github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

docs - helm consul k8s 1.1.x helm chart reference (#18057) 

* add helm chart changes
* ran again with updated values
Co-authored-by: Dan Stough <dan.stough@hashicorp.com>
pull/18064/head
David Yu 2023-07-10 12:39:58 -07:00 committed by GitHub
parent b7563515ce
commit e261d0a25a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 135 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

185
website/content/docs/k8s/helm.mdx
View File

@ -20,27 +20,22 @@ with Consul.
Use these links to navigate to a particular top-level stanza.
- [Helm Chart Reference](#helm-chart-reference)
- [Top-Level Stanzas](#top-level-stanzas)
- [All Values](#all-values)
- [`global`](#h-global)
- [`server`](#h-server)
- [`externalServers`](#h-externalservers)
- [`client`](#h-client)
- [`dns`](#h-dns)
- [`ui`](#h-ui)
- [`syncCatalog`](#h-synccatalog)
- [`connectInject`](#h-connectinject)
- [`meshGateway`](#h-meshgateway)
- [`ingressGateways`](#h-ingressgateways)
- [`terminatingGateways`](#h-terminatinggateways)
- [`apiGateway`](#h-apigateway)
- [`webhookCertManager`](#h-webhookcertmanager)
- [`prometheus`](#h-prometheus)
- [`tests`](#h-tests)
- [`telemetryCollector`](#h-telemetrycollector)
- [Helm Chart Examples](#helm-chart-examples)
- [Customizing the Helm Chart](#customizing-the-helm-chart)
- [`global`](#h-global)
- [`server`](#h-server)
- [`externalServers`](#h-externalservers)
- [`client`](#h-client)
- [`dns`](#h-dns)
- [`ui`](#h-ui)
- [`syncCatalog`](#h-synccatalog)
- [`connectInject`](#h-connectinject)
- [`meshGateway`](#h-meshgateway)
- [`ingressGateways`](#h-ingressgateways)
- [`terminatingGateways`](#h-terminatinggateways)
- [`apiGateway`](#h-apigateway)
- [`webhookCertManager`](#h-webhookcertmanager)
- [`prometheus`](#h-prometheus)
- [`tests`](#h-tests)
- [`telemetryCollector`](#h-telemetrycollector)
## All Values
@ -212,7 +207,7 @@ Use these links to navigate to a particular top-level stanza.
- `secretKey` ((#v-global-secretsbackend-vault-ca-secretkey)) (`string: ""`) - The key within the Kubernetes or Vault secret that holds the Vault CA certificate.
- `connectCA` ((#v-global-secretsbackend-vault-connectca)) - Configuration for the Vault service mesh CA provider.
- `connectCA` ((#v-global-secretsbackend-vault-connectca)) - Configuration for the Vault Connect CA provider.
The provider will be configured to use the Vault Kubernetes auth method
and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole`
to have permissions to the root and intermediate PKI paths.
@ -224,13 +219,13 @@ Use these links to navigate to a particular top-level stanza.
- `authMethodPath` ((#v-global-secretsbackend-vault-connectca-authmethodpath)) (`string: kubernetes`) - The mount path of the Kubernetes auth method in Vault.
- `rootPKIPath` ((#v-global-secretsbackend-vault-connectca-rootpkipath)) (`string: ""`) - The path to a PKI secrets engine for the root certificate.
For more details, please refer to [Vault service mesh CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath).
For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath).
- `intermediatePKIPath` ((#v-global-secretsbackend-vault-connectca-intermediatepkipath)) (`string: ""`) - The path to a PKI secrets engine for the generated intermediate certificate.
For more details, please refer to [Vault service mesh CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath).
For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath).
- `additionalConfig` ((#v-global-secretsbackend-vault-connectca-additionalconfig)) (`string: {}`) - Additional service mesh CA configuration in JSON format.
Please refer to [Vault service mesh CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration)
- `additionalConfig` ((#v-global-secretsbackend-vault-connectca-additionalconfig)) (`string: {}`) - Additional Connect CA configuration in JSON format.
Please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration)
for all configuration options available for that provider.
Example:
@ -251,14 +246,14 @@ Use these links to navigate to a particular top-level stanza.
- `caCert` ((#v-global-secretsbackend-vault-connectinject-cacert)) - Configuration to the Vault Secret that Kubernetes uses on
Kubernetes pod creation, deletion, and update, to get CA certificates
used issued from vault to send webhooks to the connect inject.
used issued from vault to send webhooks to the ConnectInject.
- `secretName` ((#v-global-secretsbackend-vault-connectinject-cacert-secretname)) (`string: null`) - The Vault secret path that contains the CA certificate for
connect inject webhooks.
Connect Inject webhooks.
- `tlsCert` ((#v-global-secretsbackend-vault-connectinject-tlscert)) - Configuration to the Vault Secret that Kubernetes uses on
Kubernetes pod creation, deletion, and update, to get TLS certificates
used issued from vault to send webhooks to the connect inject.
used issued from vault to send webhooks to the ConnectInject.
- `secretName` ((#v-global-secretsbackend-vault-connectinject-tlscert-secretname)) (`string: null`) - The Vault secret path that issues TLS certificates for connect
inject webhooks.
@ -410,6 +405,23 @@ Use these links to navigate to a particular top-level stanza.
- `secretKey` ((#v-global-acls-replicationtoken-secretkey)) (`string: null`) - The key within the Kubernetes or Vault secret that holds the replication token.
- `resources` ((#v-global-acls-resources)) (`map`) - The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods.
This should be a YAML map corresponding to a Kubernetes
[`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core)
object.
Example:
```yaml
resources:
requests:
memory: '200Mi'
cpu: '100m'
limits:
memory: '200Mi'
cpu: '100m'
```
- `partitionToken` ((#v-global-acls-partitiontoken)) - partitionToken references a Vault secret containing the ACL token to be used in non-default partitions.
This value should only be provided in the default partition and only when setting
the `global.secretsBackend.vault.enabled` value to true.
@ -689,10 +701,10 @@ Use these links to navigate to a particular top-level stanza.
contains best practices and recommendations for selecting suitable
hardware sizes for your Consul servers.
- `connect` ((#v-server-connect)) (`boolean: true`) - This will enable/disable [service mesh](https://developer.hashicorp.com/consul/docs/connect). Setting this to true
- `connect` ((#v-server-connect)) (`boolean: true`) - This will enable/disable [Connect](https://developer.hashicorp.com/consul/docs/connect). Setting this to true
_will not_ automatically secure pod communication, this
setting will only enable usage of the feature. Consul will automatically initialize
a new CA and set of certificates. Additional service mesh settings can be configured
a new CA and set of certificates. Additional Connect settings can be configured
by setting the `server.extraConfig` value.
- `serviceAccount` ((#v-server-serviceaccount))
@ -716,10 +728,10 @@ Use these links to navigate to a particular top-level stanza.
```yaml
resources:
requests:
memory: '100Mi'
memory: '200Mi'
cpu: '100m'
limits:
memory: '100Mi'
memory: '200Mi'
cpu: '100m'
```
@ -966,6 +978,56 @@ Use these links to navigate to a particular top-level stanza.
...
```
- `auditLogs` ((#v-server-auditlogs)) - <EnterpriseAlert inline /> Added in Consul 1.8, the audit object allow users to enable auditing
and configure a sink and filters for their audit logs. Please refer to
[audit logs](https://developer.hashicorp.com/consul/docs/enterprise/audit-logging) documentation
for further information.
- `enabled` ((#v-server-auditlogs-enabled)) (`boolean: false`) - Controls whether Consul logs out each time a user performs an operation.
global.acls.manageSystemACLs must be enabled to use this feature.
- `sinks` ((#v-server-auditlogs-sinks)) (`array<map>`) - A single entry of the sink object provides configuration for the destination to which Consul
will log auditing events.
Example:
```yaml
sinks:
- name: My Sink
type: file
format: json
path: /tmp/audit.json
delivery_guarantee: best-effort
rotate_duration: 24h
rotate_max_files: 15
rotate_bytes: 25165824
```
The sink object supports the following keys:
- `name` - Name of the sink.
- `type` - Type specifies what kind of sink this is. Currently only file sinks are available
- `format` - Format specifies what format the events will be emitted with. Currently only `json`
events are emitted.
- `path` - The directory and filename to write audit events to.
- `delivery_guarantee` - Specifies the rules governing how audit events are written. Consul
only supports `best-effort` event delivery.
- `mode` - The permissions to set on the audit log files.
- `rotate_duration` - Specifies the interval by which the system rotates to a new log file.
At least one of `rotate_duration` or `rotate_bytes` must be configured to enable audit logging.
- `rotate_bytes` - Specifies how large an individual log file can grow before Consul rotates to a new file.
At least one of rotate_bytes or rotate_duration must be configured to enable audit logging.
- `rotate_max_files` - Defines the limit that Consul should follow before it deletes old log files.
### externalServers ((#h-externalservers))
- `externalServers` ((#v-externalservers)) - Configuration for Consul servers when the servers are running outside of Kubernetes.
@ -1044,7 +1106,7 @@ Use these links to navigate to a particular top-level stanza.
- `grpc` ((#v-client-grpc)) (`boolean: true`) - If true, agents will enable their GRPC listener on
port 8502 and expose it to the host. This will use slightly more resources, but is
required for service mesh.
required for Connect.
- `nodeMeta` ((#v-client-nodemeta)) - nodeMeta specifies an arbitrary metadata key/value pair to associate with the node
(refer to [`-node-meta`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_node_meta))
@ -1245,7 +1307,7 @@ Use these links to navigate to a particular top-level stanza.
- `enabled` ((#v-dns-enabled)) (`boolean: -`)
- `enableRedirection` ((#v-dns-enableredirection)) (`boolean: -`) - If true, services using Consul service mesh will use Consul DNS
- `enableRedirection` ((#v-dns-enableredirection)) (`boolean: -`) - If true, services using Consul Connect will use Consul DNS
for default DNS resolution. The DNS lookups fall back to the nameserver IPs
listed in /etc/resolv.conf if not found in Consul.
@ -1568,9 +1630,9 @@ Use these links to navigate to a particular top-level stanza.
### connectInject ((#h-connectinject))
- `connectInject` ((#v-connectinject)) - Configures the automatic service mesh sidecar injector.
- `connectInject` ((#v-connectinject)) - Configures the automatic Connect sidecar injector.
- `enabled` ((#v-connectinject-enabled)) (`boolean: true`) - True if you want to enable service mesh sidecar injection. Set to "-" to inherit from
- `enabled` ((#v-connectinject-enabled)) (`boolean: true`) - True if you want to enable connect injection. Set to "-" to inherit from
global.enabled.
- `replicas` ((#v-connectinject-replicas)) (`integer: 1`) - The number of deployment replicas.
@ -1580,13 +1642,13 @@ Use these links to navigate to a particular top-level stanza.
- `default` ((#v-connectinject-default)) (`boolean: false`) - If true, the injector will inject the
Connect sidecar into all pods by default. Otherwise, pods must specify the
[injection annotation](https://developer.hashicorp.com/consul/docs/k8s/connect#consul-hashicorp-com-connect-inject)
to opt-in to service mesh sidecar injection. If this is true, pods can use the same annotation
to opt-in to Connect injection. If this is true, pods can use the same annotation
to explicitly opt-out of injection.
- `transparentProxy` ((#v-connectinject-transparentproxy)) - Configures Transparent Proxy for Consul Service mesh services.
Using this feature requires Consul 1.10.0-beta1+.
- `defaultEnabled` ((#v-connectinject-transparentproxy-defaultenabled)) (`boolean: true`) - If true, then all Consul service mesh will run with transparent proxy enabled by default,
- `defaultEnabled` ((#v-connectinject-transparentproxy-defaultenabled)) (`boolean: true`) - If true, then all services registered with Consul service mesh will run with transparent proxy enabled by default,
i.e. we enforce that all traffic within the pod will go through the proxy.
This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation.
@ -1681,7 +1743,7 @@ Use these links to navigate to a particular top-level stanza.
persistent: true
```
- `metrics` ((#v-connectinject-metrics)) - Configures metrics for services in the Consul service mesh. All values are overridable
- `metrics` ((#v-connectinject-metrics)) - Configures metrics for Consul Connect services. All values are overridable
via annotations on a per-pod basis.
- `defaultEnabled` ((#v-connectinject-metrics-defaultenabled)) (`string: -`) - If true, the connect-injector will automatically
@ -1690,14 +1752,14 @@ Use these links to navigate to a particular top-level stanza.
metrics will depend on whether metrics merging is enabled:
- If metrics merging is enabled:
the consul-dataplane will run a merged metrics server
combining Envoy sidecar and mesh service metrics,
combining Envoy sidecar and Connect service metrics,
i.e. if your service exposes its own Prometheus metrics.
- If metrics merging is disabled:
the listener will just expose Envoy sidecar metrics.
This will inherit from `global.metrics.enabled`.
- `defaultEnableMerging` ((#v-connectinject-metrics-defaultenablemerging)) (`boolean: false`) - Configures the consul-dataplane to run a merged metrics server
to combine and serve both Envoy and mesh service metrics.
to combine and serve both Envoy and Connect service metrics.
This feature is available only in Consul v1.10.0 or greater.
- `defaultMergedMetricsPort` ((#v-connectinject-metrics-defaultmergedmetricsport)) (`integer: 20100`) - Configures the port at which the consul-dataplane will listen on to return
@ -1763,13 +1825,13 @@ Use these links to navigate to a particular top-level stanza.
- `requests` ((#v-connectinject-resources-requests))
- `memory` ((#v-connectinject-resources-requests-memory)) (`string: 50Mi`) - Recommended production default: 500Mi
- `memory` ((#v-connectinject-resources-requests-memory)) (`string: 200Mi`) - Recommended production default: 500Mi
- `cpu` ((#v-connectinject-resources-requests-cpu)) (`string: 50m`) - Recommended production default: 250m
- `limits` ((#v-connectinject-resources-limits))
- `memory` ((#v-connectinject-resources-limits-memory)) (`string: 50Mi`) - Recommended production default: 500Mi
- `memory` ((#v-connectinject-resources-limits-memory)) (`string: 200Mi`) - Recommended production default: 500Mi
- `cpu` ((#v-connectinject-resources-limits-cpu)) (`string: 50m`) - Recommended production default: 250m
@ -1798,13 +1860,13 @@ Use these links to navigate to a particular top-level stanza.
namespace-label: label-value
```
- `k8sAllowNamespaces` ((#v-connectinject-k8sallownamespaces)) (`array<string>: ["*"]`) - List of k8s namespaces to allow service mesh sidecar
- `k8sAllowNamespaces` ((#v-connectinject-k8sallownamespaces)) (`array<string>: ["*"]`) - List of k8s namespaces to allow Connect sidecar
injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`,
pods in that k8s namespace will not be injected even if they are explicitly
annotated. Use `["*"]` to automatically allow all k8s namespaces.
For example, `["namespace1", "namespace2"]` will only allow pods in the k8s
namespaces `namespace1` and `namespace2` to have service mesh sidecars injected
namespaces `namespace1` and `namespace2` to have Connect sidecars injected
and registered with Consul. All other k8s namespaces will be ignored.
To deny all namespaces, set this to `[]`.
@ -1813,7 +1875,7 @@ Use these links to navigate to a particular top-level stanza.
`namespaceSelector` takes precedence over both since it is applied first.
`kube-system` and `kube-public` are never injected, even if included here.
- `k8sDenyNamespaces` ((#v-connectinject-k8sdenynamespaces)) (`array<string>: []`) - List of k8s namespaces that should not allow service mesh
- `k8sDenyNamespaces` ((#v-connectinject-k8sdenynamespaces)) (`array<string>: []`) - List of k8s namespaces that should not allow Connect
sidecar injection. This list takes precedence over `k8sAllowNamespaces`.
`*` is not supported because then nothing would be allowed to be injected.
@ -1878,7 +1940,7 @@ Use these links to navigate to a particular top-level stanza.
auth method for Connect inject, set this to the name of your auth method.
- `aclInjectToken` ((#v-connectinject-aclinjecttoken)) - Refers to a Kubernetes secret that you have created that contains
an ACL token for your Consul cluster which allows the connect injector the correct
an ACL token for your Consul cluster which allows the Connect injector the correct
permissions. This is only needed if Consul namespaces <EnterpriseAlert inline /> and ACLs
are enabled on the Consul cluster and you are not setting
`global.acls.manageSystemACLs` to `true`.
@ -1922,7 +1984,26 @@ Use these links to navigate to a particular top-level stanza.
- `cpu` ((#v-connectinject-sidecarproxy-resources-limits-cpu)) (`string: null`) - Recommended production default: 100m
- `initContainer` ((#v-connectinject-initcontainer)) (`map`) - The resource settings for the connect injected init container. If null, the resources
- `lifecycle` ((#v-connectinject-sidecarproxy-lifecycle)) (`map`) - Set default lifecycle management configuration for sidecar proxy.
These settings can be overridden on a per-pod basis via these annotations:
- `consul.hashicorp.com/enable-sidecar-proxy-lifecycle`
- `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners`
- `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds`
- `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port`
- `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path`
- `defaultEnabled` ((#v-connectinject-sidecarproxy-lifecycle-defaultenabled)) (`boolean: true`)
- `defaultEnableShutdownDrainListeners` ((#v-connectinject-sidecarproxy-lifecycle-defaultenableshutdowndrainlisteners)) (`boolean: true`)
- `defaultShutdownGracePeriodSeconds` ((#v-connectinject-sidecarproxy-lifecycle-defaultshutdowngraceperiodseconds)) (`integer: 30`)
- `defaultGracefulPort` ((#v-connectinject-sidecarproxy-lifecycle-defaultgracefulport)) (`integer: 20600`)
- `defaultGracefulShutdownPath` ((#v-connectinject-sidecarproxy-lifecycle-defaultgracefulshutdownpath)) (`string: /graceful_shutdown`)
- `initContainer` ((#v-connectinject-initcontainer)) (`map`) - The resource settings for the Connect injected init container. If null, the resources
won't be set for the initContainer. The defaults are optimized for developer instances of
Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times.
@ -1942,11 +2023,11 @@ Use these links to navigate to a particular top-level stanza.
### meshGateway ((#h-meshgateway))
- `meshGateway` ((#v-meshgateway)) - [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul service mesh to work across Consul datacenters.
- `meshGateway` ((#v-meshgateway)) - [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters.
- `enabled` ((#v-meshgateway-enabled)) (`boolean: false`) - If [mesh gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs
gateways and Consul service mesh will be configured to use gateways.
This setting is required for [cluster peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s).
gateways and Consul Connect will be configured to use gateways.
This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s).
Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``.
- `replicas` ((#v-meshgateway-replicas)) (`integer: 1`) - Number of replicas for the Deployment.