled`) - Setting for disabling or enabling rate limiting. If not disabled, it
enforces the action that will occur when RequestLimitsReadRate
or RequestLimitsWriteRate is exceeded. The default value of "disabled" will
prevent any rate limiting from occuring. A value of "enforce" will block
the request from processings by returning an error. A value of
"permissive" will not block the request and will allow the request to
continue processing.
- `readRate` ((#v-server-limits-requestlimits-readrate)) (`integer: -1`) - Setting that controls how frequently RPC, gRPC, and HTTP
queries are allowed to happen. In any large enough time interval, rate
limiter limits the rate to RequestLimitsReadRate tokens per second.
See https://en.wikipedia.org/wiki/Token_bucket for more about token
buckets.
- `writeRate` ((#v-server-limits-requestlimits-writerate)) (`integer: -1`) - Setting that controls how frequently RPC, gRPC, and HTTP
writes are allowed to happen. In any large enough time interval, rate
limiter limits the rate to RequestLimitsWriteRate tokens per second.
See https://en.wikipedia.org/wiki/Token_bucket for more about token
buckets.
- `auditLogs` ((#v-server-auditlogs)) - <EnterpriseAlert inline /> Added in Consul 1.8, the audit object allow users to enable auditing
and configure a sink and filters for their audit logs. Please refer to
[audit logs](/consul/docs/enterprise/audit-logging) documentation
for further information.
- `enabled` ((#v-server-auditlogs-enabled)) (`boolean: false`) - Controls whether Consul logs out each time a user performs an operation.
global.acls.manageSystemACLs must be enabled to use this feature.
- `sinks` ((#v-server-auditlogs-sinks)) (`array<map>`) - A single entry of the sink object provides configuration for the destination to which Consul
will log auditing events.
Example:
```yaml
sinks:
- name: My Sink
type: file
format: json
path: /tmp/audit.json
delivery_guarantee: best-effort
rotate_duration: 24h
rotate_max_files: 15
rotate_bytes: 25165824
```
The sink object supports the following keys:
- `name` - Name of the sink.
- `type` - Type specifies what kind of sink this is. Currently only file sinks are available
- `format` - Format specifies what format the events will be emitted with. Currently only `json`
events are emitted.
- `path` - The directory and filename to write audit events to.
- `delivery_guarantee` - Specifies the rules governing how audit events are written. Consul
only supports `best-effort` event delivery.
- `mode` - The permissions to set on the audit log files.
- `rotate_duration` - Specifies the interval by which the system rotates to a new log file.
At least one of `rotate_duration` or `rotate_bytes` must be configured to enable audit logging.
- `rotate_bytes` - Specifies how large an individual log file can grow before Consul rotates to a new file.
At least one of rotate_bytes or rotate_duration must be configured to enable audit logging.
- `rotate_max_files` - Defines the limit that Consul should follow before it deletes old log files.
### externalServers ((#h-externalservers)) ### externalServers ((#h-externalservers))
- `externalServers` ((#v-externalservers)) - Configuration for Consul servers when the servers are running outside of Kubernetes. - `externalServers` ((#v-externalservers)) - Configuration for Consul servers when the servers are running outside of Kubernetes.
@ -1003,7 +1096,7 @@ Use these links to navigate to a particular top-level stanza.
- `k8sAuthMethodHost` ((#v-externalservers-k8sauthmethodhost)) (`string: null`) - If you are setting `global.acls.manageSystemACLs` and - `k8sAuthMethodHost` ((#v-externalservers-k8sauthmethodhost)) (`string: null`) - If you are setting `global.acls.manageSystemACLs` and
`connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server. `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server.
This address must be reachable from the Consul servers. This address must be reachable from the Consul servers.
Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). Please refer to the [Kubernetes Auth Method documentation](/consul/docs/security/acl/auth-methods/kubernetes).
You could retrieve this value from your `kubeconfig` by running: You could retrieve this value from your `kubeconfig` by running:
@ -1026,7 +1119,7 @@ Use these links to navigate to a particular top-level stanza.
- `image` ((#v-client-image)) (`string: null`) - The name of the Docker image (including any tag) for the containers - `image` ((#v-client-image)) (`string: null`) - The name of the Docker image (including any tag) for the containers
running Consul client agents. running Consul client agents.
- `join` ((#v-client-join)) (`array<string>: null`) - A list of valid [`-retry-join` values](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_retry_join). - `join` ((#v-client-join)) (`array<string>: null`) - A list of valid [`-retry-join` values](/consul/docs/agent/config/cli-flags#_retry_join).
If this is `null` (default), then the clients will attempt to automatically If this is `null` (default), then the clients will attempt to automatically
join the server cluster running within Kubernetes. join the server cluster running within Kubernetes.
This means that with `server.enabled` set to true, clients will automatically This means that with `server.enabled` set to true, clients will automatically
@ -1044,10 +1137,10 @@ Use these links to navigate to a particular top-level stanza.
- `grpc` ((#v-client-grpc)) (`boolean: true`) - If true, agents will enable their GRPC listener on - `grpc` ((#v-client-grpc)) (`boolean: true`) - If true, agents will enable their GRPC listener on
port 8502 and expose it to the host. This will use slightly more resources, but is port 8502 and expose it to the host. This will use slightly more resources, but is
required for service mesh. required for Connect.
- `nodeMeta` ((#v-client-nodemeta)) - nodeMeta specifies an arbitrary metadata key/value pair to associate with the node - `nodeMeta` ((#v-client-nodemeta)) - nodeMeta specifies an arbitrary metadata key/value pair to associate with the node
(refer to [`-node-meta`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_node_meta)) (refer to [`-node-meta`](/consul/docs/agent/config/cli-flags#_node_meta))
- `pod-name` ((#v-client-nodemeta-pod-name)) (`string: ${HOSTNAME}`) - `pod-name` ((#v-client-nodemeta-pod-name)) (`string: ${HOSTNAME}`)
@ -1091,7 +1184,7 @@ Use these links to navigate to a particular top-level stanza.
- `tlsInit` ((#v-client-containersecuritycontext-tlsinit)) (`map`) - The tls-init initContainer - `tlsInit` ((#v-client-containersecuritycontext-tlsinit)) (`map`) - The tls-init initContainer
- `extraConfig` ((#v-client-extraconfig)) (`string: {}`) - A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul - `extraConfig` ((#v-client-extraconfig)) (`string: {}`) - A raw string of extra [JSON configuration](/consul/docs/agent/config/config-files) for Consul
clients. This will be saved as-is into a ConfigMap that is read by the Consul clients. This will be saved as-is into a ConfigMap that is read by the Consul
client agents. This can be used to add additional configuration that client agents. This can be used to add additional configuration that
isn't directly exposed by the chart. isn't directly exposed by the chart.
@ -1245,7 +1338,7 @@ Use these links to navigate to a particular top-level stanza.
- `enabled` ((#v-dns-enabled)) (`boolean: -`) - `enabled` ((#v-dns-enabled)) (`boolean: -`)
- `enableRedirection` ((#v-dns-enableredirection)) (`boolean: -`) - If true, services using Consul service mesh will use Consul DNS - `enableRedirection` ((#v-dns-enableredirection)) (`boolean: -`) - If true, services using Consul Connect will use Consul DNS
for default DNS resolution. The DNS lookups fall back to the nameserver IPs for default DNS resolution. The DNS lookups fall back to the nameserver IPs
listed in /etc/resolv.conf if not found in Consul. listed in /etc/resolv.conf if not found in Consul.
@ -1357,16 +1450,16 @@ Use these links to navigate to a particular top-level stanza.
will inherit from `global.metrics.enabled` value. will inherit from `global.metrics.enabled` value.
- `provider` ((#v-ui-metrics-provider)) (`string: prometheus`) - Provider for metrics. Refer to - `provider` ((#v-ui-metrics-provider)) (`string: prometheus`) - Provider for metrics. Refer to
[`metrics_provider`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_metrics_provider) [`metrics_provider`](/consul/docs/agent/config/config-files#ui_config_metrics_provider)
This value is only used if `ui.enabled` is set to true. This value is only used if `ui.enabled` is set to true.
- `baseURL` ((#v-ui-metrics-baseurl)) (`string: http://prometheus-server`) - baseURL is the URL of the prometheus server, usually the service URL. - `baseURL` ((#v-ui-metrics-baseurl)) (`string: http://prometheus-server`) - baseURL is the URL of the prometheus server, usually the service URL.
This value is only used if `ui.enabled` is set to true. This value is only used if `ui.enabled` is set to true.
- `dashboardURLTemplates` ((#v-ui-dashboardurltemplates)) - Corresponds to [`dashboard_url_templates`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates) - `dashboardURLTemplates` ((#v-ui-dashboardurltemplates)) - Corresponds to [`dashboard_url_templates`](/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates)
configuration. configuration.
- `service` ((#v-ui-dashboardurltemplates-service)) (`string: ""`) - Sets [`dashboardURLTemplates.service`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates_service). - `service` ((#v-ui-dashboardurltemplates-service)) (`string: ""`) - Sets [`dashboardURLTemplates.service`](/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates_service).
### syncCatalog ((#h-synccatalog)) ### syncCatalog ((#h-synccatalog))
@ -1386,7 +1479,7 @@ Use these links to navigate to a particular top-level stanza.
to run the sync program. to run the sync program.
- `default` ((#v-synccatalog-default)) (`boolean: true`) - If true, all valid services in K8S are - `default` ((#v-synccatalog-default)) (`boolean: true`) - If true, all valid services in K8S are
synced by default. If false, the service must be [annotated](https://developer.hashicorp.com/consul/docs/k8s/service-sync#enable-and-disable-sync) synced by default. If false, the service must be [annotated](/consul/docs/k8s/service-sync#enable-and-disable-sync)
properly to sync. properly to sync.
In either case an annotation can override the default. In either case an annotation can override the default.
@ -1568,9 +1661,9 @@ Use these links to navigate to a particular top-level stanza.
### connectInject ((#h-connectinject)) ### connectInject ((#h-connectinject))
- `connectInject` ((#v-connectinject)) - Configures the automatic service mesh sidecar injector. - `connectInject` ((#v-connectinject)) - Configures the automatic Connect sidecar injector.
- `enabled` ((#v-connectinject-enabled)) (`boolean: true`) - True if you want to enable service mesh sidecar injection. Set to "-" to inherit from - `enabled` ((#v-connectinject-enabled)) (`boolean: true`) - True if you want to enable connect injection. Set to "-" to inherit from
global.enabled. global.enabled.
- `replicas` ((#v-connectinject-replicas)) (`integer: 1`) - The number of deployment replicas. - `replicas` ((#v-connectinject-replicas)) (`integer: 1`) - The number of deployment replicas.
@ -1579,14 +1672,14 @@ Use these links to navigate to a particular top-level stanza.
- `default` ((#v-connectinject-default)) (`boolean: false`) - If true, the injector will inject the - `default` ((#v-connectinject-default)) (`boolean: false`) - If true, the injector will inject the
Connect sidecar into all pods by default. Otherwise, pods must specify the Connect sidecar into all pods by default. Otherwise, pods must specify the
[injection annotation](https://developer.hashicorp.com/consul/docs/k8s/connect#consul-hashicorp-com-connect-inject) [injection annotation](/consul/docs/k8s/connect#consul-hashicorp-com-connect-inject)
to opt-in to service mesh sidecar injection. If this is true, pods can use the same annotation to opt-in to Connect injection. If this is true, pods can use the same annotation
to explicitly opt-out of injection. to explicitly opt-out of injection.
- `transparentProxy` ((#v-connectinject-transparentproxy)) - Configures Transparent Proxy for Consul Service mesh services. - `transparentProxy` ((#v-connectinject-transparentproxy)) - Configures Transparent Proxy for Consul Service mesh services.
Using this feature requires Consul 1.10.0-beta1+. Using this feature requires Consul 1.10.0-beta1+.
- `defaultEnabled` ((#v-connectinject-transparentproxy-defaultenabled)) (`boolean: true`) - If true, then all Consul service mesh will run with transparent proxy enabled by default, - `defaultEnabled` ((#v-connectinject-transparentproxy-defaultenabled)) (`boolean: true`) - If true, then all Consul Service mesh will run with transparent proxy enabled by default,
i.e. we enforce that all traffic within the pod will go through the proxy. i.e. we enforce that all traffic within the pod will go through the proxy.
This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation. This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation.
@ -1613,6 +1706,64 @@ Use these links to navigate to a particular top-level stanza.
- `minAvailable` ((#v-connectinject-disruptionbudget-minavailable)) (`integer: null`) - The minimum number of available pods. - `minAvailable` ((#v-connectinject-disruptionbudget-minavailable)) (`integer: null`) - The minimum number of available pods.
Takes precedence over maxUnavailable if set. Takes precedence over maxUnavailable if set.
- `apiGateway` ((#v-connectinject-apigateway)) - Configuration settings for the Consul API Gateway integration.
- `manageExternalCRDs` ((#v-connectinject-apigateway-manageexternalcrds)) (`boolean: true`) - Enables Consul on Kubernetes to manage the CRDs used for Gateway API.
Setting this to true will install the CRDs used for the Gateway API when Consul on Kubernetes is installed.
These CRDs can clash with existing Gateway API CRDs if they are already installed in your cluster.
If this setting is false, you will need to install the Gateway API CRDs manually.
- `managedGatewayClass` ((#v-connectinject-apigateway-managedgatewayclass)) - Configuration settings for the GatewayClass installed by Consul on Kubernetes.
- `nodeSelector` ((#v-connectinject-apigateway-managedgatewayclass-nodeselector)) (`string: null`) - This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
labels for gateway pod assignment, formatted as a multi-line string.
Example:
```yaml
nodeSelector: |
beta.kubernetes.io/arch: amd64
```
- `tolerations` ((#v-connectinject-apigateway-managedgatewayclass-tolerations)) (`string: null`) - Toleration settings for gateway pods created with the managed gateway class.
This should be a multi-line string matching the
[Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec.
- `serviceType` ((#v-connectinject-apigateway-managedgatewayclass-servicetype)) (`string: LoadBalancer`) - This value defines the type of Service created for gateways (e.g. LoadBalancer, ClusterIP)
- `copyAnnotations` ((#v-connectinject-apigateway-managedgatewayclass-copyannotations)) - Configuration settings for annotations to be copied from the Gateway to other child resources.
- `service` ((#v-connectinject-apigateway-managedgatewayclass-copyannotations-service)) (`string: null`) - This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string.
Example:
```yaml
service:
annotations: |
- external-dns.alpha.kubernetes.io/hostname
```
- `deployment` ((#v-connectinject-apigateway-managedgatewayclass-deployment)) - This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways
- `defaultInstances` ((#v-connectinject-apigateway-managedgatewayclass-deployment-defaultinstances)) (`integer: 1`)
- `maxInstances` ((#v-connectinject-apigateway-managedgatewayclass-deployment-maxinstances)) (`integer: 1`)
- `minInstances` ((#v-connectinject-apigateway-managedgatewayclass-deployment-mininstances)) (`integer: 1`)
- `serviceAccount` ((#v-connectinject-apigateway-serviceaccount)) - Configuration for the ServiceAccount created for the api-gateway component
- `annotations` ((#v-connectinject-apigateway-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the client service account. This should be formatted as a multi-line
string.
```yaml
annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
```
- `resources` ((#v-connectinject-apigateway-resources)) (`map`) - The resource settings for Pods handling traffic for Gateway API.
- `cni` ((#v-connectinject-cni)) - Configures consul-cni plugin for Consul Service mesh services - `cni` ((#v-connectinject-cni)) - Configures consul-cni plugin for Consul Service mesh services
- `enabled` ((#v-connectinject-cni-enabled)) (`boolean: false`) - If true, then all traffic redirection setup uses the consul-cni plugin. - `enabled` ((#v-connectinject-cni-enabled)) (`boolean: false`) - If true, then all traffic redirection setup uses the consul-cni plugin.
@ -1681,7 +1832,7 @@ Use these links to navigate to a particular top-level stanza.
persistent: true persistent: true
``` ```
- `metrics` ((#v-connectinject-metrics)) - Configures metrics for services in the Consul service mesh. All values are overridable - `metrics` ((#v-connectinject-metrics)) - Configures metrics for Consul Connect services. All values are overridable
via annotations on a per-pod basis. via annotations on a per-pod basis.
- `defaultEnabled` ((#v-connectinject-metrics-defaultenabled)) (`string: -`) - If true, the connect-injector will automatically - `defaultEnabled` ((#v-connectinject-metrics-defaultenabled)) (`string: -`) - If true, the connect-injector will automatically
@ -1690,14 +1841,14 @@ Use these links to navigate to a particular top-level stanza.
metrics will depend on whether metrics merging is enabled: metrics will depend on whether metrics merging is enabled:
- If metrics merging is enabled: - If metrics merging is enabled:
the consul-dataplane will run a merged metrics server the consul-dataplane will run a merged metrics server
combining Envoy sidecar and mesh service metrics, combining Envoy sidecar and Connect service metrics,
i.e. if your service exposes its own Prometheus metrics. i.e. if your service exposes its own Prometheus metrics.
- If metrics merging is disabled: - If metrics merging is disabled:
the listener will just expose Envoy sidecar metrics. the listener will just expose Envoy sidecar metrics.
This will inherit from `global.metrics.enabled`. This will inherit from `global.metrics.enabled`.
- `defaultEnableMerging` ((#v-connectinject-metrics-defaultenablemerging)) (`boolean: false`) - Configures the consul-dataplane to run a merged metrics server - `defaultEnableMerging` ((#v-connectinject-metrics-defaultenablemerging)) (`boolean: false`) - Configures the consul-dataplane to run a merged metrics server
to combine and serve both Envoy and mesh service metrics. to combine and serve both Envoy and Connect service metrics.
This feature is available only in Consul v1.10.0 or greater. This feature is available only in Consul v1.10.0 or greater.
- `defaultMergedMetricsPort` ((#v-connectinject-metrics-defaultmergedmetricsport)) (`integer: 20100`) - Configures the port at which the consul-dataplane will listen on to return - `defaultMergedMetricsPort` ((#v-connectinject-metrics-defaultmergedmetricsport)) (`integer: 20100`) - Configures the port at which the consul-dataplane will listen on to return
@ -1763,13 +1914,13 @@ Use these links to navigate to a particular top-level stanza.
- `requests` ((#v-connectinject-resources-requests)) - `requests` ((#v-connectinject-resources-requests))
- `memory` ((#v-connectinject-resources-requests-memory)) (`string: 50Mi`) - Recommended production default: 500Mi - `memory` ((#v-connectinject-resources-requests-memory)) (`string: 200Mi`) - Recommended production default: 500Mi
- `cpu` ((#v-connectinject-resources-requests-cpu)) (`string: 50m`) - Recommended production default: 250m - `cpu` ((#v-connectinject-resources-requests-cpu)) (`string: 50m`) - Recommended production default: 250m
- `limits` ((#v-connectinject-resources-limits)) - `limits` ((#v-connectinject-resources-limits))
- `memory` ((#v-connectinject-resources-limits-memory)) (`string: 50Mi`) - Recommended production default: 500Mi - `memory` ((#v-connectinject-resources-limits-memory)) (`string: 200Mi`) - Recommended production default: 500Mi
- `cpu` ((#v-connectinject-resources-limits-cpu)) (`string: 50m`) - Recommended production default: 250m - `cpu` ((#v-connectinject-resources-limits-cpu)) (`string: 50m`) - Recommended production default: 250m
@ -1798,13 +1949,13 @@ Use these links to navigate to a particular top-level stanza.
namespace-label: label-value namespace-label: label-value
``` ```
- `k8sAllowNamespaces` ((#v-connectinject-k8sallownamespaces)) (`array<string>: ["*"]`) - List of k8s namespaces to allow service mesh sidecar - `k8sAllowNamespaces` ((#v-connectinject-k8sallownamespaces)) (`array<string>: ["*"]`) - List of k8s namespaces to allow Connect sidecar
injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`,
pods in that k8s namespace will not be injected even if they are explicitly pods in that k8s namespace will not be injected even if they are explicitly
annotated. Use `["*"]` to automatically allow all k8s namespaces. annotated. Use `["*"]` to automatically allow all k8s namespaces.
For example, `["namespace1", "namespace2"]` will only allow pods in the k8s For example, `["namespace1", "namespace2"]` will only allow pods in the k8s
namespaces `namespace1` and `namespace2` to have service mesh sidecars injected namespaces `namespace1` and `namespace2` to have Connect sidecars injected
and registered with Consul. All other k8s namespaces will be ignored. and registered with Consul. All other k8s namespaces will be ignored.
To deny all namespaces, set this to `[]`. To deny all namespaces, set this to `[]`.
@ -1813,7 +1964,7 @@ Use these links to navigate to a particular top-level stanza.
`namespaceSelector` takes precedence over both since it is applied first. `namespaceSelector` takes precedence over both since it is applied first.
`kube-system` and `kube-public` are never injected, even if included here. `kube-system` and `kube-public` are never injected, even if included here.
- `k8sDenyNamespaces` ((#v-connectinject-k8sdenynamespaces)) (`array<string>: []`) - List of k8s namespaces that should not allow service mesh - `k8sDenyNamespaces` ((#v-connectinject-k8sdenynamespaces)) (`array<string>: []`) - List of k8s namespaces that should not allow Connect
sidecar injection. This list takes precedence over `k8sAllowNamespaces`. sidecar injection. This list takes precedence over `k8sAllowNamespaces`.
`*` is not supported because then nothing would be allowed to be injected. `*` is not supported because then nothing would be allowed to be injected.
@ -1869,8 +2020,8 @@ Use these links to navigate to a particular top-level stanza.
If set to an empty string all service accounts can log in. If set to an empty string all service accounts can log in.
This only has effect if ACLs are enabled. This only has effect if ACLs are enabled.
Refer to Auth methods [Binding rules](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods#binding-rules) Refer to Auth methods [Binding rules](/consul/docs/security/acl/auth-methods#binding-rules)
and [Trusted identiy attributes](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes#trusted-identity-attributes) and [Trusted identiy attributes](/consul/docs/security/acl/auth-methods/kubernetes#trusted-identity-attributes)
for more details. for more details.
Requires Consul >= v1.5. Requires Consul >= v1.5.
@ -1878,7 +2029,7 @@ Use these links to navigate to a particular top-level stanza.
auth method for Connect inject, set this to the name of your auth method. auth method for Connect inject, set this to the name of your auth method.
- `aclInjectToken` ((#v-connectinject-aclinjecttoken)) - Refers to a Kubernetes secret that you have created that contains - `aclInjectToken` ((#v-connectinject-aclinjecttoken)) - Refers to a Kubernetes secret that you have created that contains
an ACL token for your Consul cluster which allows the connect injector the correct an ACL token for your Consul cluster which allows the Connect injector the correct
permissions. This is only needed if Consul namespaces <EnterpriseAlert inline /> and ACLs permissions. This is only needed if Consul namespaces <EnterpriseAlert inline /> and ACLs
are enabled on the Consul cluster and you are not setting are enabled on the Consul cluster and you are not setting
`global.acls.manageSystemACLs` to `true`. `global.acls.manageSystemACLs` to `true`.
@ -1922,7 +2073,26 @@ Use these links to navigate to a particular top-level stanza.
- `cpu` ((#v-connectinject-sidecarproxy-resources-limits-cpu)) (`string: null`) - Recommended production default: 100m - `cpu` ((#v-connectinject-sidecarproxy-resources-limits-cpu)) (`string: null`) - Recommended production default: 100m
- `initContainer` ((#v-connectinject-initcontainer)) (`map`) - The resource settings for the connect injected init container. If null, the resources - `lifecycle` ((#v-connectinject-sidecarproxy-lifecycle)) (`map`) - Set default lifecycle management configuration for sidecar proxy.
These settings can be overridden on a per-pod basis via these annotations:
- `consul.hashicorp.com/enable-sidecar-proxy-lifecycle`
- `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners`
- `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds`
- `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port`
- `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path`
- `defaultEnabled` ((#v-connectinject-sidecarproxy-lifecycle-defaultenabled)) (`boolean: true`)
- `defaultEnableShutdownDrainListeners` ((#v-connectinject-sidecarproxy-lifecycle-defaultenableshutdowndrainlisteners)) (`boolean: true`)
- `defaultShutdownGracePeriodSeconds` ((#v-connectinject-sidecarproxy-lifecycle-defaultshutdowngraceperiodseconds)) (`integer: 30`)
- `defaultGracefulPort` ((#v-connectinject-sidecarproxy-lifecycle-defaultgracefulport)) (`integer: 20600`)
- `defaultGracefulShutdownPath` ((#v-connectinject-sidecarproxy-lifecycle-defaultgracefulshutdownpath)) (`string: /graceful_shutdown`)
- `initContainer` ((#v-connectinject-initcontainer)) (`map`) - The resource settings for the Connect injected init container. If null, the resources
won't be set for the initContainer. The defaults are optimized for developer instances of won't be set for the initContainer. The defaults are optimized for developer instances of
Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times. Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times.
@ -1942,11 +2112,11 @@ Use these links to navigate to a particular top-level stanza.
### meshGateway ((#h-meshgateway)) ### meshGateway ((#h-meshgateway))
- `meshGateway` ((#v-meshgateway)) - [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul service mesh to work across Consul datacenters. - `meshGateway` ((#v-meshgateway)) - [Mesh Gateways](/consul/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters.
- `enabled` ((#v-meshgateway-enabled)) (`boolean: false`) - If [mesh gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs - `enabled` ((#v-meshgateway-enabled)) (`boolean: false`) - If [mesh gateways](/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs
gateways and Consul service mesh will be configured to use gateways. gateways and Consul Connect will be configured to use gateways.
This setting is required for [cluster peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). This setting is required for [Cluster Peering](/consul/docs/connect/cluster-peering/k8s).
Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``. Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``.
- `replicas` ((#v-meshgateway-replicas)) (`integer: 1`) - Number of replicas for the Deployment. - `replicas` ((#v-meshgateway-replicas)) (`integer: 1`) - Number of replicas for the Deployment.
@ -2110,8 +2280,7 @@ Use these links to navigate to a particular top-level stanza.
for a specific gateway. for a specific gateway.
Requirements: consul >= 1.8.0 Requirements: consul >= 1.8.0
- `enabled` ((#v-ingressgateways-enabled)) (`boolean: false`) - Enable ingress gateway deployment. Requires `connectInject.enabled=true` - `enabled` ((#v-ingressgateways-enabled)) (`boolean: false`) - Enable ingress gateway deployment. Requires `connectInject.enabled=true`.
and `client.enabled=true`.
- `defaults` ((#v-ingressgateways-defaults)) - Defaults sets default values for all gateway fields. With the exception - `defaults` ((#v-ingressgateways-defaults)) - Defaults sets default values for all gateway fields. With the exception
of annotations, defining any of these values in the `gateways` list of annotations, defining any of these values in the `gateways` list
@ -2240,8 +2409,7 @@ Use these links to navigate to a particular top-level stanza.
for a specific gateway. for a specific gateway.
Requirements: consul >= 1.8.0 Requirements: consul >= 1.8.0
- `enabled` ((#v-terminatinggateways-enabled)) (`boolean: false`) - Enable terminating gateway deployment. Requires `connectInject.enabled=true` - `enabled` ((#v-terminatinggateways-enabled)) (`boolean: false`) - Enable terminating gateway deployment. Requires `connectInject.enabled=true`.
and `client.enabled=true`.
- `defaults` ((#v-terminatinggateways-defaults)) - Defaults sets default values for all gateway fields. With the exception - `defaults` ((#v-terminatinggateways-defaults)) - Defaults sets default values for all gateway fields. With the exception
of annotations, defining any of these values in the `gateways` list of annotations, defining any of these values in the `gateways` list
@ -2348,7 +2516,8 @@ Use these links to navigate to a particular top-level stanza.
### apiGateway ((#h-apigateway)) ### apiGateway ((#h-apigateway))
- `apiGateway` ((#v-apigateway)) - Configuration settings for the Consul API Gateway integration - `apiGateway` ((#v-apigateway)) - [DEPRECATED] Use connectInject.apiGateway instead. This stanza will be removed with the release of Consul 1.17
Configuration settings for the Consul API Gateway integration
- `enabled` ((#v-apigateway-enabled)) (`boolean: false`) - When true the helm chart will install the Consul API Gateway controller - `enabled` ((#v-apigateway-enabled)) (`boolean: false`) - When true the helm chart will install the Consul API Gateway controller