docs - helm consul k8s 1.1.x helm chart reference (#18057)

* add helm chart changes * ran again with updated values Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
2023-07-10 12:39:58 -07:00 · 2023-07-10 12:39:58 -07:00 · e261d0a25a
parent b7563515ce
commit e261d0a25a
1 changed files with 135 additions and 54 deletions
--- a/website/content/docs/k8s/helm.mdx
+++ b/website/content/docs/k8s/helm.mdx
@ -20,27 +20,22 @@ with Consul.
 Use these links to navigate to a particular top-level stanza.
- [Helm Chart Reference](#helm-chart-reference)
+- [`global`](#h-global)
-  - [Top-Level Stanzas](#top-level-stanzas)
+- [`server`](#h-server)
-  - [All Values](#all-values)
+- [`externalServers`](#h-externalservers)
-    - [`global`](#h-global)
+- [`client`](#h-client)
-    - [`server`](#h-server)
+- [`dns`](#h-dns)
-    - [`externalServers`](#h-externalservers)
+- [`ui`](#h-ui)
-    - [`client`](#h-client)
+- [`syncCatalog`](#h-synccatalog)
-    - [`dns`](#h-dns)
+- [`connectInject`](#h-connectinject)
-    - [`ui`](#h-ui)
+- [`meshGateway`](#h-meshgateway)
-    - [`syncCatalog`](#h-synccatalog)
+- [`ingressGateways`](#h-ingressgateways)
-    - [`connectInject`](#h-connectinject)
+- [`terminatingGateways`](#h-terminatinggateways)
-    - [`meshGateway`](#h-meshgateway)
+- [`apiGateway`](#h-apigateway)
-    - [`ingressGateways`](#h-ingressgateways)
+- [`webhookCertManager`](#h-webhookcertmanager)
-    - [`terminatingGateways`](#h-terminatinggateways)
+- [`prometheus`](#h-prometheus)
-    - [`apiGateway`](#h-apigateway)
+- [`tests`](#h-tests)
-    - [`webhookCertManager`](#h-webhookcertmanager)
+- [`telemetryCollector`](#h-telemetrycollector)
    - [`prometheus`](#h-prometheus)
    - [`tests`](#h-tests)
    - [`telemetryCollector`](#h-telemetrycollector)
  - [Helm Chart Examples](#helm-chart-examples)
  - [Customizing the Helm Chart](#customizing-the-helm-chart)
 ## All Values
@ -212,7 +207,7 @@ Use these links to navigate to a particular top-level stanza.
        - `secretKey` ((#v-global-secretsbackend-vault-ca-secretkey)) (`string: ""`) - The key within the Kubernetes or Vault secret that holds the Vault CA certificate.
-      - `connectCA` ((#v-global-secretsbackend-vault-connectca)) - Configuration for the Vault service mesh CA provider.
+      - `connectCA` ((#v-global-secretsbackend-vault-connectca)) - Configuration for the Vault Connect CA provider.
        The provider will be configured to use the Vault Kubernetes auth method
        and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole`
        to have permissions to the root and intermediate PKI paths.
@ -224,13 +219,13 @@ Use these links to navigate to a particular top-level stanza.
        - `authMethodPath` ((#v-global-secretsbackend-vault-connectca-authmethodpath)) (`string: kubernetes`) - The mount path of the Kubernetes auth method in Vault.
        - `rootPKIPath` ((#v-global-secretsbackend-vault-connectca-rootpkipath)) (`string: ""`) - The path to a PKI secrets engine for the root certificate.
-          For more details, please refer to [Vault service mesh CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath).
+          For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath).
        - `intermediatePKIPath` ((#v-global-secretsbackend-vault-connectca-intermediatepkipath)) (`string: ""`) - The path to a PKI secrets engine for the generated intermediate certificate.
-          For more details, please refer to [Vault service mesh CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath).
+          For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath).
-        - `additionalConfig` ((#v-global-secretsbackend-vault-connectca-additionalconfig)) (`string: {}`) - Additional service mesh CA configuration in JSON format.
+        - `additionalConfig` ((#v-global-secretsbackend-vault-connectca-additionalconfig)) (`string: {}`) - Additional Connect CA configuration in JSON format.
-          Please refer to [Vault service mesh CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration)
+          Please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration)
          for all configuration options available for that provider.
          Example:
@ -251,14 +246,14 @@ Use these links to navigate to a particular top-level stanza.
        - `caCert` ((#v-global-secretsbackend-vault-connectinject-cacert)) - Configuration to the Vault Secret that Kubernetes uses on
          Kubernetes pod creation, deletion, and update, to get CA certificates
-          used issued from vault to send webhooks to the connect inject.
+          used issued from vault to send webhooks to the ConnectInject.
          - `secretName` ((#v-global-secretsbackend-vault-connectinject-cacert-secretname)) (`string: null`) - The Vault secret path that contains the CA certificate for
-            connect inject webhooks.
+            Connect Inject webhooks.
        - `tlsCert` ((#v-global-secretsbackend-vault-connectinject-tlscert)) - Configuration to the Vault Secret that Kubernetes uses on
          Kubernetes pod creation, deletion, and update, to get TLS certificates
-          used issued from vault to send webhooks to the connect inject.
+          used issued from vault to send webhooks to the ConnectInject.
          - `secretName` ((#v-global-secretsbackend-vault-connectinject-tlscert-secretname)) (`string: null`) - The Vault secret path that issues TLS certificates for connect
            inject webhooks.
@ -410,6 +405,23 @@ Use these links to navigate to a particular top-level stanza.
      - `secretKey` ((#v-global-acls-replicationtoken-secretkey)) (`string: null`) - The key within the Kubernetes or Vault secret that holds the replication token.
    - `resources` ((#v-global-acls-resources)) (`map`) - The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods.
      This should be a YAML map corresponding to a Kubernetes
      [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core)
      object.
      Example:
      ```yaml
      resources:
        requests:
          memory: '200Mi'
          cpu: '100m'
        limits:
          memory: '200Mi'
          cpu: '100m'
      ```
    - `partitionToken` ((#v-global-acls-partitiontoken)) - partitionToken references a Vault secret containing the ACL token to be used in non-default partitions.
      This value should only be provided in the default partition and only when setting
      the `global.secretsBackend.vault.enabled` value to true.
@ -689,10 +701,10 @@ Use these links to navigate to a particular top-level stanza.
    contains best practices and recommendations for selecting suitable
    hardware sizes for your Consul servers.
-  - `connect` ((#v-server-connect)) (`boolean: true`) - This will enable/disable [service mesh](https://developer.hashicorp.com/consul/docs/connect). Setting this to true
+  - `connect` ((#v-server-connect)) (`boolean: true`) - This will enable/disable [Connect](https://developer.hashicorp.com/consul/docs/connect). Setting this to true
    _will not_ automatically secure pod communication, this
    setting will only enable usage of the feature. Consul will automatically initialize
-    a new CA and set of certificates. Additional service mesh settings can be configured
+    a new CA and set of certificates. Additional Connect settings can be configured
    by setting the `server.extraConfig` value.
  - `serviceAccount` ((#v-server-serviceaccount))
@ -716,10 +728,10 @@ Use these links to navigate to a particular top-level stanza.
    ```yaml
    resources:
      requests:
-        memory: '100Mi'
+        memory: '200Mi'
        cpu: '100m'
      limits:
-        memory: '100Mi'
+        memory: '200Mi'
        cpu: '100m'
    ```
@ -966,6 +978,56 @@ Use these links to navigate to a particular top-level stanza.
        ...
      ```
  - `auditLogs` ((#v-server-auditlogs)) - <EnterpriseAlert inline /> Added in Consul 1.8, the audit object allow users to enable auditing
    and configure a sink and filters for their audit logs. Please refer to
    [audit logs](https://developer.hashicorp.com/consul/docs/enterprise/audit-logging) documentation
    for further information.
    - `enabled` ((#v-server-auditlogs-enabled)) (`boolean: false`) - Controls whether Consul logs out each time a user performs an operation.
      global.acls.manageSystemACLs must be enabled to use this feature.
    - `sinks` ((#v-server-auditlogs-sinks)) (`array<map>`) - A single entry of the sink object provides configuration for the destination to which Consul
      will log auditing events.
      Example:
      ```yaml
      sinks:
        - name: My Sink
          type: file
          format: json
          path: /tmp/audit.json
          delivery_guarantee: best-effort
          rotate_duration: 24h
          rotate_max_files: 15
          rotate_bytes: 25165824
      ```
      The sink object supports the following keys:
      - `name` - Name of the sink.
      - `type` - Type specifies what kind of sink this is. Currently only file sinks are available
      - `format` - Format specifies what format the events will be emitted with. Currently only `json`
        events are emitted.
      - `path` - The directory and filename to write audit events to.
      - `delivery_guarantee` - Specifies the rules governing how audit events are written. Consul
        only supports `best-effort` event delivery.
      - `mode` - The permissions to set on the audit log files.
      - `rotate_duration` - Specifies the interval by which the system rotates to a new log file.
         At least one of `rotate_duration` or `rotate_bytes` must be configured to enable audit logging.
      - `rotate_bytes` -  Specifies how large an individual log file can grow before Consul rotates to a new file.
         At least one of rotate_bytes or rotate_duration must be configured to enable audit logging.
      - `rotate_max_files` - Defines the limit that Consul should follow before it deletes old log files.
 ### externalServers ((#h-externalservers))
 - `externalServers` ((#v-externalservers)) - Configuration for Consul servers when the servers are running outside of Kubernetes.
@ -1044,7 +1106,7 @@ Use these links to navigate to a particular top-level stanza.
  - `grpc` ((#v-client-grpc)) (`boolean: true`) - If true, agents will enable their GRPC listener on
    port 8502 and expose it to the host. This will use slightly more resources, but is
-    required for service mesh.
+    required for Connect.
  - `nodeMeta` ((#v-client-nodemeta)) - nodeMeta specifies an arbitrary metadata key/value pair to associate with the node
    (refer to [`-node-meta`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_node_meta))
@ -1245,7 +1307,7 @@ Use these links to navigate to a particular top-level stanza.
  - `enabled` ((#v-dns-enabled)) (`boolean: -`)
-  - `enableRedirection` ((#v-dns-enableredirection)) (`boolean: -`) - If true, services using Consul service mesh will use Consul DNS
+  - `enableRedirection` ((#v-dns-enableredirection)) (`boolean: -`) - If true, services using Consul Connect will use Consul DNS
    for default DNS resolution. The DNS lookups fall back to the nameserver IPs
    listed in /etc/resolv.conf if not found in Consul.
@ -1568,9 +1630,9 @@ Use these links to navigate to a particular top-level stanza.
 ### connectInject ((#h-connectinject))
- `connectInject` ((#v-connectinject)) - Configures the automatic service mesh sidecar injector.
+- `connectInject` ((#v-connectinject)) - Configures the automatic Connect sidecar injector.
-  - `enabled` ((#v-connectinject-enabled)) (`boolean: true`) - True if you want to enable service mesh sidecar injection. Set to "-" to inherit from
+  - `enabled` ((#v-connectinject-enabled)) (`boolean: true`) - True if you want to enable connect injection. Set to "-" to inherit from
    global.enabled.
  - `replicas` ((#v-connectinject-replicas)) (`integer: 1`) - The number of deployment replicas.
@ -1580,13 +1642,13 @@ Use these links to navigate to a particular top-level stanza.
  - `default` ((#v-connectinject-default)) (`boolean: false`) - If true, the injector will inject the
    Connect sidecar into all pods by default. Otherwise, pods must specify the
    [injection annotation](https://developer.hashicorp.com/consul/docs/k8s/connect#consul-hashicorp-com-connect-inject)
-    to opt-in to service mesh sidecar injection. If this is true, pods can use the same annotation
+    to opt-in to Connect injection. If this is true, pods can use the same annotation
    to explicitly opt-out of injection.
  - `transparentProxy` ((#v-connectinject-transparentproxy)) - Configures Transparent Proxy for Consul Service mesh services.
    Using this feature requires Consul 1.10.0-beta1+.
-    - `defaultEnabled` ((#v-connectinject-transparentproxy-defaultenabled)) (`boolean: true`) - If true, then all Consul service mesh will run with transparent proxy enabled by default,
+    - `defaultEnabled` ((#v-connectinject-transparentproxy-defaultenabled)) (`boolean: true`) - If true, then all services registered with Consul service mesh will run with transparent proxy enabled by default,
      i.e. we enforce that all traffic within the pod will go through the proxy.
      This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation.
@ -1681,7 +1743,7 @@ Use these links to navigate to a particular top-level stanza.
        persistent: true
      ```
-  - `metrics` ((#v-connectinject-metrics)) - Configures metrics for services in the Consul service mesh. All values are overridable
+  - `metrics` ((#v-connectinject-metrics)) - Configures metrics for Consul Connect services. All values are overridable
    via annotations on a per-pod basis.
    - `defaultEnabled` ((#v-connectinject-metrics-defaultenabled)) (`string: -`) - If true, the connect-injector will automatically
@ -1690,14 +1752,14 @@ Use these links to navigate to a particular top-level stanza.
      metrics will depend on whether metrics merging is enabled:
        - If metrics merging is enabled:
          the consul-dataplane will run a merged metrics server
-          combining Envoy sidecar and mesh service metrics,
+          combining Envoy sidecar and Connect service metrics,
          i.e. if your service exposes its own Prometheus metrics.
        - If metrics merging is disabled:
          the listener will just expose Envoy sidecar metrics.
      This will inherit from `global.metrics.enabled`.
    - `defaultEnableMerging` ((#v-connectinject-metrics-defaultenablemerging)) (`boolean: false`) - Configures the consul-dataplane to run a merged metrics server
-      to combine and serve both Envoy and mesh service metrics.
+      to combine and serve both Envoy and Connect service metrics.
      This feature is available only in Consul v1.10.0 or greater.
    - `defaultMergedMetricsPort` ((#v-connectinject-metrics-defaultmergedmetricsport)) (`integer: 20100`) - Configures the port at which the consul-dataplane will listen on to return
@ -1763,13 +1825,13 @@ Use these links to navigate to a particular top-level stanza.
    - `requests` ((#v-connectinject-resources-requests))
-      - `memory` ((#v-connectinject-resources-requests-memory)) (`string: 50Mi`) - Recommended production default: 500Mi
+      - `memory` ((#v-connectinject-resources-requests-memory)) (`string: 200Mi`) - Recommended production default: 500Mi
      - `cpu` ((#v-connectinject-resources-requests-cpu)) (`string: 50m`) - Recommended production default: 250m
    - `limits` ((#v-connectinject-resources-limits))
-      - `memory` ((#v-connectinject-resources-limits-memory)) (`string: 50Mi`) - Recommended production default: 500Mi
+      - `memory` ((#v-connectinject-resources-limits-memory)) (`string: 200Mi`) - Recommended production default: 500Mi
      - `cpu` ((#v-connectinject-resources-limits-cpu)) (`string: 50m`) - Recommended production default: 250m
@ -1798,13 +1860,13 @@ Use these links to navigate to a particular top-level stanza.
        namespace-label: label-value
    ```
-  - `k8sAllowNamespaces` ((#v-connectinject-k8sallownamespaces)) (`array<string>: ["*"]`) - List of k8s namespaces to allow service mesh sidecar
+  - `k8sAllowNamespaces` ((#v-connectinject-k8sallownamespaces)) (`array<string>: ["*"]`) - List of k8s namespaces to allow Connect sidecar
    injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`,
    pods in that k8s namespace will not be injected even if they are explicitly
    annotated. Use `["*"]` to automatically allow all k8s namespaces.
    For example, `["namespace1", "namespace2"]` will only allow pods in the k8s
-    namespaces `namespace1` and `namespace2` to have service mesh sidecars injected
+    namespaces `namespace1` and `namespace2` to have Connect sidecars injected
    and registered with Consul. All other k8s namespaces will be ignored.
    To deny all namespaces, set this to `[]`.
@ -1813,7 +1875,7 @@ Use these links to navigate to a particular top-level stanza.
    `namespaceSelector` takes precedence over both since it is applied first.
    `kube-system` and `kube-public` are never injected, even if included here.
-  - `k8sDenyNamespaces` ((#v-connectinject-k8sdenynamespaces)) (`array<string>: []`) - List of k8s namespaces that should not allow service mesh
+  - `k8sDenyNamespaces` ((#v-connectinject-k8sdenynamespaces)) (`array<string>: []`) - List of k8s namespaces that should not allow Connect
    sidecar injection. This list takes precedence over `k8sAllowNamespaces`.
    `*` is not supported because then nothing would be allowed to be injected.
@ -1878,7 +1940,7 @@ Use these links to navigate to a particular top-level stanza.
    auth method for Connect inject, set this to the name of your auth method.
  - `aclInjectToken` ((#v-connectinject-aclinjecttoken)) - Refers to a Kubernetes secret that you have created that contains
-    an ACL token for your Consul cluster which allows the connect injector the correct
+    an ACL token for your Consul cluster which allows the Connect injector the correct
    permissions. This is only needed if Consul namespaces <EnterpriseAlert inline /> and ACLs
    are enabled on the Consul cluster and you are not setting
    `global.acls.manageSystemACLs` to `true`.
@ -1922,7 +1984,26 @@ Use these links to navigate to a particular top-level stanza.
        - `cpu` ((#v-connectinject-sidecarproxy-resources-limits-cpu)) (`string: null`) - Recommended production default: 100m
-  - `initContainer` ((#v-connectinject-initcontainer)) (`map`) - The resource settings for the connect injected init container. If null, the resources
+    - `lifecycle` ((#v-connectinject-sidecarproxy-lifecycle)) (`map`) - Set default lifecycle management configuration for sidecar proxy.
      These settings can be overridden on a per-pod basis via these annotations:
      - `consul.hashicorp.com/enable-sidecar-proxy-lifecycle`
      - `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners`
      - `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds`
      - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port`
      - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path`
      - `defaultEnabled` ((#v-connectinject-sidecarproxy-lifecycle-defaultenabled)) (`boolean: true`)
      - `defaultEnableShutdownDrainListeners` ((#v-connectinject-sidecarproxy-lifecycle-defaultenableshutdowndrainlisteners)) (`boolean: true`)
      - `defaultShutdownGracePeriodSeconds` ((#v-connectinject-sidecarproxy-lifecycle-defaultshutdowngraceperiodseconds)) (`integer: 30`)
      - `defaultGracefulPort` ((#v-connectinject-sidecarproxy-lifecycle-defaultgracefulport)) (`integer: 20600`)
      - `defaultGracefulShutdownPath` ((#v-connectinject-sidecarproxy-lifecycle-defaultgracefulshutdownpath)) (`string: /graceful_shutdown`)
  - `initContainer` ((#v-connectinject-initcontainer)) (`map`) - The resource settings for the Connect injected init container. If null, the resources
    won't be set for the initContainer. The defaults are optimized for developer instances of
    Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times.
@ -1942,11 +2023,11 @@ Use these links to navigate to a particular top-level stanza.
 ### meshGateway ((#h-meshgateway))
- `meshGateway` ((#v-meshgateway)) - [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul service mesh to work across Consul datacenters.
+- `meshGateway` ((#v-meshgateway)) - [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters.
  - `enabled` ((#v-meshgateway-enabled)) (`boolean: false`) - If [mesh gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs
-    gateways and Consul service mesh will be configured to use gateways.
+    gateways and Consul Connect will be configured to use gateways.
-    This setting is required for [cluster peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s).
+    This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s).
    Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``.
  - `replicas` ((#v-meshgateway-replicas)) (`integer: 1`) - Number of replicas for the Deployment.
@ -2228,7 +2309,7 @@ Use these links to navigate to a particular top-level stanza.
    `defaults`. Values defined here override the defaults except in the
    case of annotations where both will be applied.
-  - `name` ((#v-ingressgateways-gateways-name)) (`string: ingress-gateway`)
+    - `name` ((#v-ingressgateways-gateways-name)) (`string: ingress-gateway`)
 ### terminatingGateways ((#h-terminatinggateways))
@ -2344,7 +2425,7 @@ Use these links to navigate to a particular top-level stanza.
    `defaults`. Values defined here override the defaults except in the
    case of annotations where both will be applied.
-  - `name` ((#v-terminatinggateways-gateways-name)) (`string: terminating-gateway`)
+    - `name` ((#v-terminatinggateways-gateways-name)) (`string: terminating-gateway`)
 ### apiGateway ((#h-apigateway))