Update Consul on Kubernetes Helm Docs (#18054)
* Render Consul K8s Helm Docs --------- Co-authored-by: David Yu <dyu@hashicorp.com>
This commit is contained in:
parent
97a57b476f
commit
ef09f400b5
|
@ -20,27 +20,22 @@ with Consul.
|
||||||
|
|
||||||
Use these links to navigate to a particular top-level stanza.
|
Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
- [Helm Chart Reference](#helm-chart-reference)
|
- [`global`](#h-global)
|
||||||
- [Top-Level Stanzas](#top-level-stanzas)
|
- [`server`](#h-server)
|
||||||
- [All Values](#all-values)
|
- [`externalServers`](#h-externalservers)
|
||||||
- [`global`](#h-global)
|
- [`client`](#h-client)
|
||||||
- [`server`](#h-server)
|
- [`dns`](#h-dns)
|
||||||
- [`externalServers`](#h-externalservers)
|
- [`ui`](#h-ui)
|
||||||
- [`client`](#h-client)
|
- [`syncCatalog`](#h-synccatalog)
|
||||||
- [`dns`](#h-dns)
|
- [`connectInject`](#h-connectinject)
|
||||||
- [`ui`](#h-ui)
|
- [`meshGateway`](#h-meshgateway)
|
||||||
- [`syncCatalog`](#h-synccatalog)
|
- [`ingressGateways`](#h-ingressgateways)
|
||||||
- [`connectInject`](#h-connectinject)
|
- [`terminatingGateways`](#h-terminatinggateways)
|
||||||
- [`meshGateway`](#h-meshgateway)
|
- [`apiGateway`](#h-apigateway)
|
||||||
- [`ingressGateways`](#h-ingressgateways)
|
- [`webhookCertManager`](#h-webhookcertmanager)
|
||||||
- [`terminatingGateways`](#h-terminatinggateways)
|
- [`prometheus`](#h-prometheus)
|
||||||
- [`apiGateway`](#h-apigateway)
|
- [`tests`](#h-tests)
|
||||||
- [`webhookCertManager`](#h-webhookcertmanager)
|
- [`telemetryCollector`](#h-telemetrycollector)
|
||||||
- [`prometheus`](#h-prometheus)
|
|
||||||
- [`tests`](#h-tests)
|
|
||||||
- [`telemetryCollector`](#h-telemetrycollector)
|
|
||||||
- [Helm Chart Examples](#helm-chart-examples)
|
|
||||||
- [Customizing the Helm Chart](#customizing-the-helm-chart)
|
|
||||||
|
|
||||||
## All Values
|
## All Values
|
||||||
|
|
||||||
|
@ -64,7 +59,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
the prefix will be `<helm release name>-consul`.
|
the prefix will be `<helm release name>-consul`.
|
||||||
|
|
||||||
- `domain` ((#v-global-domain)) (`string: consul`) - The domain Consul will answer DNS queries for
|
- `domain` ((#v-global-domain)) (`string: consul`) - The domain Consul will answer DNS queries for
|
||||||
(Refer to [`-domain`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from
|
(Refer to [`-domain`](/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from
|
||||||
Consul into Kubernetes will have, e.g. `service-name.service.consul`.
|
Consul into Kubernetes will have, e.g. `service-name.service.consul`.
|
||||||
|
|
||||||
- `peering` ((#v-global-peering)) - Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+.
|
- `peering` ((#v-global-peering)) - Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+.
|
||||||
|
@ -125,7 +120,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
- `secretsBackend` ((#v-global-secretsbackend)) - secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation.
|
- `secretsBackend` ((#v-global-secretsbackend)) - secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation.
|
||||||
The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled
|
The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled
|
||||||
and have necessary secrets, policies and roles created prior to installing Consul.
|
and have necessary secrets, policies and roles created prior to installing Consul.
|
||||||
Refer to [Vault as the Secrets Backend](https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/vault)
|
Refer to [Vault as the Secrets Backend](/consul/docs/k8s/deployment-configurations/vault)
|
||||||
documentation for full instructions.
|
documentation for full instructions.
|
||||||
|
|
||||||
The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend
|
The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend
|
||||||
|
@ -212,11 +207,11 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
- `secretKey` ((#v-global-secretsbackend-vault-ca-secretkey)) (`string: ""`) - The key within the Kubernetes or Vault secret that holds the Vault CA certificate.
|
- `secretKey` ((#v-global-secretsbackend-vault-ca-secretkey)) (`string: ""`) - The key within the Kubernetes or Vault secret that holds the Vault CA certificate.
|
||||||
|
|
||||||
- `connectCA` ((#v-global-secretsbackend-vault-connectca)) - Configuration for the Vault service mesh CA provider.
|
- `connectCA` ((#v-global-secretsbackend-vault-connectca)) - Configuration for the Vault Connect CA provider.
|
||||||
The provider will be configured to use the Vault Kubernetes auth method
|
The provider will be configured to use the Vault Kubernetes auth method
|
||||||
and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole`
|
and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole`
|
||||||
to have permissions to the root and intermediate PKI paths.
|
to have permissions to the root and intermediate PKI paths.
|
||||||
Please refer to [Vault ACL policies](https://developer.hashicorp.com/consul/docs/connect/ca/vault#vault-acl-policies)
|
Please refer to [Vault ACL policies](/consul/docs/connect/ca/vault#vault-acl-policies)
|
||||||
documentation for information on how to configure the Vault policies.
|
documentation for information on how to configure the Vault policies.
|
||||||
|
|
||||||
- `address` ((#v-global-secretsbackend-vault-connectca-address)) (`string: ""`) - The address of the Vault server.
|
- `address` ((#v-global-secretsbackend-vault-connectca-address)) (`string: ""`) - The address of the Vault server.
|
||||||
|
@ -224,13 +219,13 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
- `authMethodPath` ((#v-global-secretsbackend-vault-connectca-authmethodpath)) (`string: kubernetes`) - The mount path of the Kubernetes auth method in Vault.
|
- `authMethodPath` ((#v-global-secretsbackend-vault-connectca-authmethodpath)) (`string: kubernetes`) - The mount path of the Kubernetes auth method in Vault.
|
||||||
|
|
||||||
- `rootPKIPath` ((#v-global-secretsbackend-vault-connectca-rootpkipath)) (`string: ""`) - The path to a PKI secrets engine for the root certificate.
|
- `rootPKIPath` ((#v-global-secretsbackend-vault-connectca-rootpkipath)) (`string: ""`) - The path to a PKI secrets engine for the root certificate.
|
||||||
For more details, please refer to [Vault service mesh CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath).
|
For more details, please refer to [Vault Connect CA configuration](/consul/docs/connect/ca/vault#rootpkipath).
|
||||||
|
|
||||||
- `intermediatePKIPath` ((#v-global-secretsbackend-vault-connectca-intermediatepkipath)) (`string: ""`) - The path to a PKI secrets engine for the generated intermediate certificate.
|
- `intermediatePKIPath` ((#v-global-secretsbackend-vault-connectca-intermediatepkipath)) (`string: ""`) - The path to a PKI secrets engine for the generated intermediate certificate.
|
||||||
For more details, please refer to [Vault service mesh CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath).
|
For more details, please refer to [Vault Connect CA configuration](/consul/docs/connect/ca/vault#intermediatepkipath).
|
||||||
|
|
||||||
- `additionalConfig` ((#v-global-secretsbackend-vault-connectca-additionalconfig)) (`string: {}`) - Additional service mesh CA configuration in JSON format.
|
- `additionalConfig` ((#v-global-secretsbackend-vault-connectca-additionalconfig)) (`string: {}`) - Additional Connect CA configuration in JSON format.
|
||||||
Please refer to [Vault service mesh CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration)
|
Please refer to [Vault Connect CA configuration](/consul/docs/connect/ca/vault#configuration)
|
||||||
for all configuration options available for that provider.
|
for all configuration options available for that provider.
|
||||||
|
|
||||||
Example:
|
Example:
|
||||||
|
@ -251,20 +246,20 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
- `caCert` ((#v-global-secretsbackend-vault-connectinject-cacert)) - Configuration to the Vault Secret that Kubernetes uses on
|
- `caCert` ((#v-global-secretsbackend-vault-connectinject-cacert)) - Configuration to the Vault Secret that Kubernetes uses on
|
||||||
Kubernetes pod creation, deletion, and update, to get CA certificates
|
Kubernetes pod creation, deletion, and update, to get CA certificates
|
||||||
used issued from vault to send webhooks to the connect inject.
|
used issued from vault to send webhooks to the ConnectInject.
|
||||||
|
|
||||||
- `secretName` ((#v-global-secretsbackend-vault-connectinject-cacert-secretname)) (`string: null`) - The Vault secret path that contains the CA certificate for
|
- `secretName` ((#v-global-secretsbackend-vault-connectinject-cacert-secretname)) (`string: null`) - The Vault secret path that contains the CA certificate for
|
||||||
connect inject webhooks.
|
Connect Inject webhooks.
|
||||||
|
|
||||||
- `tlsCert` ((#v-global-secretsbackend-vault-connectinject-tlscert)) - Configuration to the Vault Secret that Kubernetes uses on
|
- `tlsCert` ((#v-global-secretsbackend-vault-connectinject-tlscert)) - Configuration to the Vault Secret that Kubernetes uses on
|
||||||
Kubernetes pod creation, deletion, and update, to get TLS certificates
|
Kubernetes pod creation, deletion, and update, to get TLS certificates
|
||||||
used issued from vault to send webhooks to the connect inject.
|
used issued from vault to send webhooks to the ConnectInject.
|
||||||
|
|
||||||
- `secretName` ((#v-global-secretsbackend-vault-connectinject-tlscert-secretname)) (`string: null`) - The Vault secret path that issues TLS certificates for connect
|
- `secretName` ((#v-global-secretsbackend-vault-connectinject-tlscert-secretname)) (`string: null`) - The Vault secret path that issues TLS certificates for connect
|
||||||
inject webhooks.
|
inject webhooks.
|
||||||
|
|
||||||
- `gossipEncryption` ((#v-global-gossipencryption)) - Configures Consul's gossip encryption key.
|
- `gossipEncryption` ((#v-global-gossipencryption)) - Configures Consul's gossip encryption key.
|
||||||
(Refer to [`-encrypt`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_encrypt)).
|
(Refer to [`-encrypt`](/consul/docs/agent/config/cli-flags#_encrypt)).
|
||||||
By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually.
|
By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually.
|
||||||
The recommended method is to automatically generate the key.
|
The recommended method is to automatically generate the key.
|
||||||
To automatically generate and set a gossip encryption key, set autoGenerate to true.
|
To automatically generate and set a gossip encryption key, set autoGenerate to true.
|
||||||
|
@ -295,17 +290,17 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
- `recursors` ((#v-global-recursors)) (`array<string>: []`) - A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries.
|
- `recursors` ((#v-global-recursors)) (`array<string>: []`) - A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries.
|
||||||
These values are given as `-recursor` flags to Consul servers and clients.
|
These values are given as `-recursor` flags to Consul servers and clients.
|
||||||
Refer to [`-recursor`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_recursor) for more details.
|
Refer to [`-recursor`](/consul/docs/agent/config/cli-flags#_recursor) for more details.
|
||||||
If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`).
|
If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`).
|
||||||
|
|
||||||
- `tls` ((#v-global-tls)) - Enables [TLS](https://developer.hashicorp.com/consul/tutorials/security/tls-encryption-secure)
|
- `tls` ((#v-global-tls)) - Enables [TLS](/consul/tutorials/security/tls-encryption-secure)
|
||||||
across the cluster to verify authenticity of the Consul servers and clients.
|
across the cluster to verify authenticity of the Consul servers and clients.
|
||||||
Requires Consul v1.4.1+.
|
Requires Consul v1.4.1+.
|
||||||
|
|
||||||
- `enabled` ((#v-global-tls-enabled)) (`boolean: false`) - If true, the Helm chart will enable TLS for Consul
|
- `enabled` ((#v-global-tls-enabled)) (`boolean: false`) - If true, the Helm chart will enable TLS for Consul
|
||||||
servers and clients and all consul-k8s-control-plane components, as well as generate certificate
|
servers and clients and all consul-k8s-control-plane components, as well as generate certificate
|
||||||
authority (optional) and server and client certificates.
|
authority (optional) and server and client certificates.
|
||||||
This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s).
|
This setting is required for [Cluster Peering](/consul/docs/connect/cluster-peering/k8s).
|
||||||
|
|
||||||
- `enableAutoEncrypt` ((#v-global-tls-enableautoencrypt)) (`boolean: false`) - If true, turns on the auto-encrypt feature on clients and servers.
|
- `enableAutoEncrypt` ((#v-global-tls-enableautoencrypt)) (`boolean: false`) - If true, turns on the auto-encrypt feature on clients and servers.
|
||||||
It also switches consul-k8s-control-plane components to retrieve the CA from the servers
|
It also switches consul-k8s-control-plane components to retrieve the CA from the servers
|
||||||
|
@ -322,7 +317,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
- `verify` ((#v-global-tls-verify)) (`boolean: true`) - If true, `verify_outgoing`, `verify_server_hostname`,
|
- `verify` ((#v-global-tls-verify)) (`boolean: true`) - If true, `verify_outgoing`, `verify_server_hostname`,
|
||||||
and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients.
|
and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients.
|
||||||
Set this to false to incrementally roll out TLS on an existing Consul cluster.
|
Set this to false to incrementally roll out TLS on an existing Consul cluster.
|
||||||
Please refer to [TLS on existing clusters](https://developer.hashicorp.com/consul/docs/k8s/operations/tls-on-existing-cluster)
|
Please refer to [TLS on existing clusters](/consul/docs/k8s/operations/tls-on-existing-cluster)
|
||||||
for more details.
|
for more details.
|
||||||
|
|
||||||
- `httpsOnly` ((#v-global-tls-httpsonly)) (`boolean: true`) - If true, the Helm chart will configure Consul to disable the HTTP port on
|
- `httpsOnly` ((#v-global-tls-httpsonly)) (`boolean: true`) - If true, the Helm chart will configure Consul to disable the HTTP port on
|
||||||
|
@ -410,6 +405,23 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
- `secretKey` ((#v-global-acls-replicationtoken-secretkey)) (`string: null`) - The key within the Kubernetes or Vault secret that holds the replication token.
|
- `secretKey` ((#v-global-acls-replicationtoken-secretkey)) (`string: null`) - The key within the Kubernetes or Vault secret that holds the replication token.
|
||||||
|
|
||||||
|
- `resources` ((#v-global-acls-resources)) (`map`) - The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods.
|
||||||
|
This should be a YAML map corresponding to a Kubernetes
|
||||||
|
[`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core)
|
||||||
|
object.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
memory: '200Mi'
|
||||||
|
cpu: '100m'
|
||||||
|
limits:
|
||||||
|
memory: '200Mi'
|
||||||
|
cpu: '100m'
|
||||||
|
```
|
||||||
|
|
||||||
- `partitionToken` ((#v-global-acls-partitiontoken)) - partitionToken references a Vault secret containing the ACL token to be used in non-default partitions.
|
- `partitionToken` ((#v-global-acls-partitiontoken)) - partitionToken references a Vault secret containing the ACL token to be used in non-default partitions.
|
||||||
This value should only be provided in the default partition and only when setting
|
This value should only be provided in the default partition and only when setting
|
||||||
the `global.secretsBackend.vault.enabled` value to true.
|
the `global.secretsBackend.vault.enabled` value to true.
|
||||||
|
@ -475,7 +487,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
This address must be reachable from the Consul servers in the primary datacenter.
|
This address must be reachable from the Consul servers in the primary datacenter.
|
||||||
This auth method will be used to provision ACL tokens for Consul components and is different
|
This auth method will be used to provision ACL tokens for Consul components and is different
|
||||||
from the one used by the Consul Service Mesh.
|
from the one used by the Consul Service Mesh.
|
||||||
Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes).
|
Please refer to the [Kubernetes Auth Method documentation](/consul/docs/security/acl/auth-methods/kubernetes).
|
||||||
|
|
||||||
You can retrieve this value from your `kubeconfig` by running:
|
You can retrieve this value from your `kubeconfig` by running:
|
||||||
|
|
||||||
|
@ -602,7 +614,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
Consul server agents.
|
Consul server agents.
|
||||||
|
|
||||||
- `replicas` ((#v-server-replicas)) (`integer: 1`) - The number of server agents to run. This determines the fault tolerance of
|
- `replicas` ((#v-server-replicas)) (`integer: 1`) - The number of server agents to run. This determines the fault tolerance of
|
||||||
the cluster. Please refer to the [deployment table](https://developer.hashicorp.com/consul/docs/architecture/consensus#deployment-table)
|
the cluster. Please refer to the [deployment table](/consul/docs/architecture/consensus#deployment-table)
|
||||||
for more information.
|
for more information.
|
||||||
|
|
||||||
- `bootstrapExpect` ((#v-server-bootstrapexpect)) (`int: null`) - The number of servers that are expected to be running.
|
- `bootstrapExpect` ((#v-server-bootstrapexpect)) (`int: null`) - The number of servers that are expected to be running.
|
||||||
|
@ -641,7 +653,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
Vault Secrets backend:
|
Vault Secrets backend:
|
||||||
If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]`
|
If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]`
|
||||||
capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`.
|
capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`.
|
||||||
Complete [this tutorial](https://developer.hashicorp.com/consul/tutorials/vault-secure/vault-pki-consul-secure-tls)
|
Complete [this tutorial](/consul/tutorials/vault-secure/vault-pki-consul-secure-tls)
|
||||||
to learn how to generate a compatible certificate.
|
to learn how to generate a compatible certificate.
|
||||||
Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine
|
Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine
|
||||||
must be provided.
|
must be provided.
|
||||||
|
@ -681,18 +693,18 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
storage classes, the PersistentVolumeClaims would need to be manually created.
|
storage classes, the PersistentVolumeClaims would need to be manually created.
|
||||||
A `null` value will use the Kubernetes cluster's default StorageClass. If a default
|
A `null` value will use the Kubernetes cluster's default StorageClass. If a default
|
||||||
StorageClass does not exist, you will need to create one.
|
StorageClass does not exist, you will need to create one.
|
||||||
Refer to the [Read/Write Tuning](https://developer.hashicorp.com/consul/docs/install/performance#read-write-tuning)
|
Refer to the [Read/Write Tuning](/consul/docs/install/performance#read-write-tuning)
|
||||||
section of the Server Performance Requirements documentation for considerations
|
section of the Server Performance Requirements documentation for considerations
|
||||||
around choosing a performant storage class.
|
around choosing a performant storage class.
|
||||||
|
|
||||||
~> **Note:** The [Reference Architecture](https://developer.hashicorp.com/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers)
|
~> **Note:** The [Reference Architecture](/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers)
|
||||||
contains best practices and recommendations for selecting suitable
|
contains best practices and recommendations for selecting suitable
|
||||||
hardware sizes for your Consul servers.
|
hardware sizes for your Consul servers.
|
||||||
|
|
||||||
- `connect` ((#v-server-connect)) (`boolean: true`) - This will enable/disable [service mesh](https://developer.hashicorp.com/consul/docs/connect). Setting this to true
|
- `connect` ((#v-server-connect)) (`boolean: true`) - This will enable/disable [Connect](/consul/docs/connect). Setting this to true
|
||||||
_will not_ automatically secure pod communication, this
|
_will not_ automatically secure pod communication, this
|
||||||
setting will only enable usage of the feature. Consul will automatically initialize
|
setting will only enable usage of the feature. Consul will automatically initialize
|
||||||
a new CA and set of certificates. Additional service mesh settings can be configured
|
a new CA and set of certificates. Additional Connect settings can be configured
|
||||||
by setting the `server.extraConfig` value.
|
by setting the `server.extraConfig` value.
|
||||||
|
|
||||||
- `serviceAccount` ((#v-server-serviceaccount))
|
- `serviceAccount` ((#v-server-serviceaccount))
|
||||||
|
@ -716,10 +728,10 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
```yaml
|
```yaml
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
memory: '100Mi'
|
memory: '200Mi'
|
||||||
cpu: '100m'
|
cpu: '100m'
|
||||||
limits:
|
limits:
|
||||||
memory: '100Mi'
|
memory: '200Mi'
|
||||||
cpu: '100m'
|
cpu: '100m'
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -741,7 +753,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
control a rolling update of Consul server agents. This value specifies the
|
control a rolling update of Consul server agents. This value specifies the
|
||||||
[partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions)
|
[partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions)
|
||||||
for performing a rolling update. Please read the linked Kubernetes
|
for performing a rolling update. Please read the linked Kubernetes
|
||||||
and [Upgrade Consul](https://developer.hashicorp.com/consul/docs/k8s/upgrade#upgrading-consul-servers)
|
and [Upgrade Consul](/consul/docs/k8s/upgrade#upgrading-consul-servers)
|
||||||
documentation for more information.
|
documentation for more information.
|
||||||
|
|
||||||
- `disruptionBudget` ((#v-server-disruptionbudget)) - This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/)
|
- `disruptionBudget` ((#v-server-disruptionbudget)) - This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/)
|
||||||
|
@ -757,7 +769,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
--set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation
|
--set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation
|
||||||
command because of a limitation in the Helm templating language.
|
command because of a limitation in the Helm templating language.
|
||||||
|
|
||||||
- `extraConfig` ((#v-server-extraconfig)) (`string: {}`) - A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul
|
- `extraConfig` ((#v-server-extraconfig)) (`string: {}`) - A raw string of extra [JSON configuration](/consul/docs/agent/config/config-files) for Consul
|
||||||
servers. This will be saved as-is into a ConfigMap that is read by the Consul
|
servers. This will be saved as-is into a ConfigMap that is read by the Consul
|
||||||
server agents. This can be used to add additional configuration that
|
server agents. This can be used to add additional configuration that
|
||||||
isn't directly exposed by the chart.
|
isn't directly exposed by the chart.
|
||||||
|
@ -934,18 +946,18 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
it could be used to configure custom consul parameters.
|
it could be used to configure custom consul parameters.
|
||||||
|
|
||||||
- `snapshotAgent` ((#v-server-snapshotagent)) - <EnterpriseAlert inline /> Values for setting up and running
|
- `snapshotAgent` ((#v-server-snapshotagent)) - <EnterpriseAlert inline /> Values for setting up and running
|
||||||
[snapshot agents](https://developer.hashicorp.com/consul/commands/snapshot/agent)
|
[snapshot agents](/consul/commands/snapshot/agent)
|
||||||
within the Consul clusters. They run as a sidecar with Consul servers.
|
within the Consul clusters. They run as a sidecar with Consul servers.
|
||||||
|
|
||||||
- `enabled` ((#v-server-snapshotagent-enabled)) (`boolean: false`) - If true, the chart will install resources necessary to run the snapshot agent.
|
- `enabled` ((#v-server-snapshotagent-enabled)) (`boolean: false`) - If true, the chart will install resources necessary to run the snapshot agent.
|
||||||
|
|
||||||
- `interval` ((#v-server-snapshotagent-interval)) (`string: 1h`) - Interval at which to perform snapshots.
|
- `interval` ((#v-server-snapshotagent-interval)) (`string: 1h`) - Interval at which to perform snapshots.
|
||||||
Refer to [`interval`](https://developer.hashicorp.com/consul/commands/snapshot/agent#interval)
|
Refer to [`interval`](/consul/commands/snapshot/agent#interval)
|
||||||
|
|
||||||
- `configSecret` ((#v-server-snapshotagent-configsecret)) - A Kubernetes or Vault secret that should be manually created to contain the entire
|
- `configSecret` ((#v-server-snapshotagent-configsecret)) - A Kubernetes or Vault secret that should be manually created to contain the entire
|
||||||
config to be used on the snapshot agent.
|
config to be used on the snapshot agent.
|
||||||
This is the preferred method of configuration since there are usually storage
|
This is the preferred method of configuration since there are usually storage
|
||||||
credentials present. Please refer to the [Snapshot agent config](https://developer.hashicorp.com/consul/commands/snapshot/agent#config-file-options)
|
credentials present. Please refer to the [Snapshot agent config](/consul/commands/snapshot/agent#config-file-options)
|
||||||
for details.
|
for details.
|
||||||
|
|
||||||
- `secretName` ((#v-server-snapshotagent-configsecret-secretname)) (`string: null`) - The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config.
|
- `secretName` ((#v-server-snapshotagent-configsecret-secretname)) (`string: null`) - The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config.
|
||||||
|
@ -966,6 +978,87 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
...
|
...
|
||||||
```
|
```
|
||||||
|
|
||||||
|
- `limits` ((#v-server-limits)) - Settings for potentially limiting timeouts, rate limiting on clients as well
|
||||||
|
as servers, and other settings to limit exposure too many requests, requests
|
||||||
|
waiting for too long, and other runtime considerations.
|
||||||
|
|
||||||
|
- `requestLimits` ((#v-server-limits-requestlimits)) - This object specifies configurations that limit the rate of RPC and gRPC
|
||||||
|
requests on the Consul server. Limiting the rate of gRPC and RPC requests
|
||||||
|
also limits HTTP requests to the Consul server.
|
||||||
|
/consul/docs/agent/config/config-files#request_limits
|
||||||
|
|
||||||
|
- `mode` ((#v-server-limits-requestlimits-mode)) (`string: disabled`) - Setting for disabling or enabling rate limiting. If not disabled, it
|
||||||
|
enforces the action that will occur when RequestLimitsReadRate
|
||||||
|
or RequestLimitsWriteRate is exceeded. The default value of "disabled" will
|
||||||
|
prevent any rate limiting from occuring. A value of "enforce" will block
|
||||||
|
the request from processings by returning an error. A value of
|
||||||
|
"permissive" will not block the request and will allow the request to
|
||||||
|
continue processing.
|
||||||
|
|
||||||
|
- `readRate` ((#v-server-limits-requestlimits-readrate)) (`integer: -1`) - Setting that controls how frequently RPC, gRPC, and HTTP
|
||||||
|
queries are allowed to happen. In any large enough time interval, rate
|
||||||
|
limiter limits the rate to RequestLimitsReadRate tokens per second.
|
||||||
|
|
||||||
|
See https://en.wikipedia.org/wiki/Token_bucket for more about token
|
||||||
|
buckets.
|
||||||
|
|
||||||
|
- `writeRate` ((#v-server-limits-requestlimits-writerate)) (`integer: -1`) - Setting that controls how frequently RPC, gRPC, and HTTP
|
||||||
|
writes are allowed to happen. In any large enough time interval, rate
|
||||||
|
limiter limits the rate to RequestLimitsWriteRate tokens per second.
|
||||||
|
|
||||||
|
See https://en.wikipedia.org/wiki/Token_bucket for more about token
|
||||||
|
buckets.
|
||||||
|
|
||||||
|
- `auditLogs` ((#v-server-auditlogs)) - <EnterpriseAlert inline /> Added in Consul 1.8, the audit object allow users to enable auditing
|
||||||
|
and configure a sink and filters for their audit logs. Please refer to
|
||||||
|
[audit logs](/consul/docs/enterprise/audit-logging) documentation
|
||||||
|
for further information.
|
||||||
|
|
||||||
|
- `enabled` ((#v-server-auditlogs-enabled)) (`boolean: false`) - Controls whether Consul logs out each time a user performs an operation.
|
||||||
|
global.acls.manageSystemACLs must be enabled to use this feature.
|
||||||
|
|
||||||
|
- `sinks` ((#v-server-auditlogs-sinks)) (`array<map>`) - A single entry of the sink object provides configuration for the destination to which Consul
|
||||||
|
will log auditing events.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
sinks:
|
||||||
|
- name: My Sink
|
||||||
|
type: file
|
||||||
|
format: json
|
||||||
|
path: /tmp/audit.json
|
||||||
|
delivery_guarantee: best-effort
|
||||||
|
rotate_duration: 24h
|
||||||
|
rotate_max_files: 15
|
||||||
|
rotate_bytes: 25165824
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
The sink object supports the following keys:
|
||||||
|
|
||||||
|
- `name` - Name of the sink.
|
||||||
|
|
||||||
|
- `type` - Type specifies what kind of sink this is. Currently only file sinks are available
|
||||||
|
|
||||||
|
- `format` - Format specifies what format the events will be emitted with. Currently only `json`
|
||||||
|
events are emitted.
|
||||||
|
|
||||||
|
- `path` - The directory and filename to write audit events to.
|
||||||
|
|
||||||
|
- `delivery_guarantee` - Specifies the rules governing how audit events are written. Consul
|
||||||
|
only supports `best-effort` event delivery.
|
||||||
|
|
||||||
|
- `mode` - The permissions to set on the audit log files.
|
||||||
|
|
||||||
|
- `rotate_duration` - Specifies the interval by which the system rotates to a new log file.
|
||||||
|
At least one of `rotate_duration` or `rotate_bytes` must be configured to enable audit logging.
|
||||||
|
|
||||||
|
- `rotate_bytes` - Specifies how large an individual log file can grow before Consul rotates to a new file.
|
||||||
|
At least one of rotate_bytes or rotate_duration must be configured to enable audit logging.
|
||||||
|
|
||||||
|
- `rotate_max_files` - Defines the limit that Consul should follow before it deletes old log files.
|
||||||
|
|
||||||
### externalServers ((#h-externalservers))
|
### externalServers ((#h-externalservers))
|
||||||
|
|
||||||
- `externalServers` ((#v-externalservers)) - Configuration for Consul servers when the servers are running outside of Kubernetes.
|
- `externalServers` ((#v-externalservers)) - Configuration for Consul servers when the servers are running outside of Kubernetes.
|
||||||
|
@ -1003,7 +1096,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
- `k8sAuthMethodHost` ((#v-externalservers-k8sauthmethodhost)) (`string: null`) - If you are setting `global.acls.manageSystemACLs` and
|
- `k8sAuthMethodHost` ((#v-externalservers-k8sauthmethodhost)) (`string: null`) - If you are setting `global.acls.manageSystemACLs` and
|
||||||
`connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server.
|
`connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server.
|
||||||
This address must be reachable from the Consul servers.
|
This address must be reachable from the Consul servers.
|
||||||
Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes).
|
Please refer to the [Kubernetes Auth Method documentation](/consul/docs/security/acl/auth-methods/kubernetes).
|
||||||
|
|
||||||
You could retrieve this value from your `kubeconfig` by running:
|
You could retrieve this value from your `kubeconfig` by running:
|
||||||
|
|
||||||
|
@ -1026,7 +1119,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
- `image` ((#v-client-image)) (`string: null`) - The name of the Docker image (including any tag) for the containers
|
- `image` ((#v-client-image)) (`string: null`) - The name of the Docker image (including any tag) for the containers
|
||||||
running Consul client agents.
|
running Consul client agents.
|
||||||
|
|
||||||
- `join` ((#v-client-join)) (`array<string>: null`) - A list of valid [`-retry-join` values](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_retry_join).
|
- `join` ((#v-client-join)) (`array<string>: null`) - A list of valid [`-retry-join` values](/consul/docs/agent/config/cli-flags#_retry_join).
|
||||||
If this is `null` (default), then the clients will attempt to automatically
|
If this is `null` (default), then the clients will attempt to automatically
|
||||||
join the server cluster running within Kubernetes.
|
join the server cluster running within Kubernetes.
|
||||||
This means that with `server.enabled` set to true, clients will automatically
|
This means that with `server.enabled` set to true, clients will automatically
|
||||||
|
@ -1044,10 +1137,10 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
- `grpc` ((#v-client-grpc)) (`boolean: true`) - If true, agents will enable their GRPC listener on
|
- `grpc` ((#v-client-grpc)) (`boolean: true`) - If true, agents will enable their GRPC listener on
|
||||||
port 8502 and expose it to the host. This will use slightly more resources, but is
|
port 8502 and expose it to the host. This will use slightly more resources, but is
|
||||||
required for service mesh.
|
required for Connect.
|
||||||
|
|
||||||
- `nodeMeta` ((#v-client-nodemeta)) - nodeMeta specifies an arbitrary metadata key/value pair to associate with the node
|
- `nodeMeta` ((#v-client-nodemeta)) - nodeMeta specifies an arbitrary metadata key/value pair to associate with the node
|
||||||
(refer to [`-node-meta`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_node_meta))
|
(refer to [`-node-meta`](/consul/docs/agent/config/cli-flags#_node_meta))
|
||||||
|
|
||||||
- `pod-name` ((#v-client-nodemeta-pod-name)) (`string: ${HOSTNAME}`)
|
- `pod-name` ((#v-client-nodemeta-pod-name)) (`string: ${HOSTNAME}`)
|
||||||
|
|
||||||
|
@ -1091,7 +1184,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
- `tlsInit` ((#v-client-containersecuritycontext-tlsinit)) (`map`) - The tls-init initContainer
|
- `tlsInit` ((#v-client-containersecuritycontext-tlsinit)) (`map`) - The tls-init initContainer
|
||||||
|
|
||||||
- `extraConfig` ((#v-client-extraconfig)) (`string: {}`) - A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul
|
- `extraConfig` ((#v-client-extraconfig)) (`string: {}`) - A raw string of extra [JSON configuration](/consul/docs/agent/config/config-files) for Consul
|
||||||
clients. This will be saved as-is into a ConfigMap that is read by the Consul
|
clients. This will be saved as-is into a ConfigMap that is read by the Consul
|
||||||
client agents. This can be used to add additional configuration that
|
client agents. This can be used to add additional configuration that
|
||||||
isn't directly exposed by the chart.
|
isn't directly exposed by the chart.
|
||||||
|
@ -1245,7 +1338,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
- `enabled` ((#v-dns-enabled)) (`boolean: -`)
|
- `enabled` ((#v-dns-enabled)) (`boolean: -`)
|
||||||
|
|
||||||
- `enableRedirection` ((#v-dns-enableredirection)) (`boolean: -`) - If true, services using Consul service mesh will use Consul DNS
|
- `enableRedirection` ((#v-dns-enableredirection)) (`boolean: -`) - If true, services using Consul Connect will use Consul DNS
|
||||||
for default DNS resolution. The DNS lookups fall back to the nameserver IPs
|
for default DNS resolution. The DNS lookups fall back to the nameserver IPs
|
||||||
listed in /etc/resolv.conf if not found in Consul.
|
listed in /etc/resolv.conf if not found in Consul.
|
||||||
|
|
||||||
|
@ -1357,16 +1450,16 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
will inherit from `global.metrics.enabled` value.
|
will inherit from `global.metrics.enabled` value.
|
||||||
|
|
||||||
- `provider` ((#v-ui-metrics-provider)) (`string: prometheus`) - Provider for metrics. Refer to
|
- `provider` ((#v-ui-metrics-provider)) (`string: prometheus`) - Provider for metrics. Refer to
|
||||||
[`metrics_provider`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_metrics_provider)
|
[`metrics_provider`](/consul/docs/agent/config/config-files#ui_config_metrics_provider)
|
||||||
This value is only used if `ui.enabled` is set to true.
|
This value is only used if `ui.enabled` is set to true.
|
||||||
|
|
||||||
- `baseURL` ((#v-ui-metrics-baseurl)) (`string: http://prometheus-server`) - baseURL is the URL of the prometheus server, usually the service URL.
|
- `baseURL` ((#v-ui-metrics-baseurl)) (`string: http://prometheus-server`) - baseURL is the URL of the prometheus server, usually the service URL.
|
||||||
This value is only used if `ui.enabled` is set to true.
|
This value is only used if `ui.enabled` is set to true.
|
||||||
|
|
||||||
- `dashboardURLTemplates` ((#v-ui-dashboardurltemplates)) - Corresponds to [`dashboard_url_templates`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates)
|
- `dashboardURLTemplates` ((#v-ui-dashboardurltemplates)) - Corresponds to [`dashboard_url_templates`](/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates)
|
||||||
configuration.
|
configuration.
|
||||||
|
|
||||||
- `service` ((#v-ui-dashboardurltemplates-service)) (`string: ""`) - Sets [`dashboardURLTemplates.service`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates_service).
|
- `service` ((#v-ui-dashboardurltemplates-service)) (`string: ""`) - Sets [`dashboardURLTemplates.service`](/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates_service).
|
||||||
|
|
||||||
### syncCatalog ((#h-synccatalog))
|
### syncCatalog ((#h-synccatalog))
|
||||||
|
|
||||||
|
@ -1386,7 +1479,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
to run the sync program.
|
to run the sync program.
|
||||||
|
|
||||||
- `default` ((#v-synccatalog-default)) (`boolean: true`) - If true, all valid services in K8S are
|
- `default` ((#v-synccatalog-default)) (`boolean: true`) - If true, all valid services in K8S are
|
||||||
synced by default. If false, the service must be [annotated](https://developer.hashicorp.com/consul/docs/k8s/service-sync#enable-and-disable-sync)
|
synced by default. If false, the service must be [annotated](/consul/docs/k8s/service-sync#enable-and-disable-sync)
|
||||||
properly to sync.
|
properly to sync.
|
||||||
In either case an annotation can override the default.
|
In either case an annotation can override the default.
|
||||||
|
|
||||||
|
@ -1568,9 +1661,9 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
### connectInject ((#h-connectinject))
|
### connectInject ((#h-connectinject))
|
||||||
|
|
||||||
- `connectInject` ((#v-connectinject)) - Configures the automatic service mesh sidecar injector.
|
- `connectInject` ((#v-connectinject)) - Configures the automatic Connect sidecar injector.
|
||||||
|
|
||||||
- `enabled` ((#v-connectinject-enabled)) (`boolean: true`) - True if you want to enable service mesh sidecar injection. Set to "-" to inherit from
|
- `enabled` ((#v-connectinject-enabled)) (`boolean: true`) - True if you want to enable connect injection. Set to "-" to inherit from
|
||||||
global.enabled.
|
global.enabled.
|
||||||
|
|
||||||
- `replicas` ((#v-connectinject-replicas)) (`integer: 1`) - The number of deployment replicas.
|
- `replicas` ((#v-connectinject-replicas)) (`integer: 1`) - The number of deployment replicas.
|
||||||
|
@ -1579,14 +1672,14 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
- `default` ((#v-connectinject-default)) (`boolean: false`) - If true, the injector will inject the
|
- `default` ((#v-connectinject-default)) (`boolean: false`) - If true, the injector will inject the
|
||||||
Connect sidecar into all pods by default. Otherwise, pods must specify the
|
Connect sidecar into all pods by default. Otherwise, pods must specify the
|
||||||
[injection annotation](https://developer.hashicorp.com/consul/docs/k8s/connect#consul-hashicorp-com-connect-inject)
|
[injection annotation](/consul/docs/k8s/connect#consul-hashicorp-com-connect-inject)
|
||||||
to opt-in to service mesh sidecar injection. If this is true, pods can use the same annotation
|
to opt-in to Connect injection. If this is true, pods can use the same annotation
|
||||||
to explicitly opt-out of injection.
|
to explicitly opt-out of injection.
|
||||||
|
|
||||||
- `transparentProxy` ((#v-connectinject-transparentproxy)) - Configures Transparent Proxy for Consul Service mesh services.
|
- `transparentProxy` ((#v-connectinject-transparentproxy)) - Configures Transparent Proxy for Consul Service mesh services.
|
||||||
Using this feature requires Consul 1.10.0-beta1+.
|
Using this feature requires Consul 1.10.0-beta1+.
|
||||||
|
|
||||||
- `defaultEnabled` ((#v-connectinject-transparentproxy-defaultenabled)) (`boolean: true`) - If true, then all Consul service mesh will run with transparent proxy enabled by default,
|
- `defaultEnabled` ((#v-connectinject-transparentproxy-defaultenabled)) (`boolean: true`) - If true, then all Consul Service mesh will run with transparent proxy enabled by default,
|
||||||
i.e. we enforce that all traffic within the pod will go through the proxy.
|
i.e. we enforce that all traffic within the pod will go through the proxy.
|
||||||
This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation.
|
This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation.
|
||||||
|
|
||||||
|
@ -1613,6 +1706,64 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
- `minAvailable` ((#v-connectinject-disruptionbudget-minavailable)) (`integer: null`) - The minimum number of available pods.
|
- `minAvailable` ((#v-connectinject-disruptionbudget-minavailable)) (`integer: null`) - The minimum number of available pods.
|
||||||
Takes precedence over maxUnavailable if set.
|
Takes precedence over maxUnavailable if set.
|
||||||
|
|
||||||
|
- `apiGateway` ((#v-connectinject-apigateway)) - Configuration settings for the Consul API Gateway integration.
|
||||||
|
|
||||||
|
- `manageExternalCRDs` ((#v-connectinject-apigateway-manageexternalcrds)) (`boolean: true`) - Enables Consul on Kubernetes to manage the CRDs used for Gateway API.
|
||||||
|
Setting this to true will install the CRDs used for the Gateway API when Consul on Kubernetes is installed.
|
||||||
|
These CRDs can clash with existing Gateway API CRDs if they are already installed in your cluster.
|
||||||
|
If this setting is false, you will need to install the Gateway API CRDs manually.
|
||||||
|
|
||||||
|
- `managedGatewayClass` ((#v-connectinject-apigateway-managedgatewayclass)) - Configuration settings for the GatewayClass installed by Consul on Kubernetes.
|
||||||
|
|
||||||
|
- `nodeSelector` ((#v-connectinject-apigateway-managedgatewayclass-nodeselector)) (`string: null`) - This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
|
||||||
|
labels for gateway pod assignment, formatted as a multi-line string.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
nodeSelector: |
|
||||||
|
beta.kubernetes.io/arch: amd64
|
||||||
|
```
|
||||||
|
|
||||||
|
- `tolerations` ((#v-connectinject-apigateway-managedgatewayclass-tolerations)) (`string: null`) - Toleration settings for gateway pods created with the managed gateway class.
|
||||||
|
This should be a multi-line string matching the
|
||||||
|
[Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec.
|
||||||
|
|
||||||
|
- `serviceType` ((#v-connectinject-apigateway-managedgatewayclass-servicetype)) (`string: LoadBalancer`) - This value defines the type of Service created for gateways (e.g. LoadBalancer, ClusterIP)
|
||||||
|
|
||||||
|
- `copyAnnotations` ((#v-connectinject-apigateway-managedgatewayclass-copyannotations)) - Configuration settings for annotations to be copied from the Gateway to other child resources.
|
||||||
|
|
||||||
|
- `service` ((#v-connectinject-apigateway-managedgatewayclass-copyannotations-service)) (`string: null`) - This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
service:
|
||||||
|
annotations: |
|
||||||
|
- external-dns.alpha.kubernetes.io/hostname
|
||||||
|
```
|
||||||
|
|
||||||
|
- `deployment` ((#v-connectinject-apigateway-managedgatewayclass-deployment)) - This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways
|
||||||
|
|
||||||
|
- `defaultInstances` ((#v-connectinject-apigateway-managedgatewayclass-deployment-defaultinstances)) (`integer: 1`)
|
||||||
|
|
||||||
|
- `maxInstances` ((#v-connectinject-apigateway-managedgatewayclass-deployment-maxinstances)) (`integer: 1`)
|
||||||
|
|
||||||
|
- `minInstances` ((#v-connectinject-apigateway-managedgatewayclass-deployment-mininstances)) (`integer: 1`)
|
||||||
|
|
||||||
|
- `serviceAccount` ((#v-connectinject-apigateway-serviceaccount)) - Configuration for the ServiceAccount created for the api-gateway component
|
||||||
|
|
||||||
|
- `annotations` ((#v-connectinject-apigateway-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the client service account. This should be formatted as a multi-line
|
||||||
|
string.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
annotations: |
|
||||||
|
"sample/annotation1": "foo"
|
||||||
|
"sample/annotation2": "bar"
|
||||||
|
```
|
||||||
|
|
||||||
|
- `resources` ((#v-connectinject-apigateway-resources)) (`map`) - The resource settings for Pods handling traffic for Gateway API.
|
||||||
|
|
||||||
- `cni` ((#v-connectinject-cni)) - Configures consul-cni plugin for Consul Service mesh services
|
- `cni` ((#v-connectinject-cni)) - Configures consul-cni plugin for Consul Service mesh services
|
||||||
|
|
||||||
- `enabled` ((#v-connectinject-cni-enabled)) (`boolean: false`) - If true, then all traffic redirection setup uses the consul-cni plugin.
|
- `enabled` ((#v-connectinject-cni-enabled)) (`boolean: false`) - If true, then all traffic redirection setup uses the consul-cni plugin.
|
||||||
|
@ -1681,7 +1832,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
persistent: true
|
persistent: true
|
||||||
```
|
```
|
||||||
|
|
||||||
- `metrics` ((#v-connectinject-metrics)) - Configures metrics for services in the Consul service mesh. All values are overridable
|
- `metrics` ((#v-connectinject-metrics)) - Configures metrics for Consul Connect services. All values are overridable
|
||||||
via annotations on a per-pod basis.
|
via annotations on a per-pod basis.
|
||||||
|
|
||||||
- `defaultEnabled` ((#v-connectinject-metrics-defaultenabled)) (`string: -`) - If true, the connect-injector will automatically
|
- `defaultEnabled` ((#v-connectinject-metrics-defaultenabled)) (`string: -`) - If true, the connect-injector will automatically
|
||||||
|
@ -1690,14 +1841,14 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
metrics will depend on whether metrics merging is enabled:
|
metrics will depend on whether metrics merging is enabled:
|
||||||
- If metrics merging is enabled:
|
- If metrics merging is enabled:
|
||||||
the consul-dataplane will run a merged metrics server
|
the consul-dataplane will run a merged metrics server
|
||||||
combining Envoy sidecar and mesh service metrics,
|
combining Envoy sidecar and Connect service metrics,
|
||||||
i.e. if your service exposes its own Prometheus metrics.
|
i.e. if your service exposes its own Prometheus metrics.
|
||||||
- If metrics merging is disabled:
|
- If metrics merging is disabled:
|
||||||
the listener will just expose Envoy sidecar metrics.
|
the listener will just expose Envoy sidecar metrics.
|
||||||
This will inherit from `global.metrics.enabled`.
|
This will inherit from `global.metrics.enabled`.
|
||||||
|
|
||||||
- `defaultEnableMerging` ((#v-connectinject-metrics-defaultenablemerging)) (`boolean: false`) - Configures the consul-dataplane to run a merged metrics server
|
- `defaultEnableMerging` ((#v-connectinject-metrics-defaultenablemerging)) (`boolean: false`) - Configures the consul-dataplane to run a merged metrics server
|
||||||
to combine and serve both Envoy and mesh service metrics.
|
to combine and serve both Envoy and Connect service metrics.
|
||||||
This feature is available only in Consul v1.10.0 or greater.
|
This feature is available only in Consul v1.10.0 or greater.
|
||||||
|
|
||||||
- `defaultMergedMetricsPort` ((#v-connectinject-metrics-defaultmergedmetricsport)) (`integer: 20100`) - Configures the port at which the consul-dataplane will listen on to return
|
- `defaultMergedMetricsPort` ((#v-connectinject-metrics-defaultmergedmetricsport)) (`integer: 20100`) - Configures the port at which the consul-dataplane will listen on to return
|
||||||
|
@ -1763,13 +1914,13 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
- `requests` ((#v-connectinject-resources-requests))
|
- `requests` ((#v-connectinject-resources-requests))
|
||||||
|
|
||||||
- `memory` ((#v-connectinject-resources-requests-memory)) (`string: 50Mi`) - Recommended production default: 500Mi
|
- `memory` ((#v-connectinject-resources-requests-memory)) (`string: 200Mi`) - Recommended production default: 500Mi
|
||||||
|
|
||||||
- `cpu` ((#v-connectinject-resources-requests-cpu)) (`string: 50m`) - Recommended production default: 250m
|
- `cpu` ((#v-connectinject-resources-requests-cpu)) (`string: 50m`) - Recommended production default: 250m
|
||||||
|
|
||||||
- `limits` ((#v-connectinject-resources-limits))
|
- `limits` ((#v-connectinject-resources-limits))
|
||||||
|
|
||||||
- `memory` ((#v-connectinject-resources-limits-memory)) (`string: 50Mi`) - Recommended production default: 500Mi
|
- `memory` ((#v-connectinject-resources-limits-memory)) (`string: 200Mi`) - Recommended production default: 500Mi
|
||||||
|
|
||||||
- `cpu` ((#v-connectinject-resources-limits-cpu)) (`string: 50m`) - Recommended production default: 250m
|
- `cpu` ((#v-connectinject-resources-limits-cpu)) (`string: 50m`) - Recommended production default: 250m
|
||||||
|
|
||||||
|
@ -1798,13 +1949,13 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
namespace-label: label-value
|
namespace-label: label-value
|
||||||
```
|
```
|
||||||
|
|
||||||
- `k8sAllowNamespaces` ((#v-connectinject-k8sallownamespaces)) (`array<string>: ["*"]`) - List of k8s namespaces to allow service mesh sidecar
|
- `k8sAllowNamespaces` ((#v-connectinject-k8sallownamespaces)) (`array<string>: ["*"]`) - List of k8s namespaces to allow Connect sidecar
|
||||||
injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`,
|
injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`,
|
||||||
pods in that k8s namespace will not be injected even if they are explicitly
|
pods in that k8s namespace will not be injected even if they are explicitly
|
||||||
annotated. Use `["*"]` to automatically allow all k8s namespaces.
|
annotated. Use `["*"]` to automatically allow all k8s namespaces.
|
||||||
|
|
||||||
For example, `["namespace1", "namespace2"]` will only allow pods in the k8s
|
For example, `["namespace1", "namespace2"]` will only allow pods in the k8s
|
||||||
namespaces `namespace1` and `namespace2` to have service mesh sidecars injected
|
namespaces `namespace1` and `namespace2` to have Connect sidecars injected
|
||||||
and registered with Consul. All other k8s namespaces will be ignored.
|
and registered with Consul. All other k8s namespaces will be ignored.
|
||||||
|
|
||||||
To deny all namespaces, set this to `[]`.
|
To deny all namespaces, set this to `[]`.
|
||||||
|
@ -1813,7 +1964,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
`namespaceSelector` takes precedence over both since it is applied first.
|
`namespaceSelector` takes precedence over both since it is applied first.
|
||||||
`kube-system` and `kube-public` are never injected, even if included here.
|
`kube-system` and `kube-public` are never injected, even if included here.
|
||||||
|
|
||||||
- `k8sDenyNamespaces` ((#v-connectinject-k8sdenynamespaces)) (`array<string>: []`) - List of k8s namespaces that should not allow service mesh
|
- `k8sDenyNamespaces` ((#v-connectinject-k8sdenynamespaces)) (`array<string>: []`) - List of k8s namespaces that should not allow Connect
|
||||||
sidecar injection. This list takes precedence over `k8sAllowNamespaces`.
|
sidecar injection. This list takes precedence over `k8sAllowNamespaces`.
|
||||||
`*` is not supported because then nothing would be allowed to be injected.
|
`*` is not supported because then nothing would be allowed to be injected.
|
||||||
|
|
||||||
|
@ -1869,8 +2020,8 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
If set to an empty string all service accounts can log in.
|
If set to an empty string all service accounts can log in.
|
||||||
This only has effect if ACLs are enabled.
|
This only has effect if ACLs are enabled.
|
||||||
|
|
||||||
Refer to Auth methods [Binding rules](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods#binding-rules)
|
Refer to Auth methods [Binding rules](/consul/docs/security/acl/auth-methods#binding-rules)
|
||||||
and [Trusted identiy attributes](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes#trusted-identity-attributes)
|
and [Trusted identiy attributes](/consul/docs/security/acl/auth-methods/kubernetes#trusted-identity-attributes)
|
||||||
for more details.
|
for more details.
|
||||||
Requires Consul >= v1.5.
|
Requires Consul >= v1.5.
|
||||||
|
|
||||||
|
@ -1878,7 +2029,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
auth method for Connect inject, set this to the name of your auth method.
|
auth method for Connect inject, set this to the name of your auth method.
|
||||||
|
|
||||||
- `aclInjectToken` ((#v-connectinject-aclinjecttoken)) - Refers to a Kubernetes secret that you have created that contains
|
- `aclInjectToken` ((#v-connectinject-aclinjecttoken)) - Refers to a Kubernetes secret that you have created that contains
|
||||||
an ACL token for your Consul cluster which allows the connect injector the correct
|
an ACL token for your Consul cluster which allows the Connect injector the correct
|
||||||
permissions. This is only needed if Consul namespaces <EnterpriseAlert inline /> and ACLs
|
permissions. This is only needed if Consul namespaces <EnterpriseAlert inline /> and ACLs
|
||||||
are enabled on the Consul cluster and you are not setting
|
are enabled on the Consul cluster and you are not setting
|
||||||
`global.acls.manageSystemACLs` to `true`.
|
`global.acls.manageSystemACLs` to `true`.
|
||||||
|
@ -1922,7 +2073,26 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
- `cpu` ((#v-connectinject-sidecarproxy-resources-limits-cpu)) (`string: null`) - Recommended production default: 100m
|
- `cpu` ((#v-connectinject-sidecarproxy-resources-limits-cpu)) (`string: null`) - Recommended production default: 100m
|
||||||
|
|
||||||
- `initContainer` ((#v-connectinject-initcontainer)) (`map`) - The resource settings for the connect injected init container. If null, the resources
|
- `lifecycle` ((#v-connectinject-sidecarproxy-lifecycle)) (`map`) - Set default lifecycle management configuration for sidecar proxy.
|
||||||
|
These settings can be overridden on a per-pod basis via these annotations:
|
||||||
|
|
||||||
|
- `consul.hashicorp.com/enable-sidecar-proxy-lifecycle`
|
||||||
|
- `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners`
|
||||||
|
- `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds`
|
||||||
|
- `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port`
|
||||||
|
- `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path`
|
||||||
|
|
||||||
|
- `defaultEnabled` ((#v-connectinject-sidecarproxy-lifecycle-defaultenabled)) (`boolean: true`)
|
||||||
|
|
||||||
|
- `defaultEnableShutdownDrainListeners` ((#v-connectinject-sidecarproxy-lifecycle-defaultenableshutdowndrainlisteners)) (`boolean: true`)
|
||||||
|
|
||||||
|
- `defaultShutdownGracePeriodSeconds` ((#v-connectinject-sidecarproxy-lifecycle-defaultshutdowngraceperiodseconds)) (`integer: 30`)
|
||||||
|
|
||||||
|
- `defaultGracefulPort` ((#v-connectinject-sidecarproxy-lifecycle-defaultgracefulport)) (`integer: 20600`)
|
||||||
|
|
||||||
|
- `defaultGracefulShutdownPath` ((#v-connectinject-sidecarproxy-lifecycle-defaultgracefulshutdownpath)) (`string: /graceful_shutdown`)
|
||||||
|
|
||||||
|
- `initContainer` ((#v-connectinject-initcontainer)) (`map`) - The resource settings for the Connect injected init container. If null, the resources
|
||||||
won't be set for the initContainer. The defaults are optimized for developer instances of
|
won't be set for the initContainer. The defaults are optimized for developer instances of
|
||||||
Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times.
|
Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times.
|
||||||
|
|
||||||
|
@ -1942,11 +2112,11 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
### meshGateway ((#h-meshgateway))
|
### meshGateway ((#h-meshgateway))
|
||||||
|
|
||||||
- `meshGateway` ((#v-meshgateway)) - [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul service mesh to work across Consul datacenters.
|
- `meshGateway` ((#v-meshgateway)) - [Mesh Gateways](/consul/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters.
|
||||||
|
|
||||||
- `enabled` ((#v-meshgateway-enabled)) (`boolean: false`) - If [mesh gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs
|
- `enabled` ((#v-meshgateway-enabled)) (`boolean: false`) - If [mesh gateways](/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs
|
||||||
gateways and Consul service mesh will be configured to use gateways.
|
gateways and Consul Connect will be configured to use gateways.
|
||||||
This setting is required for [cluster peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s).
|
This setting is required for [Cluster Peering](/consul/docs/connect/cluster-peering/k8s).
|
||||||
Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``.
|
Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``.
|
||||||
|
|
||||||
- `replicas` ((#v-meshgateway-replicas)) (`integer: 1`) - Number of replicas for the Deployment.
|
- `replicas` ((#v-meshgateway-replicas)) (`integer: 1`) - Number of replicas for the Deployment.
|
||||||
|
@ -2110,8 +2280,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
for a specific gateway.
|
for a specific gateway.
|
||||||
Requirements: consul >= 1.8.0
|
Requirements: consul >= 1.8.0
|
||||||
|
|
||||||
- `enabled` ((#v-ingressgateways-enabled)) (`boolean: false`) - Enable ingress gateway deployment. Requires `connectInject.enabled=true`
|
- `enabled` ((#v-ingressgateways-enabled)) (`boolean: false`) - Enable ingress gateway deployment. Requires `connectInject.enabled=true`.
|
||||||
and `client.enabled=true`.
|
|
||||||
|
|
||||||
- `defaults` ((#v-ingressgateways-defaults)) - Defaults sets default values for all gateway fields. With the exception
|
- `defaults` ((#v-ingressgateways-defaults)) - Defaults sets default values for all gateway fields. With the exception
|
||||||
of annotations, defining any of these values in the `gateways` list
|
of annotations, defining any of these values in the `gateways` list
|
||||||
|
@ -2240,8 +2409,7 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
for a specific gateway.
|
for a specific gateway.
|
||||||
Requirements: consul >= 1.8.0
|
Requirements: consul >= 1.8.0
|
||||||
|
|
||||||
- `enabled` ((#v-terminatinggateways-enabled)) (`boolean: false`) - Enable terminating gateway deployment. Requires `connectInject.enabled=true`
|
- `enabled` ((#v-terminatinggateways-enabled)) (`boolean: false`) - Enable terminating gateway deployment. Requires `connectInject.enabled=true`.
|
||||||
and `client.enabled=true`.
|
|
||||||
|
|
||||||
- `defaults` ((#v-terminatinggateways-defaults)) - Defaults sets default values for all gateway fields. With the exception
|
- `defaults` ((#v-terminatinggateways-defaults)) - Defaults sets default values for all gateway fields. With the exception
|
||||||
of annotations, defining any of these values in the `gateways` list
|
of annotations, defining any of these values in the `gateways` list
|
||||||
|
@ -2348,7 +2516,8 @@ Use these links to navigate to a particular top-level stanza.
|
||||||
|
|
||||||
### apiGateway ((#h-apigateway))
|
### apiGateway ((#h-apigateway))
|
||||||
|
|
||||||
- `apiGateway` ((#v-apigateway)) - Configuration settings for the Consul API Gateway integration
|
- `apiGateway` ((#v-apigateway)) - [DEPRECATED] Use connectInject.apiGateway instead. This stanza will be removed with the release of Consul 1.17
|
||||||
|
Configuration settings for the Consul API Gateway integration
|
||||||
|
|
||||||
- `enabled` ((#v-apigateway-enabled)) (`boolean: false`) - When true the helm chart will install the Consul API Gateway controller
|
- `enabled` ((#v-apigateway-enabled)) (`boolean: false`) - When true the helm chart will install the Consul API Gateway controller
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue