From 0ae80c4f2d4183ded983437ee42056849e882d43 Mon Sep 17 00:00:00 2001 From: Ashwin Venkatesh Date: Tue, 22 Jun 2021 19:41:53 -0400 Subject: [PATCH] update docs (#10405) Consul 1.10 GA for Consul K8s --- website/content/docs/k8s/helm.mdx | 128 ++++++++++++++++++++++++++++-- 1 file changed, 122 insertions(+), 6 deletions(-) diff --git a/website/content/docs/k8s/helm.mdx b/website/content/docs/k8s/helm.mdx index 07b16fc3b6..c872465898 100644 --- a/website/content/docs/k8s/helm.mdx +++ b/website/content/docs/k8s/helm.mdx @@ -96,6 +96,11 @@ and consider if they're appropriate for your deployment. - `secretKey` ((#v-global-gossipencryption-secretkey)) (`string: ""`) - secretKey is the key within the Kubernetes secret that holds the gossip encryption key. + - `recursors` ((#v-global-recursors)) (`array: []`) - A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. + These values are given as `-recursor` flags to Consul servers and clients. + See https://www.consul.io/docs/agent/options#_recursor for more details. + If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). + - `tls` ((#v-global-tls)) - Enables TLS (https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure) across the cluster to verify authenticity of the Consul servers and clients. Requires Consul v1.4.1+ and consul-k8s v0.16.2+ @@ -282,6 +287,8 @@ and consider if they're appropriate for your deployment. - `secretKey` ((#v-server-enterpriselicense-secretkey)) (`string: null`) - The key within the Kubernetes secret that holds the enterprise license. + - `enableLicenseAutoload` ((#v-server-enterpriselicense-enablelicenseautoload)) (`boolean: true`) - Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+. + - `exposeGossipAndRPCPorts` ((#v-server-exposegossipandrpcports)) (`boolean: false`) - Exposes the servers' gossip and RPC ports as hostPorts. To enable a client agent outside of the k8s cluster to join the datacenter, you would need to enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and @@ -322,6 +329,17 @@ and consider if they're appropriate for your deployment. a new CA and set of certificates. Additional Connect settings can be configured by setting the `server.extraConfig` value. + - `serviceAccount` ((#v-server-serviceaccount)) + + - `annotations` ((#v-server-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the server service account. This should be formatted as a multi-line + string. + + ```yaml + annotations: | + "sample/annotation1": "foo" + "sample/annotation2": "bar" + ``` + - `resources` ((#v-server-resources)) (`map`) - The resource requests (CPU, memory, etc.) for each of the server agents. This should be a YAML map corresponding to a Kubernetes ResourceRequirements (https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) @@ -577,6 +595,17 @@ and consider if they're appropriate for your deployment. and the Consul servers are outside of the k8s cluster. This also changes the clients' advertised IP to the `hostIP` rather than `podIP`. + - `serviceAccount` ((#v-client-serviceaccount)) + + - `annotations` ((#v-client-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the client service account. This should be formatted as a multi-line + string. + + ```yaml + annotations: | + "sample/annotation1": "foo" + "sample/annotation2": "bar" + ``` + - `resources` ((#v-client-resources)) (`map`) - Resource settings for Client agents. NOTE: The use of a YAML string is deprecated. Instead, set directly as a YAML map. @@ -738,6 +767,17 @@ and consider if they're appropriate for your deployment. - `secretKey` ((#v-client-snapshotagent-configsecret-secretkey)) (`string: null`) - The key of the Kubernetes secret. + - `serviceAccount` ((#v-client-snapshotagent-serviceaccount)) + + - `annotations` ((#v-client-snapshotagent-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the snapshot agent service account. This should be formatted as a + multi-line string. + + ```yaml + annotations: | + "sample/annotation1": "foo" + "sample/annotation2": "bar" + ``` + - `resources` ((#v-client-snapshotagent-resources)) (`map`) - Resource settings for snapshot agent pods. - `caCert` ((#v-client-snapshotagent-cacert)) (`string: null`) - Optional PEM-encoded CA certificate that will be added to the trusted system CAs. @@ -793,6 +833,14 @@ and consider if they're appropriate for your deployment. - `type` ((#v-ui-service-type)) (`string: null`) - The service type to register. + - `nodePort` ((#v-ui-service-nodeport)) - Optionally set the nodePort value of the ui service if using a NodePort service. + If not set and using a NodePort service, Kubernetes will automatically assign + a port. + + - `http` ((#v-ui-service-nodeport-http)) (`integer: null`) - HTTP node port + + - `https` ((#v-ui-service-nodeport-https)) (`integer: null`) - HTTPS node port + - `annotations` ((#v-ui-service-annotations)) (`string: null`) - Annotations to apply to the UI service. Example: @@ -1001,6 +1049,17 @@ and consider if they're appropriate for your deployment. This should be a multi-line string matching the Toleration array in a PodSpec. + - `serviceAccount` ((#v-synccatalog-serviceaccount)) + + - `annotations` ((#v-synccatalog-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + multi-line string. + + ```yaml + annotations: | + "sample/annotation1": "foo" + "sample/annotation2": "bar" + ``` + - `resources` ((#v-synccatalog-resources)) (`map`) - Resource settings for sync catalog pods. - `logLevel` ((#v-synccatalog-loglevel)) (`string: info`) - Log verbosity level. One of "trace", "debug", "info", "warn", or "error". @@ -1037,6 +1096,13 @@ and consider if they're appropriate for your deployment. i.e. we enforce that all traffic within the pod will go through the proxy. This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation. + - `defaultOverwriteProbes` ((#v-connectinject-transparentproxy-defaultoverwriteprobes)) (`boolean: true`) - If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead. + This setting is recommended because with traffic being enforced to go through the Envoy proxy, + the probes on the pod will fail because kube-proxy doesn't have the right certificates + to talk to Envoy. + This value is also overridable via the "consul.hashicorp.com/transparent-proxy-overwrite-probes" annotation. + Note: This value has no effect if transparent proxy is disabled on the pod. + - `metrics` ((#v-connectinject-metrics)) - Configures metrics for Consul Connect services. All values are overridable via annotations on a per-pod basis. @@ -1085,6 +1151,17 @@ and consider if they're appropriate for your deployment. - `logLevel` ((#v-connectinject-loglevel)) (`string: info`) - Log verbosity level. One of "debug", "info", "warn", or "error". + - `serviceAccount` ((#v-connectinject-serviceaccount)) + + - `annotations` ((#v-connectinject-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the injector service account. This should be formatted as a + multi-line string. + + ```yaml + annotations: | + "sample/annotation1": "foo" + "sample/annotation2": "bar" + ``` + - `resources` ((#v-connectinject-resources)) (`map`) - Resource settings for connect inject pods. - `namespaceSelector` ((#v-connectinject-namespaceselector)) (`string: null`) - Selector for restricting the webhook to only @@ -1226,6 +1303,17 @@ and consider if they're appropriate for your deployment. - `logLevel` ((#v-controller-loglevel)) (`string: info`) - Log verbosity level. One of "debug", "info", "warn", or "error". + - `serviceAccount` ((#v-controller-serviceaccount)) + + - `annotations` ((#v-controller-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the controller service account. This should be formatted as a + multi-line string. + + ```yaml + annotations: | + "sample/annotation1": "foo" + "sample/annotation2": "bar" + ``` + - `resources` ((#v-controller-resources)) (`map`) - Resource settings for controller pods. - `nodeSelector` ((#v-controller-nodeselector)) (`string: null`) - Optional YAML string to specify a nodeSelector config. @@ -1311,7 +1399,7 @@ and consider if they're appropriate for your deployment. - `port` ((#v-meshgateway-service-port)) (`integer: 443`) - Port that the service will be exposed on. The targetPort will be set to meshGateway.containerPort. - - `nodePort` ((#v-meshgateway-service-nodeport)) (`integer: null`) - Optionally hardcode the nodePort of the service if using a NodePort service. + - `nodePort` ((#v-meshgateway-service-nodeport)) (`integer: null`) - Optionally set the nodePort value of the service if using a NodePort service. If not set and using a NodePort service, Kubernetes will automatically assign a port. @@ -1345,6 +1433,17 @@ and consider if they're appropriate for your deployment. NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul agent. + - `serviceAccount` ((#v-meshgateway-serviceaccount)) + + - `annotations` ((#v-meshgateway-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + multi-line string. + + ```yaml + annotations: | + "sample/annotation1": "foo" + "sample/annotation2": "bar" + ``` + - `resources` ((#v-meshgateway-resources)) (`map`) - Resource settings for mesh gateway pods. NOTE: The use of a YAML string is deprecated. Instead, set directly as a YAML map. @@ -1415,6 +1514,17 @@ and consider if they're appropriate for your deployment. - `additionalSpec` ((#v-ingressgateways-defaults-service-additionalspec)) (`string: null`) - Optional YAML string that will be appended to the Service spec. + - `serviceAccount` ((#v-ingressgateways-defaults-serviceaccount)) + + - `annotations` ((#v-ingressgateways-defaults-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the ingress gateways' service account. This should be formatted + as a multi-line string. + + ```yaml + annotations: | + "sample/annotation1": "foo" + "sample/annotation2": "bar" + ``` + - `resources` ((#v-ingressgateways-defaults-resources)) (`map`) - Resource limits for all ingress gateway pods - `initCopyConsulContainer` ((#v-ingressgateways-defaults-initcopyconsulcontainer)) (`map`) - Resource settings for the `copy-consul-bin` init container. @@ -1510,6 +1620,17 @@ and consider if they're appropriate for your deployment. 'annotation-key': annotation-value ``` + - `serviceAccount` ((#v-terminatinggateways-defaults-serviceaccount)) + + - `annotations` ((#v-terminatinggateways-defaults-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the terminating gateways' service account. This should be + formatted as a multi-line string. + + ```yaml + annotations: | + "sample/annotation1": "foo" + "sample/annotation2": "bar" + ``` + - `consulNamespace` ((#v-terminatinggateways-defaults-consulnamespace)) (`string: default`) - `consulNamespace` defines the Consul namespace to register the gateway into. Requires `global.enableConsulNamespaces` to be true and Consul Enterprise v1.7+ with a valid Consul Enterprise license. @@ -1527,11 +1648,6 @@ and consider if they're appropriate for your deployment. - `enabled` ((#v-prometheus-enabled)) (`boolean: false`) - When true, the Helm chart will install a demo Prometheus server instance alongside Consul. -- `grafana` ((#v-grafana)) - Configures a demo Grafana installation. - - - `enabled` ((#v-grafana-enabled)) (`boolean: false`) - When true, the Helm chart will install a demo Grafana instance - alongside Consul. - - `tests` ((#v-tests)) - Control whether a test Pod manifest is generated when running helm template. When using helm install, the test Pod is not submitted to the cluster so this is only useful when running helm template.