diff --git a/.changelog/18080.txt b/.changelog/18080.txt
new file mode 100644
index 0000000000..9826b249eb
--- /dev/null
+++ b/.changelog/18080.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+Fix some typos in metrics docs
+```
\ No newline at end of file
diff --git a/.github/workflows/reusable-unit-split.yml b/.github/workflows/reusable-unit-split.yml
index e2da192096..7750627f42 100644
--- a/.github/workflows/reusable-unit-split.yml
+++ b/.github/workflows/reusable-unit-split.yml
@@ -46,7 +46,7 @@ on:
required: true
env:
TEST_RESULTS: /tmp/test-results
- GOTESTSUM_VERSION: 1.8.2
+ GOTESTSUM_VERSION: "1.10.1"
GOARCH: ${{inputs.go-arch}}
TOTAL_RUNNERS: ${{inputs.runner-count}}
CONSUL_LICENSE: ${{secrets.consul-license}}
diff --git a/.github/workflows/reusable-unit.yml b/.github/workflows/reusable-unit.yml
index 3f7ffa2774..c066cad3f4 100644
--- a/.github/workflows/reusable-unit.yml
+++ b/.github/workflows/reusable-unit.yml
@@ -42,7 +42,7 @@ on:
required: true
env:
TEST_RESULTS: /tmp/test-results
- GOTESTSUM_VERSION: 1.8.2
+ GOTESTSUM_VERSION: "1.10.1"
GOARCH: ${{inputs.go-arch}}
CONSUL_LICENSE: ${{secrets.consul-license}}
GOTAGS: ${{ inputs.go-tags}}
diff --git a/.github/workflows/test-integrations.yml b/.github/workflows/test-integrations.yml
index 641533012d..263a2e41e4 100644
--- a/.github/workflows/test-integrations.yml
+++ b/.github/workflows/test-integrations.yml
@@ -19,7 +19,7 @@ env:
TEST_RESULTS_ARTIFACT_NAME: test-results
CONSUL_LICENSE: ${{ secrets.CONSUL_LICENSE }}
GOTAGS: ${{ endsWith(github.repository, '-enterprise') && 'consulent' || '' }}
- GOTESTSUM_VERSION: "1.9.0"
+ GOTESTSUM_VERSION: "1.10.1"
CONSUL_BINARY_UPLOAD_NAME: consul-bin
# strip the hashicorp/ off the front of github.repository for consul
CONSUL_LATEST_IMAGE_NAME: ${{ endsWith(github.repository, '-enterprise') && github.repository || 'consul' }}
diff --git a/agent/structs/config_entry_inline_certificate_test.go b/agent/structs/config_entry_inline_certificate_test.go
index 8c77540131..b95f3b0e96 100644
--- a/agent/structs/config_entry_inline_certificate_test.go
+++ b/agent/structs/config_entry_inline_certificate_test.go
@@ -162,7 +162,9 @@ func TestInlineCertificate(t *testing.T) {
PrivateKey: tooShortPrivateKey,
Certificate: "foo",
},
- validateErr: "key length must be at least 2048 bits",
+ // non-FIPS: "key length must be at least 2048 bits"
+ // FIPS: "key length invalid: only RSA lengths of 2048, 3072, and 4096 are allowed in FIPS mode"
+ validateErr: "key length",
},
"mismatched certificate": {
entry: &InlineCertificateConfigEntry{
diff --git a/ui/packages/consul-ui/translations/routes/en-us.yaml b/ui/packages/consul-ui/translations/routes/en-us.yaml
index da76128e88..1296863840 100644
--- a/ui/packages/consul-ui/translations/routes/en-us.yaml
+++ b/ui/packages/consul-ui/translations/routes/en-us.yaml
@@ -152,7 +152,7 @@ dc:
{items, select,
0 {Services must be exported from one peer to another to enable service communication across two peers. There don't seem to be any services imported from {name} yet, or you may not have services:read permissions to access to this view.}
- other {No services where found matching that search, or you may not have access to view the services you are searching for.}
+ other {No services were found matching that search, or you may not have access to view the services you are searching for.}
}
exported:
@@ -162,7 +162,7 @@ dc:
{items, select,
0 {Services must be exported from one peer to another to enable service communication across two peers. There don't seem to be any services exported to {name} yet, or you may not have services:read permissions to access to this view.}
- other {No services where found matching that search, or you may not have access to view the services you are searching for.}
+ other {No services were found matching that search, or you may not have access to view the services you are searching for.}
}
diff --git a/website/content/docs/agent/telemetry.mdx b/website/content/docs/agent/telemetry.mdx
index 326f5b42db..eae1c1aa42 100644
--- a/website/content/docs/agent/telemetry.mdx
+++ b/website/content/docs/agent/telemetry.mdx
@@ -487,8 +487,8 @@ These metrics are used to monitor the health of the Consul servers.
| `consul.raft.leader.oldestLogAge` | The number of milliseconds since the _oldest_ log in the leader's log store was written. This can be important for replication health where write rate is high and the snapshot is large as followers may be unable to recover from a restart if restoring takes longer than the minimum value for the current leader. Compare this with `consul.raft.fsm.lastRestoreDuration` and `consul.raft.rpc.installSnapshot` to monitor. In normal usage this gauge value will grow linearly over time until a snapshot completes on the leader and the log is truncated. Note: this metric won't be emitted until the leader writes a snapshot. After an upgrade to Consul 1.10.0 it won't be emitted until the oldest log was written after the upgrade. | ms | gauge |
| `consul.raft.replication.heartbeat` | Measures the time taken to invoke appendEntries on a peer, so that it doesn't timeout on a periodic basis. | ms | timer |
| `consul.raft.replication.appendEntries` | Measures the time it takes to replicate log entries to followers. This is a general indicator of the load pressure on the Consul servers, as well as the performance of the communication between the servers. | ms | timer |
-| `consul.raft.replication.appendEntries.rpc` | Measures the time taken by the append entries RFC, to replicate the log entries of a leader agent onto its follower agent(s) | ms | timer |
-| `consul.raft.replication.appendEntries.logs` | Measures the number of logs replicated to an agent, to bring it up to speed with the leader's logs. | logs appended/ interval | counter |
+| `consul.raft.replication.appendEntries.rpc` | Measures the time taken by the append entries RPC to replicate the log entries of a leader agent onto its follower agent(s). | ms | timer |
+| `consul.raft.replication.appendEntries.logs` | Counts the number of logs replicated to an agent to bring it up to speed with the leader's logs. | logs appended/ interval | counter |
| `consul.raft.restore` | Counts the number of times the restore operation has been performed by the agent. Here, restore refers to the action of raft consuming an external snapshot to restore its state. | operation invoked / interval | counter |
| `consul.raft.restoreUserSnapshot` | Measures the time taken by the agent to restore the FSM state from a user's snapshot | ms | timer |
| `consul.raft.rpc.appendEntries` | Measures the time taken to process an append entries RPC call from an agent. | ms | timer |
@@ -560,12 +560,12 @@ These metrics are used to monitor the health of the Consul servers.
| `consul.leader.replication.namespaces.status` | This will only be emitted by the leader in a secondary datacenter. The value will be a 1 if the last round of namespace replication was successful or 0 if there was an error. | healthy | gauge |
| `consul.leader.replication.namespaces.index` | This will only be emitted by the leader in a secondary datacenter. Increments to the index of namespaces in the primary datacenter that have been successfully replicated. | index | gauge |
| `consul.prepared-query.apply` | Measures the time it takes to apply a prepared query update. | ms | timer |
-| `consul.prepared-query.explain` | Measures the time it takes to process a prepared query explain request. | ms | timer |
-| `consul.prepared-query.execute` | Measures the time it takes to process a prepared query execute request. | ms | timer |
| `consul.prepared-query.execute_remote` | Measures the time it takes to process a prepared query execute request that was forwarded to another datacenter. | ms | timer |
+| `consul.prepared-query.execute` | Measures the time it takes to process a prepared query execute request. | ms | timer |
+| `consul.prepared-query.explain` | Measures the time it takes to process a prepared query explain request. | ms | timer |
| `consul.rpc.raft_handoff` | Increments when a server accepts a Raft-related RPC connection. | connections | counter |
-| `consul.rpc.request_error` | Increments when a server returns an error from an RPC request. | errors | counter |
| `consul.rpc.request` | Increments when a server receives a Consul-related RPC request. | requests | counter |
+| `consul.rpc.request_error` | Increments when a server returns an error from an RPC request. | errors | counter |
| `consul.rpc.query` | Increments when a server receives a read RPC request, indicating the rate of new read queries. See consul.rpc.queries_blocking for the current number of in-flight blocking RPC calls. This metric changed in 1.7.0 to only increment on the the start of a query. The rate of queries will appear lower, but is more accurate. | queries | counter |
| `consul.rpc.queries_blocking` | The current number of in-flight blocking queries the server is handling. | queries | gauge |
| `consul.rpc.cross-dc` | Increments when a server sends a (potentially blocking) cross datacenter RPC query. | queries | counter |
diff --git a/website/content/docs/connect/dataplane/consul-dataplane.mdx b/website/content/docs/connect/dataplane/consul-dataplane.mdx
index ab59a5ba60..cf0ae43321 100644
--- a/website/content/docs/connect/dataplane/consul-dataplane.mdx
+++ b/website/content/docs/connect/dataplane/consul-dataplane.mdx
@@ -54,6 +54,8 @@ The following options are required when starting `consul-dataplane` with the CLI
- `-envoy-concurrency` - The number of worker threads that Envoy uses. Default is `2`. Accepted environment variable is `DP_ENVOY_CONCURRENCY`.
- `-envoy-ready-bind-address` - The address Envoy's readiness probe is available on. Accepted environment variable is `DP_ENVOY_READY_BIND_ADDRESS`.
- `-envoy-ready-bind-port` - The port Envoy's readiness probe is available on. Accepted environment variable is `DP_ENVOY_READY_BIND_PORT`.
+- `-graceful-port` - The port to serve HTTP endpoints for graceful operations. Accepted environment variable is `DP_GRACEFUL_PORT`.
+- `-graceful-shutdown-path` - The HTTP path to serve the graceful shutdown endpoint. Accepted environment variable is `DP_GRACEFUL_SHUTDOWN_PATH`.
- `-grpc-port` - The Consul server gRPC port to which `consul-dataplane` connects. Default is `8502`. Accepted environment variable is `DP_CONSUL_GRPC_PORT`.
- `-log-json` - Enables log messages in JSON format. Default is `false`. Accepted environment variable is `DP_LOG_JSON`.
- `-log-level` - Log level of the messages to print. Available log levels are `"trace"`, `"debug"`, `"info"`, `"warn"`, and `"error"`. Default is `"info"`. Accepted environment variable is `DP_LOG_LEVEL`.
@@ -71,6 +73,8 @@ The following options are required when starting `consul-dataplane` with the CLI
- `-service-node-id` - The ID of the Consul node to which the proxy service instance is registered. Accepted environment variable is `DP_SERVICE_NODE_ID`.
- `-service-node-name` - The name of the Consul node to which the proxy service instance is registered. Accepted environment variable is `DP_SERVICE_NODE_NAME`.
- `-service-partition` - The Consul Enterprise partition in which the proxy service instance is registered. Accepted environment variable is `DP_SERVICE_PARTITION`.
+- `-shutdown-drain-listeners` - Wait for proxy listeners to drain before terminating the proxy container. Accepted environment variable is `DP_SHUTDOWN_DRAIN_LISTENERS`.
+- `-shutdown-grace-period-seconds` - Amount of time to wait after receiving a SIGTERM signal before terminating the proxy. Accepted environment variable is `DP_SHUTDOWN_GRACE_PERIOD_SECONDS`.
- `-static-token` - The ACL token used to authenticate requests to Consul servers when `-credential-type` is set to `"static"`. Accepted environment variable is `DP_CREDENTIAL_STATIC_TOKEN`.
- `-telemetry-prom-ca-certs-path` - The path to a file or directory containing CA certificates used to verify the Prometheus server's certificate. Accepted environment variable is `DP_TELEMETRY_PROM_CA_CERTS_PATH`.
- `-telemetry-prom-cert-file` - The path to the client certificate used to serve Prometheus metrics. Accepted environment variable is `DP_TELEMETRY_PROM_CERT_FILE`.
diff --git a/website/content/docs/consul-vs-other/service-mesh-compare.mdx b/website/content/docs/consul-vs-other/service-mesh-compare.mdx
index b0848d2b90..419f5679ba 100644
--- a/website/content/docs/consul-vs-other/service-mesh-compare.mdx
+++ b/website/content/docs/consul-vs-other/service-mesh-compare.mdx
@@ -14,5 +14,5 @@ Consul’s service mesh allows organizations to securely connect and manage thei
Consul is platform agnostic — it supports any runtime (Kubernetes, EKS, AKS, GKE, VMs, ECS, Lambda, Nomad) and any cloud provider (AWS, Microsoft Azure, GCP, private clouds). This makes it one of the most flexible service discovery and service mesh platforms. While other service mesh software provides support for multiple runtimes for the data plane, they require you to run the control plane solely on Kubernetes. With Consul, you can run both the control plane and data plane in different runtimes.
Consul also has several unique integrations with Vault, an industry standard for secrets management. Operators have the option to use Consul’s built-in certificate authority, or leverage Vault’s PKI engine to generate and store TLS certificates for both the data plane and control plane. In addition, Consul can automatically rotate the TLS certificates on both the data plane and control plane without requiring any type of restarts. This lets you rotate the certificates more frequently without incurring additional management burden on operators.
-When deploying Consul on Kubernetes, you can store sensitive data including licenses, ACL tokens, and TLS certificates centrally Vault instead of Kubernetes secrets. Vault is much more secure than Kubernetes secrets because it automatically encrypts all data, provides advanced access controls to secrets, and provides centralized governance for all secrets.
+When deploying Consul on Kubernetes, you can store sensitive data including licenses, ACL tokens, and TLS certificates centrally in Vault instead of Kubernetes secrets. Vault is much more secure than Kubernetes secrets because it automatically encrypts all data, provides advanced access controls to secrets, and provides centralized governance for all secrets.
diff --git a/website/content/docs/k8s/annotations-and-labels.mdx b/website/content/docs/k8s/annotations-and-labels.mdx
index 56d0aa6006..0735ede6cc 100644
--- a/website/content/docs/k8s/annotations-and-labels.mdx
+++ b/website/content/docs/k8s/annotations-and-labels.mdx
@@ -91,38 +91,38 @@ The following Kubernetes resource annotations could be used on a pod to control
annotations:
"consul.hashicorp.com/connect-service-upstreams":"[service-name].svc:[port]"
```
-
+
- Peer or datacenter: Place the peer or datacenter after `svc.` followed by either `peer` or `dc` and the port number.
-
+
```yaml
annotations:
"consul.hashicorp.com/connect-service-upstreams":"[service-name].svc.[service-peer].peer:[port]"
```
-
+
```yaml
annotations:
"consul.hashicorp.com/connect-service-upstreams":"[service-name].svc.[service-dc].dc:[port]"
```
-
+
- Namespace (requires Consul Enterprise): Place the namespace after `svc.` followed by `ns` and the port number.
-
+
```yaml
annotations:
"consul.hashicorp.com/connect-service-upstreams":"[service-name].svc.[service-namespace].ns:[port]"
```
-
+
When namespaces are enabled, you must include the namespace in the annotation before specifying a cluster peer, WAN-federated datacenter, or admin partition in the same datacenter.
-
+
```yaml
annotations:
"consul.hashicorp.com/connect-service-upstreams":"[service-name].svc.[service-namespace].ns.[service-peer].peer:[port]"
```
-
+
```yaml
annotations:
"consul.hashicorp.com/connect-service-upstreams":"[service-name].svc.[service-namespace].ns.[service-partition].ap:[port]"
```
-
+
```yaml
annotations:
"consul.hashicorp.com/connect-service-upstreams":"[service-name].svc.[service-namespace].ns.[service-dc].dc:[port]"
@@ -132,7 +132,7 @@ The following Kubernetes resource annotations could be used on a pod to control
The unlabeled annotation format allows you to reference any service not in a cluster peer as an upstream. You can specify a Consul Enterprise namespace. You can also specify an admin partition in the same datacenter or a WAN-federated datacenter. Unlike the labeled annotation, you can also reference a prepared query as an upstream.
- Service name: Place the service name at the beginning of the annotation to specify the upstream service. You also have the option to append the WAN federated datacenter where the service is deployed.
-
+
```yaml
annotations:
"consul.hashicorp.com/connect-service-upstreams":"[service-name]:[port]:[optional datacenter]"
@@ -140,7 +140,7 @@ The following Kubernetes resource annotations could be used on a pod to control
- Namespace: Upstream services may be running in a different namespace. Place
the upstream namespace after the service name. For additional details about configuring the injector, refer to [Consul Enterprise namespaces](#consul-enterprise-namespaces) .
-
+
```yaml
annotations:
"consul.hashicorp.com/connect-service-upstreams":"[service-name].[service-namespace]:[port]:[optional datacenter]"
@@ -158,7 +158,7 @@ The following Kubernetes resource annotations could be used on a pod to control
annotations:
"consul.hashicorp.com/connect-service-upstreams":"[service-name].[service-namespace].[service-partition]:[port]:[optional datacenter]"
```
-
+
- Prepared queries: To reference a [prepared query](/consul/api-docs/query) in an upstream annotation, prepend the annotation
with `prepared_query` and then invoke the name of the query.
@@ -166,7 +166,7 @@ The following Kubernetes resource annotations could be used on a pod to control
annotations:
'consul.hashicorp.com/connect-service-upstreams': 'prepared_query:[query name]:[port]'
```
-
+
- **Multiple upstreams**: Delimit multiple services or upstreams with commas. You can specify any of the unlabeled, labeled, or prepared query formats when using the supported versions for the formats.
```yaml
@@ -239,6 +239,12 @@ The following Kubernetes resource annotations could be used on a pod to control
- `consul.hashicorp.com/consul-sidecar-memory-limit` - Override the default memory limit.
- `consul.hashicorp.com/consul-sidecar-memory-request` - Override the default memory request.
+- `consul.hashicorp.com/enable-sidecar-proxy-lifecycle` - Override the default Helm value [`connectInject.sidecarProxy.lifecycle.defaultEnabled`](/consul/docs/k8s/helm#v-connectinject-sidecarproxy-lifecycle-defaultenabled)
+- `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners` - Override the default Helm value [`connectInject.sidecarProxy.lifecycle.defaultEnableShutdownDrainListeners`](/consul/docs/k8s/helm#v-connectinject-sidecarproxy-lifecycle-defaultenableshutdowndrainlisteners)
+- `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds` - Override the default Helm value [`connectInject.sidecarProxy.lifecycle.defaultShutdownGracePeriodSeconds`](/consul/docs/k8s/helm#v-connectinject-sidecarproxy-lifecycle-defaultshutdowngraceperiodseconds)
+- `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port` - Override the default Helm value [`connectInject.sidecarProxy.lifecycle.defaultGracefulPort`](/consul/docs/k8s/helm#v-connectinject-sidecarproxy-lifecycle-defaultgracefulport)
+- `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path` - Override the default Helm value [`connectInject.sidecarProxy.lifecycle.defaultGracefulShutdownPath`](/consul/docs/k8s/helm#v-connectinject-sidecarproxy-lifecycle-defaultgracefulshutdownpath)
+
- `consul.hashicorp.com/enable-metrics` - Override the default Helm value [`connectInject.metrics.defaultEnabled`](/consul/docs/k8s/helm#v-connectinject-metrics-defaultenabled).
- `consul.hashicorp.com/enable-metrics-merging` - Override the default Helm value [`connectInject.metrics.defaultEnableMerging`](/consul/docs/k8s/helm#v-connectinject-metrics-defaultenablemerging).
- `consul.hashicorp.com/merged-metrics-port` - Override the default Helm value [`connectInject.metrics.defaultMergedMetricsPort`](/consul/docs/k8s/helm#v-connectinject-metrics-defaultmergedmetricsport).
@@ -281,21 +287,21 @@ Resource labels could be used on a Kubernetes service to control connect-inject
registration to ignore all services except for the one which should be used for routing requests
using Consul.
-## Service Sync
+## Service Sync
### Annotations
The following Kubernetes resource annotations could be used on a pod to [Service Sync](https://developer.hashicorp.com/consul/docs/k8s/service-sync) behavior:
-- `consul.hashicorp.com/service-sync`: If this is set to `true`, then the Kubernetes service is explicitly configured to be synced to Consul.
+- `consul.hashicorp.com/service-sync`: If this is set to `true`, then the Kubernetes service is explicitly configured to be synced to Consul.
```yaml
annotations:
'consul.hashicorp.com/service-sync': 'true'
```
-- `consul.hashicorp.com/service-port`: Configures the port to register to the Consul Catalog for the Kubernetes service. The annotation value may be a name of a port (recommended) or an exact port value. Refer to [service ports](https://developer.hashicorp.com/consul/docs/k8s/service-sync#service-ports) for more information.
-
+- `consul.hashicorp.com/service-port`: Configures the port to register to the Consul Catalog for the Kubernetes service. The annotation value may be a name of a port (recommended) or an exact port value. Refer to [service ports](https://developer.hashicorp.com/consul/docs/k8s/service-sync#service-ports) for more information.
+
```yaml
annotations:
'consul.hashicorp.com/service-port': 'http'
@@ -315,7 +321,7 @@ The following Kubernetes resource annotations could be used on a pod to [Service
'consul.hashicorp.com/service-meta-KEY': 'value'
```
-- `consul.hashicorp.com/service-weight:` - Configures ability to support weighted loadbalancing by service annotation for Catalog Sync. The integer provided will be applied as a weight for the `passing` state for the health of the service. Refer to [weights](/consul/docs/services/configuration/services-configuration-reference#weights) in service configuration for more information on how this is leveraged for services in the Consul catalog.
+- `consul.hashicorp.com/service-weight:` - Configures ability to support weighted loadbalancing by service annotation for Catalog Sync. The integer provided will be applied as a weight for the `passing` state for the health of the service. Refer to [weights](/consul/docs/services/configuration/services-configuration-reference#weights) in service configuration for more information on how this is leveraged for services in the Consul catalog.
```yaml
annotations:
diff --git a/website/content/docs/k8s/connect/cluster-peering/tech-specs.mdx b/website/content/docs/k8s/connect/cluster-peering/tech-specs.mdx
index cfe4ba7aeb..2d27a4f369 100644
--- a/website/content/docs/k8s/connect/cluster-peering/tech-specs.mdx
+++ b/website/content/docs/k8s/connect/cluster-peering/tech-specs.mdx
@@ -41,7 +41,7 @@ Refer to the following example Helm configuration:
```yaml
global:
name: consul
- image: "hashicorp/consul:1.14.1"
+ image: "hashicorp/consul:1.16.0"
peering:
enabled: true
tls:
@@ -166,4 +166,4 @@ If ACLs are enabled, you must add tokens to grant the following permissions:
- Grant `service:write` permissions to services that define mesh gateways in their server definition.
- Grant `service:read` permissions for all services on the partition.
-- Grant `mesh:write` permissions to the mesh gateways that participate in cluster peering connections. This permission allows a leaf certificate to be issued for mesh gateways to terminate TLS sessions for HTTP requests.
\ No newline at end of file
+- Grant `mesh:write` permissions to the mesh gateways that participate in cluster peering connections. This permission allows a leaf certificate to be issued for mesh gateways to terminate TLS sessions for HTTP requests.
diff --git a/website/content/docs/k8s/connect/cluster-peering/usage/establish-peering.mdx b/website/content/docs/k8s/connect/cluster-peering/usage/establish-peering.mdx
index 167d4fdcec..375886132e 100644
--- a/website/content/docs/k8s/connect/cluster-peering/usage/establish-peering.mdx
+++ b/website/content/docs/k8s/connect/cluster-peering/usage/establish-peering.mdx
@@ -48,7 +48,7 @@ After you provision a Kubernetes cluster and set up your kubeconfig file to mana
$ export CLUSTER2_CONTEXT=
```
-### Update the Helm chart
+### Install Consul using Helm and configure peering over mesh gateways
To use cluster peering with Consul on Kubernetes deployments, update the Helm chart with [the required values](/consul/docs/k8s/connect/cluster-peering/tech-specs#helm-requirements). After updating the Helm chart, you can use the `consul-k8s` CLI to apply `values.yaml` to each cluster.
@@ -59,7 +59,7 @@ To use cluster peering with Consul on Kubernetes deployments, update the Helm ch
```
```shell-session
- $ helm install ${HELM_RELEASE_NAME1} hashicorp/consul --create-namespace --namespace consul --version "1.0.1" --values values.yaml --set global.datacenter=dc1 --kube-context $CLUSTER1_CONTEXT
+ $ helm install ${HELM_RELEASE_NAME1} hashicorp/consul --create-namespace --namespace consul --version "1.2.0" --values values.yaml --set global.datacenter=dc1 --kube-context $CLUSTER1_CONTEXT
```
1. In `cluster-02`, run the following commands:
@@ -69,9 +69,11 @@ To use cluster peering with Consul on Kubernetes deployments, update the Helm ch
```
```shell-session
- $ helm install ${HELM_RELEASE_NAME2} hashicorp/consul --create-namespace --namespace consul --version "1.0.1" --values values.yaml --set global.datacenter=dc2 --kube-context $CLUSTER2_CONTEXT
+ $ helm install ${HELM_RELEASE_NAME2} hashicorp/consul --create-namespace --namespace consul --version "1.2.0" --values values.yaml --set global.datacenter=dc2 --kube-context $CLUSTER2_CONTEXT
```
+1. For both clusters apply the `Mesh` configuration entry values provided in [Mesh Gateway Specifications](/consul/docs/k8s/connect/cluster-peering/tech-specs#mesh-gateway-specifications) to allow establishing peering connections over mesh gateways.
+
### Configure the mesh gateway mode for traffic between services
In Kubernetes deployments, you can configure mesh gateways to use `local` mode so that a service dialing a service in a remote peer dials the remote mesh gateway instead of the local mesh gateway. To configure the mesh gateway mode so that this traffic always leaves through the local mesh gateway, you can use the `ProxyDefaults` CRD.
@@ -452,4 +454,4 @@ For Consul Enterprise, the permissions apply to all imported services in the ser
Refer to [Reading servers](/consul/docs/connect/config-entries/exported-services#reading-services) in the `exported-services` configuration entry documentation for example rules.
-For additional information about how to configure and use ACLs, refer to [ACLs system overview](/consul/docs/security/acl).
\ No newline at end of file
+For additional information about how to configure and use ACLs, refer to [ACLs system overview](/consul/docs/security/acl).
diff --git a/website/content/docs/k8s/helm.mdx b/website/content/docs/k8s/helm.mdx
index c4f639b279..06f77f32a9 100644
--- a/website/content/docs/k8s/helm.mdx
+++ b/website/content/docs/k8s/helm.mdx
@@ -20,27 +20,22 @@ with Consul.
Use these links to navigate to a particular top-level stanza.
-- [Helm Chart Reference](#helm-chart-reference)
- - [Top-Level Stanzas](#top-level-stanzas)
- - [All Values](#all-values)
- - [`global`](#h-global)
- - [`server`](#h-server)
- - [`externalServers`](#h-externalservers)
- - [`client`](#h-client)
- - [`dns`](#h-dns)
- - [`ui`](#h-ui)
- - [`syncCatalog`](#h-synccatalog)
- - [`connectInject`](#h-connectinject)
- - [`meshGateway`](#h-meshgateway)
- - [`ingressGateways`](#h-ingressgateways)
- - [`terminatingGateways`](#h-terminatinggateways)
- - [`apiGateway`](#h-apigateway)
- - [`webhookCertManager`](#h-webhookcertmanager)
- - [`prometheus`](#h-prometheus)
- - [`tests`](#h-tests)
- - [`telemetryCollector`](#h-telemetrycollector)
- - [Helm Chart Examples](#helm-chart-examples)
- - [Customizing the Helm Chart](#customizing-the-helm-chart)
+- [`global`](#h-global)
+- [`server`](#h-server)
+- [`externalServers`](#h-externalservers)
+- [`client`](#h-client)
+- [`dns`](#h-dns)
+- [`ui`](#h-ui)
+- [`syncCatalog`](#h-synccatalog)
+- [`connectInject`](#h-connectinject)
+- [`meshGateway`](#h-meshgateway)
+- [`ingressGateways`](#h-ingressgateways)
+- [`terminatingGateways`](#h-terminatinggateways)
+- [`apiGateway`](#h-apigateway)
+- [`webhookCertManager`](#h-webhookcertmanager)
+- [`prometheus`](#h-prometheus)
+- [`tests`](#h-tests)
+- [`telemetryCollector`](#h-telemetrycollector)
## All Values
@@ -64,7 +59,7 @@ Use these links to navigate to a particular top-level stanza.
the prefix will be `-consul`.
- `domain` ((#v-global-domain)) (`string: consul`) - The domain Consul will answer DNS queries for
- (Refer to [`-domain`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from
+ (Refer to [`-domain`](/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from
Consul into Kubernetes will have, e.g. `service-name.service.consul`.
- `peering` ((#v-global-peering)) - Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+.
@@ -125,7 +120,7 @@ Use these links to navigate to a particular top-level stanza.
- `secretsBackend` ((#v-global-secretsbackend)) - secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation.
The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled
and have necessary secrets, policies and roles created prior to installing Consul.
- Refer to [Vault as the Secrets Backend](https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/vault)
+ Refer to [Vault as the Secrets Backend](/consul/docs/k8s/deployment-configurations/vault)
documentation for full instructions.
The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend
@@ -212,11 +207,11 @@ Use these links to navigate to a particular top-level stanza.
- `secretKey` ((#v-global-secretsbackend-vault-ca-secretkey)) (`string: ""`) - The key within the Kubernetes or Vault secret that holds the Vault CA certificate.
- - `connectCA` ((#v-global-secretsbackend-vault-connectca)) - Configuration for the Vault service mesh CA provider.
+ - `connectCA` ((#v-global-secretsbackend-vault-connectca)) - Configuration for the Vault Connect CA provider.
The provider will be configured to use the Vault Kubernetes auth method
and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole`
to have permissions to the root and intermediate PKI paths.
- Please refer to [Vault ACL policies](https://developer.hashicorp.com/consul/docs/connect/ca/vault#vault-acl-policies)
+ Please refer to [Vault ACL policies](/consul/docs/connect/ca/vault#vault-acl-policies)
documentation for information on how to configure the Vault policies.
- `address` ((#v-global-secretsbackend-vault-connectca-address)) (`string: ""`) - The address of the Vault server.
@@ -224,13 +219,13 @@ Use these links to navigate to a particular top-level stanza.
- `authMethodPath` ((#v-global-secretsbackend-vault-connectca-authmethodpath)) (`string: kubernetes`) - The mount path of the Kubernetes auth method in Vault.
- `rootPKIPath` ((#v-global-secretsbackend-vault-connectca-rootpkipath)) (`string: ""`) - The path to a PKI secrets engine for the root certificate.
- For more details, please refer to [Vault service mesh CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath).
+ For more details, please refer to [Vault Connect CA configuration](/consul/docs/connect/ca/vault#rootpkipath).
- `intermediatePKIPath` ((#v-global-secretsbackend-vault-connectca-intermediatepkipath)) (`string: ""`) - The path to a PKI secrets engine for the generated intermediate certificate.
- For more details, please refer to [Vault service mesh CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath).
+ For more details, please refer to [Vault Connect CA configuration](/consul/docs/connect/ca/vault#intermediatepkipath).
- - `additionalConfig` ((#v-global-secretsbackend-vault-connectca-additionalconfig)) (`string: {}`) - Additional service mesh CA configuration in JSON format.
- Please refer to [Vault service mesh CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration)
+ - `additionalConfig` ((#v-global-secretsbackend-vault-connectca-additionalconfig)) (`string: {}`) - Additional Connect CA configuration in JSON format.
+ Please refer to [Vault Connect CA configuration](/consul/docs/connect/ca/vault#configuration)
for all configuration options available for that provider.
Example:
@@ -251,20 +246,20 @@ Use these links to navigate to a particular top-level stanza.
- `caCert` ((#v-global-secretsbackend-vault-connectinject-cacert)) - Configuration to the Vault Secret that Kubernetes uses on
Kubernetes pod creation, deletion, and update, to get CA certificates
- used issued from vault to send webhooks to the connect inject.
+ used issued from vault to send webhooks to the ConnectInject.
- `secretName` ((#v-global-secretsbackend-vault-connectinject-cacert-secretname)) (`string: null`) - The Vault secret path that contains the CA certificate for
- connect inject webhooks.
+ Connect Inject webhooks.
- `tlsCert` ((#v-global-secretsbackend-vault-connectinject-tlscert)) - Configuration to the Vault Secret that Kubernetes uses on
Kubernetes pod creation, deletion, and update, to get TLS certificates
- used issued from vault to send webhooks to the connect inject.
+ used issued from vault to send webhooks to the ConnectInject.
- `secretName` ((#v-global-secretsbackend-vault-connectinject-tlscert-secretname)) (`string: null`) - The Vault secret path that issues TLS certificates for connect
inject webhooks.
- `gossipEncryption` ((#v-global-gossipencryption)) - Configures Consul's gossip encryption key.
- (Refer to [`-encrypt`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_encrypt)).
+ (Refer to [`-encrypt`](/consul/docs/agent/config/cli-flags#_encrypt)).
By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually.
The recommended method is to automatically generate the key.
To automatically generate and set a gossip encryption key, set autoGenerate to true.
@@ -295,17 +290,17 @@ Use these links to navigate to a particular top-level stanza.
- `recursors` ((#v-global-recursors)) (`array: []`) - A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries.
These values are given as `-recursor` flags to Consul servers and clients.
- Refer to [`-recursor`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_recursor) for more details.
+ Refer to [`-recursor`](/consul/docs/agent/config/cli-flags#_recursor) for more details.
If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`).
- - `tls` ((#v-global-tls)) - Enables [TLS](https://developer.hashicorp.com/consul/tutorials/security/tls-encryption-secure)
+ - `tls` ((#v-global-tls)) - Enables [TLS](/consul/tutorials/security/tls-encryption-secure)
across the cluster to verify authenticity of the Consul servers and clients.
Requires Consul v1.4.1+.
- `enabled` ((#v-global-tls-enabled)) (`boolean: false`) - If true, the Helm chart will enable TLS for Consul
servers and clients and all consul-k8s-control-plane components, as well as generate certificate
authority (optional) and server and client certificates.
- This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s).
+ This setting is required for [Cluster Peering](/consul/docs/connect/cluster-peering/k8s).
- `enableAutoEncrypt` ((#v-global-tls-enableautoencrypt)) (`boolean: false`) - If true, turns on the auto-encrypt feature on clients and servers.
It also switches consul-k8s-control-plane components to retrieve the CA from the servers
@@ -322,7 +317,7 @@ Use these links to navigate to a particular top-level stanza.
- `verify` ((#v-global-tls-verify)) (`boolean: true`) - If true, `verify_outgoing`, `verify_server_hostname`,
and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients.
Set this to false to incrementally roll out TLS on an existing Consul cluster.
- Please refer to [TLS on existing clusters](https://developer.hashicorp.com/consul/docs/k8s/operations/tls-on-existing-cluster)
+ Please refer to [TLS on existing clusters](/consul/docs/k8s/operations/tls-on-existing-cluster)
for more details.
- `httpsOnly` ((#v-global-tls-httpsonly)) (`boolean: true`) - If true, the Helm chart will configure Consul to disable the HTTP port on
@@ -366,6 +361,15 @@ Use these links to navigate to a particular top-level stanza.
- `secretKey` ((#v-global-tls-cakey-secretkey)) (`string: null`) - The key within the Kubernetes or Vault secret that holds the CA key.
+ - `annotations` ((#v-global-tls-annotations)) (`string: null`) - This value defines additional annotations for
+ tls init jobs. This should be formatted as a multi-line string.
+
+ ```yaml
+ annotations: |
+ "sample/annotation1": "foo"
+ "sample/annotation2": "bar"
+ ```
+
- `enableConsulNamespaces` ((#v-global-enableconsulnamespaces)) (`boolean: false`) - `enableConsulNamespaces` indicates that you are running
Consul Enterprise v1.7+ with a valid Consul Enterprise license and would
like to make use of configuration beyond registering everything into
@@ -410,6 +414,23 @@ Use these links to navigate to a particular top-level stanza.
- `secretKey` ((#v-global-acls-replicationtoken-secretkey)) (`string: null`) - The key within the Kubernetes or Vault secret that holds the replication token.
+ - `resources` ((#v-global-acls-resources)) (`map`) - The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods.
+ This should be a YAML map corresponding to a Kubernetes
+ [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core)
+ object.
+
+ Example:
+
+ ```yaml
+ resources:
+ requests:
+ memory: '200Mi'
+ cpu: '100m'
+ limits:
+ memory: '200Mi'
+ cpu: '100m'
+ ```
+
- `partitionToken` ((#v-global-acls-partitiontoken)) - partitionToken references a Vault secret containing the ACL token to be used in non-default partitions.
This value should only be provided in the default partition and only when setting
the `global.secretsBackend.vault.enabled` value to true.
@@ -435,6 +456,15 @@ Use these links to navigate to a particular top-level stanza.
beta.kubernetes.io/arch: amd64
```
+ - `annotations` ((#v-global-acls-annotations)) (`string: null`) - This value defines additional annotations for
+ acl init jobs. This should be formatted as a multi-line string.
+
+ ```yaml
+ annotations: |
+ "sample/annotation1": "foo"
+ "sample/annotation2": "bar"
+ ```
+
- `enterpriseLicense` ((#v-global-enterpriselicense)) - This value refers to a Kubernetes or Vault secret that you have created
that contains your enterprise license. It is required if you are using an
enterprise binary. Defining it here applies it to your cluster once a leader
@@ -475,7 +505,7 @@ Use these links to navigate to a particular top-level stanza.
This address must be reachable from the Consul servers in the primary datacenter.
This auth method will be used to provision ACL tokens for Consul components and is different
from the one used by the Consul Service Mesh.
- Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes).
+ Please refer to the [Kubernetes Auth Method documentation](/consul/docs/security/acl/auth-methods/kubernetes).
You can retrieve this value from your `kubeconfig` by running:
@@ -602,7 +632,7 @@ Use these links to navigate to a particular top-level stanza.
Consul server agents.
- `replicas` ((#v-server-replicas)) (`integer: 1`) - The number of server agents to run. This determines the fault tolerance of
- the cluster. Please refer to the [deployment table](https://developer.hashicorp.com/consul/docs/architecture/consensus#deployment-table)
+ the cluster. Please refer to the [deployment table](/consul/docs/architecture/consensus#deployment-table)
for more information.
- `bootstrapExpect` ((#v-server-bootstrapexpect)) (`int: null`) - The number of servers that are expected to be running.
@@ -641,7 +671,7 @@ Use these links to navigate to a particular top-level stanza.
Vault Secrets backend:
If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]`
capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`.
- Complete [this tutorial](https://developer.hashicorp.com/consul/tutorials/vault-secure/vault-pki-consul-secure-tls)
+ Complete [this tutorial](/consul/tutorials/vault-secure/vault-pki-consul-secure-tls)
to learn how to generate a compatible certificate.
Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine
must be provided.
@@ -681,19 +711,19 @@ Use these links to navigate to a particular top-level stanza.
storage classes, the PersistentVolumeClaims would need to be manually created.
A `null` value will use the Kubernetes cluster's default StorageClass. If a default
StorageClass does not exist, you will need to create one.
- Refer to the [Read/Write Tuning](https://developer.hashicorp.com/consul/docs/install/performance#read-write-tuning)
+ Refer to the [Read/Write Tuning](/consul/docs/install/performance#read-write-tuning)
section of the Server Performance Requirements documentation for considerations
around choosing a performant storage class.
- ~> **Note:** The [Reference Architecture](https://developer.hashicorp.com/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers)
+ ~> **Note:** The [Reference Architecture](/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers)
contains best practices and recommendations for selecting suitable
hardware sizes for your Consul servers.
- - `connect` ((#v-server-connect)) (`boolean: true`) - This will enable/disable [service mesh](https://developer.hashicorp.com/consul/docs/connect). Setting this to true
+ - `connect` ((#v-server-connect)) (`boolean: true`) - This will enable/disable [service mesh](/consul/docs/connect). Setting this to true
_will not_ automatically secure pod communication, this
setting will only enable usage of the feature. Consul will automatically initialize
a new CA and set of certificates. Additional service mesh settings can be configured
- by setting the `server.extraConfig` value.
+ by setting the `server.extraConfig` value or by applying [configuration entries](/consul/docs/connect/config-entries).
- `serviceAccount` ((#v-server-serviceaccount))
@@ -716,10 +746,10 @@ Use these links to navigate to a particular top-level stanza.
```yaml
resources:
requests:
- memory: '100Mi'
+ memory: '200Mi'
cpu: '100m'
limits:
- memory: '100Mi'
+ memory: '200Mi'
cpu: '100m'
```
@@ -737,11 +767,15 @@ Use these links to navigate to a particular top-level stanza.
- `server` ((#v-server-containersecuritycontext-server)) (`map`) - The consul server agent container
+ - `aclInit` ((#v-server-containersecuritycontext-aclinit)) (`map`) - The acl-init job
+
+ - `tlsInit` ((#v-server-containersecuritycontext-tlsinit)) (`map`) - The tls-init job
+
- `updatePartition` ((#v-server-updatepartition)) (`integer: 0`) - This value is used to carefully
control a rolling update of Consul server agents. This value specifies the
[partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions)
for performing a rolling update. Please read the linked Kubernetes
- and [Upgrade Consul](https://developer.hashicorp.com/consul/docs/k8s/upgrade#upgrading-consul-servers)
+ and [Upgrade Consul](/consul/docs/k8s/upgrade#upgrading-consul-servers)
documentation for more information.
- `disruptionBudget` ((#v-server-disruptionbudget)) - This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/)
@@ -757,7 +791,7 @@ Use these links to navigate to a particular top-level stanza.
--set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation
command because of a limitation in the Helm templating language.
- - `extraConfig` ((#v-server-extraconfig)) (`string: {}`) - A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul
+ - `extraConfig` ((#v-server-extraconfig)) (`string: {}`) - A raw string of extra [JSON configuration](/consul/docs/agent/config/config-files) for Consul
servers. This will be saved as-is into a ConfigMap that is read by the Consul
server agents. This can be used to add additional configuration that
isn't directly exposed by the chart.
@@ -934,18 +968,18 @@ Use these links to navigate to a particular top-level stanza.
it could be used to configure custom consul parameters.
- `snapshotAgent` ((#v-server-snapshotagent)) - Values for setting up and running
- [snapshot agents](https://developer.hashicorp.com/consul/commands/snapshot/agent)
+ [snapshot agents](/consul/commands/snapshot/agent)
within the Consul clusters. They run as a sidecar with Consul servers.
- `enabled` ((#v-server-snapshotagent-enabled)) (`boolean: false`) - If true, the chart will install resources necessary to run the snapshot agent.
- `interval` ((#v-server-snapshotagent-interval)) (`string: 1h`) - Interval at which to perform snapshots.
- Refer to [`interval`](https://developer.hashicorp.com/consul/commands/snapshot/agent#interval)
+ Refer to [`interval`](/consul/commands/snapshot/agent#interval)
- `configSecret` ((#v-server-snapshotagent-configsecret)) - A Kubernetes or Vault secret that should be manually created to contain the entire
config to be used on the snapshot agent.
This is the preferred method of configuration since there are usually storage
- credentials present. Please refer to the [Snapshot agent config](https://developer.hashicorp.com/consul/commands/snapshot/agent#config-file-options)
+ credentials present. Please refer to the [Snapshot agent config](/consul/commands/snapshot/agent#config-file-options)
for details.
- `secretName` ((#v-server-snapshotagent-configsecret-secretname)) (`string: null`) - The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config.
@@ -966,6 +1000,87 @@ Use these links to navigate to a particular top-level stanza.
...
```
+ - `auditLogs` ((#v-server-auditlogs)) - Added in Consul 1.8, the audit object allow users to enable auditing
+ and configure a sink and filters for their audit logs. Please refer to
+ [audit logs](/consul/docs/enterprise/audit-logging) documentation
+ for further information.
+
+ - `enabled` ((#v-server-auditlogs-enabled)) (`boolean: false`) - Controls whether Consul logs out each time a user performs an operation.
+ global.acls.manageSystemACLs must be enabled to use this feature.
+
+ - `sinks` ((#v-server-auditlogs-sinks)) (`array