# Available parameters and their default values for the Consul chart.
#
# NOTE(review): the security-relevant defaults in this file — TLS
# (`global.tls.enabled`), gossip encryption (`global.gossipEncryption`) and
# ACLs (`global.acls.manageSystemACLs`) — are all *off* out of the box. Each is
# documented inline below; a production install should opt in to them explicitly.

# Holds values that affect multiple components of the chart.
global:
  # The main enabled/disabled setting. If true, servers,
  # clients, Consul DNS and the Consul UI will be enabled. Each component can override
  # this default via its component-specific "enabled" config. If false, no components
  # will be installed by default and per-component opt-in is required, such as by
  # setting `server.enabled` to true.
  enabled: true

  # The default log level to apply to all components which do not otherwise override this setting.
  # It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity.
  # "debug" output may also surface more internal detail than you want in a shared log pipeline;
  # return it to "info" once debugging is done.
  # One of "debug", "info", "warn", or "error".
  # @type: string
  logLevel: "info"

  # Enable all component logs to be output in JSON format.
  # @type: boolean
  logJSON: false

  # Set the prefix used for all resources in the Helm chart. If not set,
  # the prefix will be `<helm release name>-consul`.
  # @type: string
  name: null

  # The domain Consul will answer DNS queries for
  # (see `-domain` (https://www.consul.io/docs/agent/config/cli-flags#_domain)) and the domain services synced from
  # Consul into Kubernetes will have, e.g. `service-name.service.consul`.
  domain: consul

  # Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+.
  peering:
    # If true, the Helm chart enables Cluster Peering for the cluster. This option enables peering controllers and
    # allows use of the PeeringAcceptor and PeeringDialer CRDs for establishing service mesh peerings.
    # Peering requires `global.tls.enabled` to be true (see the `tls` section below).
    enabled: false

  # [Enterprise Only] Enabling `adminPartitions` allows creation of Admin Partitions in Kubernetes clusters.
  # It additionally indicates that you are running Consul Enterprise v1.11+ with a valid Consul Enterprise
  # license. Admin partitions enables deploying services across partitions, while sharing
  # a set of Consul servers.
  adminPartitions:
    # If true, the Helm chart will enable Admin Partitions for the cluster. The clients in the server cluster
    # must be installed in the default partition. Creation of Admin Partitions is only supported during installation.
    # Admin Partitions cannot be installed via a Helm upgrade operation. Only Helm installs are supported.
    enabled: false

    # The name of the Admin Partition. The partition name cannot be modified once the partition has been installed.
    # Changing the partition name would require an un-install and a re-install with the updated name.
    # Must be "default" in the server cluster, i.e. the Kubernetes cluster that the Consul server pods are deployed onto.
    name: "default"

  # The name (and tag) of the Consul Docker image for clients and servers.
  # This can be overridden per component. This should be pinned to a specific
  # version tag, otherwise you may inadvertently upgrade your Consul version.
  #
  # Supply-chain note: a tag is mutable and can be re-pushed by whoever controls the
  # registry namespace. For a reproducible deployment, pin by digest as well
  # (e.g. `hashicorp/consul:1.14.2@sha256:<digest>`), and do the same for
  # `imageK8S` and `imageConsulDataplane`.
  #
  # Examples:
  #
  # ```yaml
  # # Consul 1.10.0
  # image: "consul:1.10.0"
  # # Consul Enterprise 1.10.0
  # image: "hashicorp/consul-enterprise:1.10.0-ent"
  # ```
  # @default: hashicorp/consul:<latest version>
  image: "hashicorp/consul:1.14.2"

  # Array of objects containing image pull secret names that will be applied to each service account.
  # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image.
  # See https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry for reference.
  #
  # Example:
  #
  # ```yaml
  # imagePullSecrets:
  #   - name: pull-secret-name
  #   - name: pull-secret-name-2
  # ```
  # @type: array<map>
  imagePullSecrets: [ ]

  # The name (and tag) of the consul-k8s-control-plane Docker
  # image that is used for functionality such as catalog sync.
  # This can be overridden per component.
  # The same tag-vs-digest pinning advice as for `image` applies here.
  # @default: hashicorp/consul-k8s-control-plane:<latest version>
  imageK8S: hashicorp/consul-k8s-control-plane:1.0.2

  # The name of the datacenter that the agents should
  # register as. This can't be changed once the Consul cluster is up and running
  # since Consul doesn't support an automatic way to change this value currently:
  # https://github.com/hashicorp/consul/issues/1858.
  datacenter: dc1

  # Controls whether pod security policies are created for the Consul components
  # created by this chart. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/.
  # NOTE(review): PodSecurityPolicy was removed from Kubernetes in v1.25, so this setting
  # only has an effect on older clusters. On current clusters, constrain the chart's pods
  # with Pod Security Admission or another admission controller instead.
  enablePodSecurityPolicies: false

  # secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation.
  # The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled
  # and have necessary secrets, policies and roles created prior to installing Consul.
  # See https://www.consul.io/docs/k8s/installation/vault for full instructions.
  #
  # The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend
  # as that would cause a circular dependency.
  # Vault can have Consul as its storage backend as long as that Consul cluster is not running on this Kubernetes cluster
  # and is being managed separately from this Helm installation.
  #
  # Note: When using Vault KV2 secrets engines the "data" field is implicitly required for Vault API calls:
  # secretName should be in the form of "vault-kv2-mount-path/data/secret-name" and
  # secretKey should be in the form of "key".
  #
  # Least-privilege note: each role below is read by a different component. Give every role
  # its own policy scoped to exactly the paths listed for it rather than sharing one broad
  # policy across roles.
  secretsBackend:
    vault:
      # Enabling the Vault secrets backend will replace Kubernetes secrets with referenced Vault secrets.
      enabled: false

      # The Vault role for the Consul server.
      # The role must be connected to the Consul server's service account.
      # The role must also have a policy with read capabilities for the following secrets:
      # - gossip encryption key defined by the `global.gossipEncryption.secretName` value
      # - certificate issue path defined by the `server.serverCert.secretName` value
      # - CA certificate defined by the `global.tls.caCert.secretName` value
      # - replication token defined by the `global.acls.replicationToken.secretName` value if `global.federation.enabled` is `true`
      # To discover the service account name of the Consul server, run
      # ```shell-session
      # $ helm template --show-only templates/server-serviceaccount.yaml <release-name> hashicorp/consul
      # ```
      # and check the name of `metadata.name`.
      consulServerRole: ""

      # The Vault role for the Consul client.
      # The role must be connected to the Consul client's service account.
      # The role must also have a policy with read capabilities for the gossip encryption
      # key defined by the `global.gossipEncryption.secretName` value.
      # To discover the service account name of the Consul client, run
      # ```shell-session
      # $ helm template --show-only templates/client-serviceaccount.yaml <release-name> hashicorp/consul
      # ```
      # and check the name of `metadata.name`.
      consulClientRole: ""

      # A Vault role for the Consul `server-acl-init` job, which manages setting ACLs so that clients and components can obtain ACL tokens.
      # The role must be connected to the `server-acl-init` job's service account.
      # The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens.
      # This is the only role here that needs write access; do not reuse its policy for the other roles.
      # To discover the service account name of the `server-acl-init` job, run
      # ```shell-session
      # $ helm template --show-only templates/server-acl-init-serviceaccount.yaml \
      #     --set global.acls.manageSystemACLs=true <release-name> hashicorp/consul
      # ```
      # and check the name of `metadata.name`.
      manageSystemACLsRole: ""

      # [Enterprise Only] A Vault role that allows the Consul `partition-init` job to read a Vault secret for the partition ACL token.
      # The `partition-init` job bootstraps Admin Partitions on Consul servers.
      #
      # This role must be bound to the `partition-init` job's service account.
      # To discover the service account name of the `partition-init` job, run with Helm values for the client cluster:
      # ```shell-session
      # $ helm template --show-only templates/partition-init-serviceaccount.yaml -f client-cluster-values.yaml <release-name> hashicorp/consul
      # ```
      # and check the name of `metadata.name`.
      adminPartitionsRole: ""

      # The Vault role to read Consul controller's webhook's
      # CA and issue a certificate and private key.
      # A Vault policy must be created which grants issue capabilities to
      # `global.secretsBackend.vault.controller.tlsCert.secretName`.
      controllerRole: ""

      # The Vault role to read Consul connect-injector webhook's CA
      # and issue a certificate and private key.
      # A Vault policy must be created which grants issue capabilities to
      # `global.secretsBackend.vault.connectInject.tlsCert.secretName`.
      connectInjectRole: ""

      # The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated).
      # The role should be connected to the service accounts of all Consul components, or alternatively `*` since it
      # will be used only against the `pki/cert/ca` endpoint which is unauthenticated. A policy must be created which grants
      # read capabilities to `global.tls.caCert.secretName`, which is usually `pki/cert/ca`.
      # If you bind this role to `*`, keep its policy limited to that single read path: every service account
      # admitted by the role's bindings can assume it, so any extra capability granted here is effectively
      # granted to all of them.
      consulCARole: ""

      # This value defines additional annotations for
      # Vault agent on any pods where it'll be running.
      # This should be formatted as a multi-line string.
      #
      # ```yaml
      # annotations: |
      #   "sample/annotation1": "foo"
      #   "sample/annotation2": "bar"
      # ```
      #
      # @type: string
      agentAnnotations: null

      # Configuration for Vault server CA certificate. This certificate will be mounted
      # to any pod where Vault agent needs to run.
      # Without it the Vault agent has nothing to verify the Vault server's certificate against,
      # so set it whenever Vault is reached over TLS with a private CA.
      ca:
        # The name of the Kubernetes or Vault secret that holds the Vault CA certificate.
        # A Kubernetes secret must be in the same namespace that Consul is installed into.
        secretName: ""
        # The key within the Kubernetes or Vault secret that holds the Vault CA certificate.
        secretKey: ""

      # Configuration for the Vault Connect CA provider.
      # The provider will be configured to use the Vault Kubernetes auth method
      # and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole`
      # to have permissions to the root and intermediate PKI paths.
      # Please see https://www.consul.io/docs/connect/ca/vault#vault-acl-policies
      # for information on how to configure the Vault policies.
      connectCA:
        # The address of the Vault server.
        # Use an `https://` address so that Consul's calls to Vault are encrypted; the provider's
        # TLS options are documented at the Vault Connect CA configuration link below.
        address: ""

        # The mount path of the Kubernetes auth method in Vault.
        authMethodPath: "kubernetes"

        # The path to a PKI secrets engine for the root certificate.
        # For more details, please refer to [Vault Connect CA configuration](https://www.consul.io/docs/connect/ca/vault#rootpkipath).
        rootPKIPath: ""

        # The path to a PKI secrets engine for the generated intermediate certificate.
        # For more details, please refer to [Vault Connect CA configuration](https://www.consul.io/docs/connect/ca/vault#intermediatepkipath).
        intermediatePKIPath: ""

        # Additional Connect CA configuration in JSON format.
        # Please refer to [Vault Connect CA configuration](https://www.consul.io/docs/connect/ca/vault#configuration)
        # for all configuration options available for that provider.
        #
        # Example:
        #
        # ```yaml
        # additionalConfig: |
        #   {
        #     "connect": [{
        #       "ca_config": [{
        #         "namespace": "my-vault-ns",
        #         "leaf_cert_ttl": "36h"
        #       }]
        #     }]
        #   }
        # ```
        additionalConfig: |
          {}

      controller:
        # Configuration to the Vault Secret that Kubernetes will use on
        # Kubernetes CRD creation, deletion, and update, to get TLS certificates
        # issued by Vault for sending webhooks to the controller.
        tlsCert:
          # The Vault secret path that issues TLS certificates for controller
          # webhooks.
          # @type: string
          secretName: null

        # Configuration to the Vault Secret that Kubernetes will use on
        # Kubernetes CRD creation, deletion, and update, to get the CA certificate
        # issued by Vault for sending webhooks to the controller.
        caCert:
          # The Vault secret path that contains the CA certificate for controller
          # webhooks.
          # @type: string
          secretName: null

      connectInject:
        # Configuration to the Vault Secret that Kubernetes will use on
        # Kubernetes pod creation, deletion, and update, to get the CA certificate
        # issued by Vault for sending webhooks to the ConnectInject.
        caCert:
          # The Vault secret path that contains the CA certificate for
          # Connect Inject webhooks.
          # @type: string
          secretName: null

        # Configuration to the Vault Secret that Kubernetes will use on
        # Kubernetes pod creation, deletion, and update, to get TLS certificates
        # issued by Vault for sending webhooks to the ConnectInject.
        tlsCert:
          # The Vault secret path that issues TLS certificates for connect
          # inject webhooks.
          # @type: string
          secretName: null

  # Configures Consul's gossip encryption key.
  # (see `-encrypt` (https://www.consul.io/docs/agent/config/cli-flags#_encrypt)).
  # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually.
  # The recommended method is to automatically generate the key.
  # To automatically generate and set a gossip encryption key, set autoGenerate to true.
  # Values for secretName and secretKey should not be set if autoGenerate is true.
  # To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate
  # a key, saving this as a Kubernetes secret or Vault secret path and key.
  # If `global.secretsBackend.vault.enabled=true`, be sure to add the "data" component of the secretName path as required by
  # the Vault KV-2 secrets engine [see example].
  #
  # Security note: while neither `autoGenerate` nor `secretName` is set, gossip traffic between agents
  # is sent unencrypted. Also note that `$(consul keygen)` in the examples below puts the key on the
  # command line, where it can be recorded in shell history.
  #
  # ```shell-session
  # $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen)
  # ```
  #
  # Vault CLI Example:
  # ```shell-session
  # $ vault kv put consul/secrets/gossip key=$(consul keygen)
  # ```
  # `gossipEncryption.secretName="consul/data/secrets/gossip"`
  # `gossipEncryption.secretKey="key"`

  gossipEncryption:
    # Automatically generate a gossip encryption key and save it to a Kubernetes or Vault secret.
    autoGenerate: false
    # The name of the Kubernetes secret or Vault secret path that holds the gossip
    # encryption key. A Kubernetes secret must be in the same namespace that Consul is installed into.
    secretName: ""
    # The key within the Kubernetes secret or Vault secret key that holds the gossip
    # encryption key.
    secretKey: ""

  # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries.
  # These values are given as `-recursor` flags to Consul servers and clients.
  # See https://www.consul.io/docs/agent/config/cli-flags#_recursor for more details.
  # If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`).
  # Every name outside the Consul domain is forwarded to these resolvers, so list only resolvers you trust.
  # @type: array<string>
  recursors: [ ]

  # Enables TLS (https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure)
  # across the cluster to verify authenticity of the Consul servers and clients.
  # Requires Consul v1.4.1+.
  tls:
    # If true, the Helm chart will enable TLS for Consul
    # servers and clients and all consul-k8s-control-plane components, as well as generate certificate
    # authority (optional) and server and client certificates.
    # This setting is required for [Cluster Peering](/docs/connect/cluster-peering/k8s).
    # While this is false, agent-to-agent and control-plane traffic is unencrypted, and the
    # `verify` and `httpsOnly` settings below have nothing to take effect on.
    enabled: false

    # If true, turns on the auto-encrypt feature on clients and servers.
    # It also switches consul-k8s-control-plane components to retrieve the CA from the servers
    # via the API. Requires Consul 1.7.1+.
    enableAutoEncrypt: false

    # A list of additional DNS names to set as Subject Alternative Names (SANs)
    # in the server certificate. This is useful when you need to access the
    # Consul server(s) externally, for example, if you're using the UI.
    # @type: array<string>
    serverAdditionalDNSSANs: [ ]

    # A list of additional IP addresses to set as Subject Alternative Names (SANs)
    # in the server certificate. This is useful when you need to access the
    # Consul server(s) externally, for example, if you're using the UI.
    # @type: array<string>
    serverAdditionalIPSANs: [ ]

    # If true, `verify_outgoing`, `verify_server_hostname`,
    # and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients.
    # Set this to false to incrementally roll out TLS on an existing Consul cluster.
    # Please see https://consul.io/docs/k8s/operations/tls-on-existing-cluster
    # for more details.
    # With this false, agents do not verify each other's certificates in either direction; treat that
    # strictly as a transitional state during rollout and set it back to true afterwards.
    verify: true

    # If true, the Helm chart will configure Consul to disable the HTTP port on
    # both clients and servers and to only accept HTTPS connections.
    # Leave this true unless a client of the plaintext HTTP API genuinely cannot be migrated.
    httpsOnly: true

    # A secret containing the certificate of the CA to use for TLS communication within the Consul cluster.
    # If you have generated the CA yourself with the consul CLI, you could use the following command to create the secret
    # in Kubernetes:
    #
    # ```shell-session
    # $ kubectl create secret generic consul-ca-cert \
    #     --from-file='tls.crt=./consul-agent-ca.pem'
    # ```
    # If you are using Vault as a secrets backend with TLS, `caCert.secretName` must be provided and should reference
    # the CA path for your PKI secrets engine. This should be of the form `pki/cert/ca` where `pki` is the mount point of your PKI secrets engine.
    # A read policy must be created and associated with the CA cert path for `global.tls.caCert.secretName`.
    # This will be consumed by the `global.secretsBackend.vault.consulCARole` role by all Consul components.
    # When using Vault the secretKey is not used.
    caCert:
      # The name of the Kubernetes or Vault secret that holds the CA certificate.
      # @type: string
      secretName: null
      # The key within the Kubernetes or Vault secret that holds the CA certificate.
      # @type: string
      secretKey: null

    # A Kubernetes or Vault secret containing the private key of the CA to use for
    # TLS communication within the Consul cluster. If you have generated the CA yourself
    # with the consul CLI, you could use the following command to create the secret
    # in Kubernetes:
    #
    # ```shell-session
    # $ kubectl create secret generic consul-ca-key \
    #     --from-file='tls.key=./consul-agent-ca-key.pem'
    # ```
    #
    # Note that we need the CA key so that we can generate server and client certificates.
    # It is particularly important for the client certificates since they need to have host IPs
    # as Subject Alternative Names. In the future, we may support bringing your own server
    # certificates.
    #
    # Security note: because this key signs every server and client certificate, anyone who can read
    # the secret can mint an agent identity trusted by the whole cluster. Restrict RBAC read access
    # to it to the chart's own service accounts, or keep it in Vault via `global.secretsBackend.vault`.
    caKey:
      # The name of the Kubernetes or Vault secret that holds the CA key.
      # @type: string
      secretName: null
      # The key within the Kubernetes or Vault secret that holds the CA key.
      # @type: string
      secretKey: null

  # [Enterprise Only] `enableConsulNamespaces` indicates that you are running
  # Consul Enterprise v1.7+ with a valid Consul Enterprise license and would
  # like to make use of configuration beyond registering everything into
  # the `default` Consul namespace. Additional configuration
  # options are found in the `consulNamespaces` section of both the catalog sync
  # and connect injector.
  enableConsulNamespaces: false

  # Configure ACLs.
  acls:

    # If true, the Helm chart will automatically manage ACL tokens and policies
    # for all Consul and consul-k8s-control-plane components.
    # This requires Consul >= 1.4.
    # When false, the chart bootstraps no ACL system; unless you enable ACLs out-of-band, Consul
    # accepts API, catalog and KV requests from anything that can reach it without authentication.
    manageSystemACLs: false

    # A Kubernetes or Vault secret containing the bootstrap token to use for
    # creating policies and tokens for all Consul and consul-k8s-control-plane components.
    # If set, we will skip ACL bootstrapping of the servers and will only
    # initialize ACLs for the Consul clients and consul-k8s-control-plane system components.
    # This is the initial management token — it can create any policy or token — so store it in
    # Vault where possible and restrict who can read the Kubernetes secret.
    bootstrapToken:
      # The name of the Kubernetes or Vault secret that holds the bootstrap token.
      secretName: null
      # The key within the Kubernetes or Vault secret that holds the bootstrap token.
      secretKey: null

    # If true, an ACL token will be created that can be used in secondary
    # datacenters for replication. This should only be set to true in the
    # primary datacenter since the replication token must be created from that
    # datacenter.
    # In secondary datacenters, the secret needs to be imported from the primary
    # datacenter and referenced via `global.acls.replicationToken`.
    createReplicationToken: false

    # replicationToken references a secret containing the replication ACL token.
    # This token will be used by secondary datacenters to perform ACL replication
    # and create ACL tokens and policies.
    # This value is ignored if `bootstrapToken` is also set.
    replicationToken:
      # The name of the Kubernetes or Vault secret that holds the replication token.
      # @type: string
      secretName: null
      # The key within the Kubernetes or Vault secret that holds the replication token.
      # @type: string
      secretKey: null

    # partitionToken references a Vault secret containing the ACL token to be used in non-default partitions.
    # This value should only be provided in the default partition and only when setting
    # the `global.secretsBackend.vault.enabled` value to true.
    # Consul will use the value of the secret stored in Vault to create an ACL token in Consul with the value of the
    # secret as the secretID for the token.
    # In non-default partitions, set this secret as the `bootstrapToken`.
    partitionToken:
      # The name of the Vault secret that holds the partition token.
      # @type: string
      secretName: null
      # The key within the Vault secret that holds the partition token.
      # @type: string
      secretKey: null

    # tolerations configures the taints and tolerations for the server-acl-init
    # and server-acl-init-cleanup jobs. This should be a multi-line string matching the
    # Tolerations (https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec.
    tolerations: ""

    # This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
    # labels for the server-acl-init and server-acl-init-cleanup jobs pod assignment, formatted as a multi-line string.
    #
    # Example:
    #
    # ```yaml
    # nodeSelector: |
    #   beta.kubernetes.io/arch: amd64
    # ```
    #
    # @type: string
    nodeSelector: null

  # [Enterprise Only] This value refers to a Kubernetes or Vault secret that you have created
  # that contains your enterprise license. It is required if you are using an
  # enterprise binary. Defining it here applies it to your cluster once a leader
  # has been elected. If you are not using an enterprise image or if you plan to
  # introduce the license key via another route, then set these fields to null.
  # Note: the job to apply license runs on both Helm installs and upgrades.
  enterpriseLicense:
    # The name of the Kubernetes or Vault secret that holds the enterprise license.
    # A Kubernetes secret must be in the same namespace that Consul is installed into.
    # @type: string
    secretName: null
    # The key within the Kubernetes or Vault secret that holds the enterprise license.
    # @type: string
    secretKey: null
    # Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+.
    enableLicenseAutoload: true

  # Configure federation.
  federation:
    # If enabled, this datacenter will be federation-capable. Only federation
    # via mesh gateways is supported.
    # Mesh gateways and servers will be configured to allow federation.
    # Requires `global.tls.enabled`, `meshGateway.enabled` and `connectInject.enabled`
    # to be true. Requires Consul 1.8+.
    enabled: false

    # If true, the chart will create a Kubernetes secret that can be imported
    # into secondary datacenters so they can federate with this datacenter. The
    # secret contains all the information secondary datacenters need to contact
    # and authenticate with this datacenter. This should only be set to true
    # in your primary datacenter. The secret name is
    # `<global.name>-federation` (if setting `global.name`), otherwise
    # `<helm-release-name>-consul-federation`.
    # Because the secret is sufficient for another datacenter to authenticate to this one, treat it
    # as a credential: restrict read access to it and move it to the secondary over a secure channel.
    createFederationSecret: false

    # The name of the primary datacenter.
    # @type: string
    primaryDatacenter: null

    # A list of addresses of the primary mesh gateways in the form `<ip>:<port>`.
    # (e.g. ["1.1.1.1:443", "2.3.4.5:443"])
    # @type: array<string>
    primaryGateways: [ ]

    # If you are setting `global.federation.enabled` to true and are in a secondary datacenter,
    # set `k8sAuthMethodHost` to the address of the Kubernetes API server of the secondary datacenter.
    # This address must be reachable from the Consul servers in the primary datacenter.
    # This auth method will be used to provision ACL tokens for Consul components and is different
    # from the one used by the Consul Service Mesh.
    # Please see the [Kubernetes Auth Method documentation](https://consul.io/docs/acl/auth-methods/kubernetes).
    # Reaching the API server from another datacenter widens its network exposure; where your network
    # controls allow, limit the permitted source addresses to the primary's Consul servers.
    #
    # You can retrieve this value from your `kubeconfig` by running:
    #
    # ```shell-session
    # $ kubectl config view \
    #     -o jsonpath="{.clusters[?(@.name=='<your cluster name>')].cluster.server}"
    # ```
    #
    # @type: string
    k8sAuthMethodHost: null

  # Configures metrics for Consul service mesh
  metrics:
    # Configures the Helm chart’s components
    # to expose Prometheus metrics for the Consul service mesh. By default
    # this includes gateway metrics and sidecar metrics.
    # @type: boolean
    enabled: false

    # Configures consul agent metrics. Only applicable if
    # `global.metrics.enabled` is true.
    # @type: boolean
    enableAgentMetrics: false

    # Configures the retention time for metrics in Consul clients and
    # servers. This must be greater than 0 for Consul clients and servers
    # to expose any metrics at all.
    # Only applicable if `global.metrics.enabled` is true.
    # @type: string
    agentMetricsRetentionTime: 1m

    # If true, mesh, terminating, and ingress gateways will expose their
    # Envoy metrics on port `20200` at the `/metrics` path and all gateway pods
    # will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true.
    # NOTE(review): this file does not say whether the `/metrics` endpoint is authenticated; before
    # enabling it on externally reachable gateways, confirm that port 20200 is reachable only from
    # your scrape targets.
    # @type: boolean
    enableGatewayMetrics: true

  # The name (and tag) of the consul-dataplane Docker image used for the
  # connect-injected sidecar proxies and mesh, terminating, and ingress gateways.
  # The same tag-vs-digest pinning advice as for `image` applies here.
  # @default: hashicorp/consul-dataplane:<latest supported version>
  imageConsulDataplane: "hashicorp/consul-dataplane:1.0.0"

  # Configuration for running this Helm chart on the Red Hat OpenShift platform.
  # This Helm chart currently supports OpenShift v4.x+.
  openshift:
    # If true, the Helm chart will create necessary configuration for running
    # its components on OpenShift.
    enabled: false

  # The time in seconds that the consul API client will wait for a response from
  # the API before cancelling the request.
  consulAPITimeout: 5s

  # Enables installing an HCP Consul self-managed cluster.
  # Requires Consul v1.14+.
  cloud:
    # If true, the Helm chart will enable the installation of an HCP Consul
    # self-managed cluster.
    enabled: false

    # The name of the Kubernetes secret that holds the HCP resource id.
    # This is required when global.cloud.enabled is true.
    resourceId:
      # The name of the Kubernetes secret that holds the resource id.
      # @type: string
      secretName: null
      # The key within the Kubernetes secret that holds the resource id.
      # @type: string
      secretKey: null

    # The name of the Kubernetes secret that holds the HCP cloud client id.
    # This is required when global.cloud.enabled is true.
    clientId:
      # The name of the Kubernetes secret that holds the client id.
      # @type: string
      secretName: null
      # The key within the Kubernetes secret that holds the client id.
      # @type: string
      secretKey: null

    # The name of the Kubernetes secret that holds the HCP cloud client secret.
    # This is required when global.cloud.enabled is true.
    # Together with `clientId` this is an HCP client credential; restrict read access to the secret
    # accordingly and rotate it if the secret is ever exposed.
    clientSecret:
      # The name of the Kubernetes secret that holds the client secret.
      # @type: string
      secretName: null
      # The key within the Kubernetes secret that holds the client secret.
      # @type: string
      secretKey: null

    # The name of the Kubernetes secret that holds the HCP API hostname.
    # This is optional when global.cloud.enabled is true.
    apiHost:
      # The name of the Kubernetes secret that holds the api hostname.
      # @type: string
      secretName: null
      # The key within the Kubernetes secret that holds the api hostname.
      # @type: string
      secretKey: null

    # The name of the Kubernetes secret that holds the HCP cloud authorization url.
    # This is optional when global.cloud.enabled is true.
    authUrl:
      # The name of the Kubernetes secret that holds the authorization url.
      # @type: string
      secretName: null
      # The key within the Kubernetes secret that holds the authorization url.
      # @type: string
      secretKey: null

    # The name of the Kubernetes secret that holds the HCP cloud scada address.
    # This is optional when global.cloud.enabled is true.
    scadaAddress:
      # The name of the Kubernetes secret that holds the scada address.
      # @type: string
      secretName: null
      # The key within the Kubernetes secret that holds the scada address.
      # @type: string
      secretKey: null

# Server, when enabled, configures a server cluster to run. This should
|
||
# be disabled if you plan on connecting to a Consul cluster external to
|
||
# the Kube cluster.
|
||
server:
|
||
|
||
# If true, the chart will install all the resources necessary for a
|
||
# Consul server cluster. If you're running Consul externally and want agents
|
||
# within Kubernetes to join that cluster, this should probably be false.
|
||
# @default: global.enabled
|
||
# @type: boolean
|
||
enabled: "-"
|
||
|
||
# The name of the Docker image (including any tag) for the containers running
|
||
# Consul server agents.
|
||
# @type: string
|
||
image: null
|
||
|
||
# The number of server agents to run. This determines the fault tolerance of
|
||
# the cluster. Please see the deployment table (https://consul.io/docs/internals/consensus#deployment-table)
|
||
# for more information.
|
||
replicas: 1
|
||
|
||
# The number of servers that are expected to be running.
|
||
# It defaults to server.replicas.
|
||
# In most cases the default should be used, however if there are more
|
||
# servers in this datacenter than server.replicas it might make sense
|
||
# to override the default. This would be the case if two kube clusters
|
||
# were joined into the same datacenter and each cluster ran a certain number
|
||
# of servers.
|
||
# @type: int
|
||
bootstrapExpect: null
|
||
|
||
# A secret containing a certificate & key for the server agents to use
|
||
# for TLS communication within the Consul cluster. Cert needs to be provided with
|
||
# additional DNS name SANs so that it will work within the Kubernetes cluster:
|
||
#
|
||
# Kubernetes Secrets backend:
|
||
# ```bash
|
||
# consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \
|
||
# -key=consul-agent-ca-key.pem -dc={{datacenter}} \
|
||
# -additional-dnsname="{{fullname}}-server" \
|
||
# -additional-dnsname="*.{{fullname}}-server" \
|
||
# -additional-dnsname="*.{{fullname}}-server.{{namespace}}" \
|
||
# -additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \
|
||
# -additional-dnsname="*.server.{{datacenter}}.{{domain}}" \
|
||
# -additional-dnsname="server.{{datacenter}}.{{domain}}"
|
||
# ```
|
||
#
|
||
  # If you have generated the server-cert yourself with the consul CLI, you could use the following command
  # to create the secret in Kubernetes (note the line-continuation backslash after the first
  # `--from-file`; without it the second file is never added to the secret):
  #
  # ```bash
  # kubectl create secret generic consul-server-cert \
  #   --from-file='tls.crt=./dc1-server-consul-0.pem' \
  #   --from-file='tls.key=./dc1-server-consul-0-key.pem'
  # ```
  #
  # This secret contains the servers' private key. Keep the CA key (`consul-agent-ca-key.pem`,
  # only needed offline by `consul tls cert create`) out of the cluster, and restrict RBAC
  # read access to this secret to the Consul server service account.
|
||
#
|
||
# Vault Secrets backend:
|
||
# If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]`
|
||
# capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`.
|
||
# Please see the following guide for steps to generate a compatible certificate:
|
||
# https://learn.hashicorp.com/tutorials/consul/vault-pki-consul-secure-tls
|
||
# Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine
|
||
# must be provided.
|
||
serverCert:
|
||
# The name of the Vault secret that holds the PEM encoded server certificate.
|
||
# @type: string
|
||
secretName: null
|
||
|
||
  # Exposes the servers' gossip and RPC ports as hostPorts. To enable a client
  # agent outside of the k8s cluster to join the datacenter, you would need to
  # enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and
  # set `server.ports.serflan.port` to a port not being used on the host. Since
  # `client.exposeGossipPorts` uses the hostPort 8301,
  # `server.ports.serflan.port` must be set to something other than 8301.
  # Security note: hostPorts are reachable by anything that can reach the node's
  # network interface, bypassing the cluster's pod network. Only enable this with
  # gossip encryption, `global.tls` and `global.acls.manageSystemACLs` turned on, and
  # restrict the exposed ports to the expected peers with a node firewall or network policy.
|
||
exposeGossipAndRPCPorts: false
|
||
|
||
# Configures ports for the consul servers.
|
||
ports:
|
||
# Configures the LAN gossip port for the consul servers. If you choose to
|
||
# enable `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`,
|
||
# that will configure the LAN gossip ports on the servers and clients to be
|
||
# hostPorts, so if you are running clients and servers on the same node the
|
||
# ports will conflict if they are both 8301. When you enable
|
||
# `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, you must
|
||
# change this from the default to an unused port on the host, e.g. 9301. By
|
||
# default the LAN gossip port is 8301 and configured as a containerPort on
|
||
# the consul server Pods.
|
||
serflan:
|
||
port: 8301
|
||
|
||
# This defines the disk size for configuring the
|
||
# servers' StatefulSet storage. For dynamically provisioned storage classes, this is the
|
||
# desired size. For manually defined persistent volumes, this should be set to
|
||
# the disk size of the attached volume.
|
||
storage: 10Gi
|
||
|
||
# The StorageClass to use for the servers' StatefulSet storage. It must be
|
||
# able to be dynamically provisioned if you want the storage
|
||
# to be automatically created. For example, to use
|
||
# local(https://kubernetes.io/docs/concepts/storage/storage-classes/#local)
|
||
# storage classes, the PersistentVolumeClaims would need to be manually created.
|
||
# A `null` value will use the Kubernetes cluster's default StorageClass. If a default
|
||
# StorageClass does not exist, you will need to create one.
|
||
# Refer to the [Read/Write Tuning](https://www.consul.io/docs/install/performance#read-write-tuning)
|
||
# section of the Server Performance Requirements documentation for considerations
|
||
# around choosing a performant storage class.
|
||
#
|
||
# ~> **Note:** The [Reference Architecture](https://learn.hashicorp.com/tutorials/consul/reference-architecture#hardware-sizing-for-consul-servers)
|
||
# contains best practices and recommendations for selecting suitable
|
||
# hardware sizes for your Consul servers.
|
||
# @type: string
|
||
storageClass: null
|
||
|
||
# This will enable/disable Connect (https://consul.io/docs/connect). Setting this to true
|
||
# _will not_ automatically secure pod communication, this
|
||
# setting will only enable usage of the feature. Consul will automatically initialize
|
||
# a new CA and set of certificates. Additional Connect settings can be configured
|
||
# by setting the `server.extraConfig` value.
|
||
connect: true
|
||
|
||
serviceAccount:
|
||
# This value defines additional annotations for the server service account. This should be formatted as a multi-line
|
||
# string.
|
||
#
|
||
# ```yaml
|
||
# annotations: |
|
||
# "sample/annotation1": "foo"
|
||
# "sample/annotation2": "bar"
|
||
# ```
|
||
#
|
||
# @type: string
|
||
annotations: null
|
||
|
||
# The resource requests (CPU, memory, etc.)
|
||
# for each of the server agents. This should be a YAML map corresponding to a Kubernetes
|
||
# ResourceRequirements (https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core)
|
||
# object. NOTE: The use of a YAML string is deprecated.
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# resources:
|
||
# requests:
|
||
# memory: '100Mi'
|
||
# cpu: '100m'
|
||
# limits:
|
||
# memory: '100Mi'
|
||
# cpu: '100m'
|
||
# ```
|
||
#
|
||
# @recurse: false
|
||
# @type: map
|
||
resources:
|
||
requests:
|
||
memory: "100Mi"
|
||
cpu: "100m"
|
||
limits:
|
||
memory: "100Mi"
|
||
cpu: "100m"
|
||
|
||
# The security context for the server pods. This should be a YAML map corresponding to a
|
||
# Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object.
|
||
# By default, servers will run as non-root, with user ID `100` and group ID `1000`,
|
||
# which correspond to the consul user and group created by the Consul docker image.
|
||
# Note: if running on OpenShift, this setting is ignored because the user and group are set automatically
|
||
# by the OpenShift platform.
|
||
# @type: map
|
||
# @recurse: false
|
||
securityContext:
|
||
runAsNonRoot: true
|
||
runAsGroup: 1000
|
||
runAsUser: 100
|
||
fsGroup: 1000
|
||
|
||
  # The container securityContext for each container in the server pods. In
  # addition to the Pod's SecurityContext this can
  # set the capabilities of processes running in the container and ensure the
  # root filesystem in the container is read-only.
  # Note: the per-container contexts below default to `null`, so unless you set them the
  # server containers get no container-level hardening (no dropped capabilities,
  # `allowPrivilegeEscalation` left unset, writable root filesystem) beyond the pod-level
  # `securityContext` above. Consider setting `server.containerSecurityContext.server` to at
  # least `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, and verify
  # the servers still start in your environment.
  # @type: map
  # @recurse: true
|
||
containerSecurityContext:
|
||
# The consul server agent container
|
||
# @type: map
|
||
# @recurse: false
|
||
server: null
|
||
|
||
# This value is used to carefully
|
||
# control a rolling update of Consul server agents. This value specifies the
|
||
# partition (https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions)
|
||
# for performing a rolling update. Please read the linked Kubernetes documentation
|
||
# and https://www.consul.io/docs/k8s/upgrade#upgrading-consul-servers for more information.
|
||
updatePartition: 0
|
||
|
||
# This configures the PodDisruptionBudget (https://kubernetes.io/docs/tasks/run-application/configure-pdb/)
|
||
# for the server cluster.
|
||
disruptionBudget:
|
||
# This will enable/disable registering a PodDisruptionBudget for the server
|
||
# cluster. If this is enabled, it will only register the budget so long as
|
||
# the server cluster is enabled.
|
||
enabled: true
|
||
|
||
# The maximum number of unavailable pods. By default, this will be
|
||
# automatically computed based on the `server.replicas` value to be `(n/2)-1`.
|
||
# If you need to set this to `0`, you will need to add a
|
||
# --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation
|
||
# command because of a limitation in the Helm templating language.
|
||
# @type: integer
|
||
maxUnavailable: null
|
||
|
||
  # A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul
  # servers. This will be saved as-is into a ConfigMap that is read by the Consul
  # server agents. This can be used to add additional configuration that
  # isn't directly exposed by the chart.
  # Because a ConfigMap is not a secret store, do not place ACL tokens, gossip encryption
  # keys or other credentials here; mount them from a Kubernetes Secret via
  # `server.extraVolumes` (with `load: true`) instead.
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# extraConfig: |
|
||
# {
|
||
# "log_level": "DEBUG"
|
||
# }
|
||
# ```
|
||
#
|
||
# This can also be set using Helm's `--set` flag using the following syntax:
|
||
#
|
||
# ```shell-session
|
||
# --set 'server.extraConfig="{"log_level": "DEBUG"}"'
|
||
# ```
|
||
extraConfig: |
|
||
{}
|
||
|
||
# A list of extra volumes to mount for server agents. This
|
||
# is useful for bringing in extra data that can be referenced by other configurations
|
||
# at a well known path, such as TLS certificates or Gossip encryption keys. The
|
||
# value of this should be a list of objects.
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# extraVolumes:
|
||
# - type: secret
|
||
# name: consul-certs
|
||
# load: false
|
||
# ```
|
||
#
|
||
# Each object supports the following keys:
|
||
#
|
||
# - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive.
|
||
#
|
||
# - `name` - Name of the configMap or secret to be mounted. This also controls
|
||
# the path that it is mounted to. The volume will be mounted to `/consul/userconfig/<name>`.
|
||
#
|
||
# - `load` - If true, then the agent will be
|
||
# configured to automatically load HCL/JSON configuration files from this volume
|
||
# with `-config-dir`. This defaults to false.
|
||
#
|
||
# @type: array<map>
|
||
extraVolumes: [ ]
|
||
|
||
# A list of sidecar containers.
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# extraContainers:
|
||
# - name: extra-container
|
||
# image: example-image:latest
|
||
# command:
|
||
# - ...
|
||
# ```
|
||
# @type: array<map>
|
||
extraContainers: [ ]
|
||
|
||
# This value defines the affinity (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
|
||
# for server pods. It defaults to allowing only a single server pod on each node, which
|
||
# minimizes risk of the cluster becoming unusable if a node is lost. If you need
|
||
# to run more pods per node (for example, testing on Minikube), set this value
|
||
# to `null`.
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# affinity: |
|
||
# podAntiAffinity:
|
||
# requiredDuringSchedulingIgnoredDuringExecution:
|
||
# - labelSelector:
|
||
# matchLabels:
|
||
# app: {{ template "consul.name" . }}
|
||
# release: "{{ .Release.Name }}"
|
||
# component: server
|
||
# topologyKey: kubernetes.io/hostname
|
||
# ```
|
||
affinity: |
|
||
podAntiAffinity:
|
||
requiredDuringSchedulingIgnoredDuringExecution:
|
||
- labelSelector:
|
||
matchLabels:
|
||
app: {{ template "consul.name" . }}
|
||
release: "{{ .Release.Name }}"
|
||
component: server
|
||
topologyKey: kubernetes.io/hostname
|
||
|
||
# Toleration settings for server pods. This
|
||
# should be a multi-line string matching the Tolerations
|
||
# (https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec.
|
||
tolerations: ""
|
||
|
||
# Pod topology spread constraints for server pods.
|
||
# This should be a multi-line YAML string matching the `topologySpreadConstraints` array
|
||
# (https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) in a Pod Spec.
|
||
#
|
||
# This requires K8S >= 1.18 (beta) or 1.19 (stable).
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# topologySpreadConstraints: |
|
||
# - maxSkew: 1
|
||
# topologyKey: topology.kubernetes.io/zone
|
||
# whenUnsatisfiable: DoNotSchedule
|
||
# labelSelector:
|
||
# matchLabels:
|
||
# app: {{ template "consul.name" . }}
|
||
# release: "{{ .Release.Name }}"
|
||
# component: server
|
||
# ```
|
||
topologySpreadConstraints: ""
|
||
|
||
# This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
|
||
# labels for server pod assignment, formatted as a multi-line string.
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# nodeSelector: |
|
||
# beta.kubernetes.io/arch: amd64
|
||
# ```
|
||
#
|
||
# @type: string
|
||
nodeSelector: null
|
||
|
||
# This value references an existing
|
||
# Kubernetes `priorityClassName` (https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority)
|
||
# that can be assigned to server pods.
|
||
priorityClassName: ""
|
||
|
||
# Extra labels to attach to the server pods. This should be a YAML map.
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# extraLabels:
|
||
# labelKey: label-value
|
||
# anotherLabelKey: another-label-value
|
||
# ```
|
||
#
|
||
# @type: map
|
||
extraLabels: null
|
||
|
||
# This value defines additional annotations for
|
||
# server pods. This should be formatted as a multi-line string.
|
||
#
|
||
# ```yaml
|
||
# annotations: |
|
||
# "sample/annotation1": "foo"
|
||
# "sample/annotation2": "bar"
|
||
# ```
|
||
#
|
||
# @type: string
|
||
annotations: null
|
||
|
||
# Configures a service to expose ports on the Consul servers over a Kubernetes Service.
|
||
exposeService:
|
||
    # When enabled, deploys a Kubernetes Service to reach the Consul servers.
    # This publishes the servers' HTTP, HTTPS, serf, RPC and gRPC ports (see `nodePort`
    # below) outside the cluster, so enable it only with TLS, ACLs and gossip encryption
    # turned on and, for `type: LoadBalancer`, restrict the allowed source ranges.
    # @type: boolean
|
||
enabled: "-"
|
||
# Type of service, supports LoadBalancer or NodePort.
|
||
# @type: string
|
||
type: LoadBalancer
|
||
# If service is of type NodePort, configures the nodePorts.
|
||
nodePort:
|
||
# Configures the nodePort to expose the Consul server http port.
|
||
# @type: integer
|
||
http: null
|
||
# Configures the nodePort to expose the Consul server https port.
|
||
# @type: integer
|
||
https: null
|
||
# Configures the nodePort to expose the Consul server serf port.
|
||
# @type: integer
|
||
serf: null
|
||
# Configures the nodePort to expose the Consul server rpc port.
|
||
# @type: integer
|
||
rpc: null
|
||
# Configures the nodePort to expose the Consul server grpc port.
|
||
# @type: integer
|
||
grpc: null
|
||
    # This value defines additional annotations for the Service created by
    # `exposeService`. This should be formatted as a multi-line string.
|
||
#
|
||
# ```yaml
|
||
# annotations: |
|
||
# "sample/annotation1": "foo"
|
||
# "sample/annotation2": "bar"
|
||
# ```
|
||
#
|
||
# @type: string
|
||
annotations: null
|
||
|
||
# Server service properties.
|
||
service:
|
||
# Annotations to apply to the server service.
|
||
#
|
||
# ```yaml
|
||
# annotations: |
|
||
# "annotation-key": "annotation-value"
|
||
# ```
|
||
#
|
||
# @type: string
|
||
annotations: null
|
||
|
||
  # A list of extra environment variables to set within the server StatefulSet.
  # These could be used to include proxy settings required for cloud auto-join
  # feature, in case kubernetes cluster is behind egress http proxies. Additionally,
  # it could be used to configure custom consul parameters.
  # Values are rendered verbatim into the Pod spec, so do not pass tokens or other
  # credentials here; mount them from a Secret via `server.extraVolumes` instead.
  # @type: map
|
||
extraEnvironmentVars: { }
|
||
|
||
# [Enterprise Only] Values for setting up and running snapshot agents
|
||
# (https://consul.io/commands/snapshot/agent)
|
||
# within the Consul clusters. They run as a sidecar with Consul servers.
|
||
snapshotAgent:
|
||
# If true, the chart will install resources necessary to run the snapshot agent.
|
||
enabled: false
|
||
|
||
# Interval at which to perform snapshots.
|
||
# See https://www.consul.io/commands/snapshot/agent#interval
|
||
# @type: string
|
||
interval: 1h
|
||
|
||
# A Kubernetes or Vault secret that should be manually created to contain the entire
|
||
# config to be used on the snapshot agent.
|
||
# This is the preferred method of configuration since there are usually storage
|
||
# credentials present. Please see Snapshot agent config (https://consul.io/commands/snapshot/agent#config-file-options)
|
||
# for details.
|
||
configSecret:
|
||
# The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config.
|
||
# @type: string
|
||
secretName: null
|
||
# The key within the Kubernetes secret or Vault secret key that holds the snapshot agent config.
|
||
# @type: string
|
||
secretKey: null
|
||
|
||
# The resource settings for snapshot agent pods.
|
||
# @recurse: false
|
||
# @type: map
|
||
resources:
|
||
requests:
|
||
memory: "50Mi"
|
||
cpu: "50m"
|
||
limits:
|
||
memory: "50Mi"
|
||
cpu: "50m"
|
||
|
||
# Optional PEM-encoded CA certificate that will be added to the trusted system CAs.
|
||
# Useful if using an S3-compatible storage exposing a self-signed certificate.
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# caCert: |
|
||
# -----BEGIN CERTIFICATE-----
|
||
# MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx
|
||
# ...
|
||
# ```
|
||
# @type: string
|
||
caCert: null
|
||
|
||
# Configuration for Consul servers when the servers are running outside of Kubernetes.
|
||
# When running external servers, configuring these values is recommended
|
||
# if setting `global.tls.enableAutoEncrypt` to true
|
||
# or `global.acls.manageSystemACLs` to true.
|
||
externalServers:
  # If true, the Helm chart will be configured to talk to the external servers.
  # If setting this to true, you must also set `server.enabled` to false.
  enabled: false

  # An array of external Consul server hosts that are used to make
  # HTTPS connections from the components in this Helm chart.
  # Valid values include an IP, a DNS name, or an [exec=](https://github.com/hashicorp/go-netaddrs) string.
  # An `exec=` value runs the named command inside the component's container to discover
  # addresses, so treat it as code and only reference binaries you control.
  # The port must be provided separately below.
  # Note: This slice can only contain a single element.
  # Note: If enabling clients, `client.join` must also be set to the hosts that should be
  # used to join the cluster. In most cases, the `client.join` values
  # should be the same, however, they may be different if you
  # wish to use separate hosts for the HTTPS connections.
  # @type: array<string>
  hosts: [ ]

  # The HTTPS port of the Consul servers. Only TLS connections are made to this
  # port; there is no plaintext HTTP option for external servers.
  httpsPort: 8501

  # The GRPC port of the Consul servers.
  grpcPort: 8502

  # The server name to use as the SNI host header when connecting with HTTPS.
  # Set this when `hosts` contains an IP or a load balancer name that does not
  # match the SANs in the servers' certificate, so hostname verification still passes.
  # @type: string
  tlsServerName: null

  # If true, consul-k8s-control-plane components will ignore the CA set in
  # `global.tls.caCert` when making HTTPS calls to Consul servers and
  # will instead use the consul-k8s-control-plane image's system CAs for TLS verification.
  # If false, consul-k8s-control-plane components will use `global.tls.caCert` when
  # making HTTPS calls to Consul servers.
  # Security note: with system roots, any certificate chaining to a public CA is trusted,
  # so make sure the hostname is still verified (via `tlsServerName` or a DNS name in
  # `hosts`). Leave this false when the servers use a private Consul CA.
  # **NOTE:** This does not affect Consul's internal RPC communication which will
  # always use `global.tls.caCert`.
  useSystemRoots: false

  # If you are setting `global.acls.manageSystemACLs` and
  # `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server.
  # This address must be reachable from the Consul servers; the Kubernetes auth method uses
  # it to validate the service account tokens presented by workloads. Use the `https://`
  # URL from your kubeconfig, never a plaintext address.
  # Please see the Kubernetes Auth Method documentation (https://consul.io/docs/acl/auth-methods/kubernetes).
  #
  # You could retrieve this value from your `kubeconfig` by running:
  #
  # ```shell-session
  # $ kubectl config view \
  #   -o jsonpath="{.clusters[?(@.name=='<your cluster name>')].cluster.server}"
  # ```
  #
  # @type: string
  k8sAuthMethodHost: null

  # If true, setting this prevents the consul-dataplane and consul-k8s components from watching the Consul servers for changes. This is
  # useful for situations where Consul servers are behind a load balancer, i.e. when
  # `hosts` holds the load balancer address rather than individual server addresses.
  skipServerWatch: false
|
||
|
||
# Values that configure running a Consul client on Kubernetes nodes.
|
||
client:
|
||
# If true, the chart will install all
|
||
# the resources necessary for a Consul client on every Kubernetes node. This _does not_ require
|
||
# `server.enabled`, since the agents can be configured to join an external cluster.
|
||
# @type: boolean
|
||
enabled: false
|
||
|
||
# The name of the Docker image (including any tag) for the containers
|
||
# running Consul client agents.
|
||
# @type: string
|
||
image: null
|
||
|
||
# A list of valid `-retry-join` values (https://www.consul.io/docs/agent/config/cli-flags#_retry_join).
|
||
# If this is `null` (default), then the clients will attempt to automatically
|
||
# join the server cluster running within Kubernetes.
|
||
# This means that with `server.enabled` set to true, clients will automatically
|
||
# join that cluster. If `server.enabled` is not true, then a value must be
|
||
# specified so the clients can join a valid cluster.
|
||
# @type: array<string>
|
||
join: null
|
||
|
||
  # An absolute path to a directory on the host machine to use as the Consul
  # client data directory. If set to the empty string or null, the Consul agent
  # will store its data in the Pod's local filesystem (which will
  # be lost if the Pod is deleted). Security Warning: If setting this, any other pod
  # allowed to mount the same hostPath can read and modify all of Consul's client data,
  # which is not encrypted at rest. Pod Security Policies _must_ be enabled on your
  # cluster and in this Helm chart (via the `global.enablePodSecurityPolicies` setting)
  # to prevent this; on Kubernetes versions where PodSecurityPolicy has been removed,
  # enforce an equivalent restriction on hostPath volumes with Pod Security Admission
  # or another admission policy.
  # @type: string
|
||
dataDirectoryHostPath: null
|
||
|
||
# If true, agents will enable their GRPC listener on
|
||
# port 8502 and expose it to the host. This will use slightly more resources, but is
|
||
# required for Connect.
|
||
grpc: true
|
||
|
||
# nodeMeta specifies an arbitrary metadata key/value pair to associate with the node
|
||
# (see https://www.consul.io/docs/agent/config/cli-flags#_node_meta)
|
||
nodeMeta:
|
||
pod-name: ${HOSTNAME}
|
||
host-ip: ${HOST_IP}
|
||
|
||
# If true, the Helm chart will expose the clients' gossip ports as hostPorts.
|
||
# This is only necessary if pod IPs in the k8s cluster are not directly routable
|
||
# and the Consul servers are outside of the k8s cluster.
|
||
# This also changes the clients' advertised IP to the `hostIP` rather than `podIP`.
|
||
exposeGossipPorts: false
|
||
|
||
serviceAccount:
|
||
# This value defines additional annotations for the client service account. This should be formatted as a multi-line
|
||
# string.
|
||
#
|
||
# ```yaml
|
||
# annotations: |
|
||
# "sample/annotation1": "foo"
|
||
# "sample/annotation2": "bar"
|
||
# ```
|
||
#
|
||
# @type: string
|
||
annotations: null
|
||
|
||
# The resource settings for Client agents.
|
||
# NOTE: The use of a YAML string is deprecated. Instead, set directly as a
|
||
# YAML map.
|
||
# @recurse: false
|
||
# @type: map
|
||
resources:
|
||
requests:
|
||
memory: "100Mi"
|
||
cpu: "100m"
|
||
limits:
|
||
memory: "100Mi"
|
||
cpu: "100m"
|
||
|
||
  # The security context for the client pods. This should be a YAML map corresponding to a
  # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object.
  # By default, clients will run as non-root, with user ID `100` and group ID `1000`,
  # which correspond to the consul user and group created by the Consul docker image.
  # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically
  # by the OpenShift platform.
  # @type: map
  # @recurse: false
|
||
securityContext:
|
||
runAsNonRoot: true
|
||
runAsGroup: 1000
|
||
runAsUser: 100
|
||
fsGroup: 1000
|
||
|
||
# The container securityContext for each container in the client pods. In
|
||
# addition to the Pod's SecurityContext this can
|
||
# set the capabilities of processes running in the container and ensure the
|
||
# root file systems in the container is read-only.
|
||
# @type: map
|
||
# @recurse: true
|
||
containerSecurityContext:
|
||
# The consul client agent container
|
||
# @type: map
|
||
# @recurse: false
|
||
client: null
|
||
# The acl-init initContainer
|
||
# @type: map
|
||
# @recurse: false
|
||
aclInit: null
|
||
# The tls-init initContainer
|
||
# @type: map
|
||
# @recurse: false
|
||
tlsInit: null
|
||
|
||
# A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul
|
||
# clients. This will be saved as-is into a ConfigMap that is read by the Consul
|
||
# client agents. This can be used to add additional configuration that
|
||
# isn't directly exposed by the chart.
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# extraConfig: |
|
||
# {
|
||
# "log_level": "DEBUG"
|
||
# }
|
||
# ```
|
||
#
|
||
# This can also be set using Helm's `--set` flag using the following syntax:
|
||
#
|
||
# ```shell-session
|
||
# --set 'client.extraConfig="{"log_level": "DEBUG"}"'
|
||
# ```
|
||
extraConfig: |
|
||
{}
|
||
|
||
# A list of extra volumes to mount for client agents. This
|
||
# is useful for bringing in extra data that can be referenced by other configurations
|
||
# at a well known path, such as TLS certificates or Gossip encryption keys. The
|
||
# value of this should be a list of objects.
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# extraVolumes:
|
||
# - type: secret
|
||
# name: consul-certs
|
||
# load: false
|
||
# ```
|
||
#
|
||
# Each object supports the following keys:
|
||
#
|
||
# - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive.
|
||
#
|
||
# - `name` - Name of the configMap or secret to be mounted. This also controls
|
||
# the path that it is mounted to. The volume will be mounted to `/consul/userconfig/<name>`.
|
||
#
|
||
# - `load` - If true, then the agent will be
|
||
# configured to automatically load HCL/JSON configuration files from this volume
|
||
# with `-config-dir`. This defaults to false.
|
||
#
|
||
# @type: array<map>
|
||
extraVolumes: [ ]
|
||
|
||
# A list of sidecar containers.
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# extraContainers:
|
||
# - name: extra-container
|
||
# image: example-image:latest
|
||
# command:
|
||
# - ...
|
||
# ```
|
||
# @type: array<map>
|
||
extraContainers: [ ]
|
||
|
||
# Toleration Settings for Client pods
|
||
# This should be a multi-line string matching the Toleration array
|
||
# in a PodSpec.
|
||
# The example below will allow Client pods to run on every node
|
||
# regardless of taints
|
||
#
|
||
# ```yaml
|
||
# tolerations: |
|
||
# - operator: Exists
|
||
# ```
|
||
tolerations: ""
|
||
|
||
# nodeSelector labels for client pod assignment, formatted as a multi-line string.
|
||
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# nodeSelector: |
|
||
# beta.kubernetes.io/arch: amd64
|
||
# ```
|
||
# @type: string
|
||
nodeSelector: null
|
||
|
||
# Affinity Settings for Client pods, formatted as a multi-line YAML string.
|
||
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# affinity: |
|
||
# nodeAffinity:
|
||
# requiredDuringSchedulingIgnoredDuringExecution:
|
||
# nodeSelectorTerms:
|
||
# - matchExpressions:
|
||
# - key: node-role.kubernetes.io/master
|
||
# operator: DoesNotExist
|
||
# ```
|
||
# @type: string
|
||
affinity: null
|
||
|
||
# This value references an existing
|
||
# Kubernetes `priorityClassName` (https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority)
|
||
# that can be assigned to client pods.
|
||
priorityClassName: ""
|
||
|
||
# This value defines additional annotations for
|
||
# client pods. This should be formatted as a multi-line string.
|
||
#
|
||
# ```yaml
|
||
# annotations: |
|
||
# "sample/annotation1": "foo"
|
||
# "sample/annotation2": "bar"
|
||
# ```
|
||
#
|
||
# @type: string
|
||
annotations: null
|
||
|
||
# Extra labels to attach to the client pods. This should be a regular YAML map.
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# extraLabels:
|
||
# labelKey: label-value
|
||
# anotherLabelKey: another-label-value
|
||
# ```
|
||
#
|
||
# @type: map
|
||
extraLabels: null
|
||
|
||
  # A list of extra environment variables to set within the client DaemonSet.
  # These could be used to include proxy settings required for cloud auto-join
  # feature, in case kubernetes cluster is behind egress http proxies. Additionally,
  # it could be used to configure custom consul parameters.
  # Values are rendered verbatim into the Pod spec, so do not pass tokens or other
  # credentials here; mount them from a Secret via `client.extraVolumes` instead.
  # @type: map
|
||
extraEnvironmentVars: { }
|
||
|
||
# This value defines the Pod DNS policy (https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy)
|
||
# for client pods to use.
|
||
# @type: string
|
||
dnsPolicy: null
|
||
|
||
# hostNetwork defines whether or not we use host networking instead of hostPort in the event
|
||
# that a CNI plugin doesn't support `hostPort`. This has security implications and is not recommended
|
||
# as doing so gives the consul client unnecessary access to all network traffic on the host.
|
||
# In most cases, pod network and host network are on different networks so this should be
|
||
# combined with `dnsPolicy: ClusterFirstWithHostNet`
|
||
hostNetwork: false
|
||
|
||
# updateStrategy for the DaemonSet.
|
||
# See https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy.
|
||
# This should be a multi-line string mapping directly to the updateStrategy
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# updateStrategy: |
|
||
# rollingUpdate:
|
||
# maxUnavailable: 5
|
||
# type: RollingUpdate
|
||
# ```
|
||
#
|
||
# @type: string
|
||
updateStrategy: null
|
||
|
||
# Configuration for DNS configuration within the Kubernetes cluster.
|
||
# This creates a service that routes to all agents (client or server)
|
||
# for serving DNS requests. This DOES NOT automatically configure kube-dns
|
||
# today, so you must still manually configure a `stubDomain` with kube-dns
|
||
# for this to have any effect:
|
||
# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers
|
||
dns:
  # If true, the Consul DNS Service is created. Like the other components, the
  # `"-"` placeholder means this follows `global.enabled` unless overridden.
  # @type: boolean
  enabled: "-"

  # If true, services using Consul Connect will use Consul DNS
  # for default DNS resolution. The DNS lookups fall back to the nameserver IPs
  # listed in /etc/resolv.conf if not found in Consul.
  # @type: boolean
  enableRedirection: "-"

  # Used to control the type of service created. For
  # example, setting this to "LoadBalancer" will create an external load
  # balancer (for supported K8S installations). Note that a LoadBalancer makes the
  # service catalog queryable by anyone who can reach that address; keep the
  # default `ClusterIP` unless external DNS resolution is genuinely required.
  type: ClusterIP

  # Set a predefined cluster IP for the DNS service.
  # Useful if you need to reference the DNS service's IP
  # address in CoreDNS config (e.g. the `stubDomain` forwarding rule).
  # @type: string
  clusterIP: null

  # Extra annotations to attach to the dns service
  # This should be a multi-line string of
  # annotations to apply to the dns Service
  # @type: string
  annotations: null

  # Additional ServiceSpec values
  # This should be a multi-line string mapping directly to a Kubernetes
  # ServiceSpec object (for example `loadBalancerSourceRanges` when `type` is LoadBalancer).
  # @type: string
  additionalSpec: null
|
||
|
||
# Values that configure the Consul UI.
|
||
ui:
|
||
# If true, the UI will be enabled. This will
|
||
# only _enable_ the UI, it doesn't automatically register any service for external
|
||
# access. The UI will only be enabled on server agents. If `server.enabled` is
|
||
# false, then this setting has no effect. To expose the UI in some way, you must
|
||
# configure `ui.service`.
|
||
# @default: global.enabled
|
||
# @type: boolean
|
||
enabled: "-"
|
||
|
||
# Configure the service for the Consul UI.
|
||
service:
|
||
# This will enable/disable registering a
|
||
# Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is
|
||
# true and is itself in effect (it has no effect when `server.enabled` is false, see above).
|
||
enabled: true
|
||
|
||
# The service type to register.
|
||
# @type: string
|
||
type: null
|
||
|
||
# Set the port value of the UI service.
|
||
port:
|
||
|
||
# HTTP port.
|
||
http: 80
|
||
|
||
# HTTPS port.
|
||
https: 443
|
||
|
||
# Optionally set the nodePort value of the ui service if using a NodePort service.
|
||
# If not set and using a NodePort service, Kubernetes will automatically assign
|
||
# a port.
|
||
nodePort:
|
||
|
||
# HTTP node port
|
||
# @type: integer
|
||
http: null
|
||
|
||
# HTTPS node port
|
||
# @type: integer
|
||
https: null
|
||
|
||
# Annotations to apply to the UI service.
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# annotations: |
|
||
# 'annotation-key': annotation-value
|
||
# ```
|
||
# @type: string
|
||
annotations: null
|
||
|
||
# Additional ServiceSpec values
|
||
# This should be a multi-line string mapping directly to a Kubernetes
|
||
# ServiceSpec object.
|
||
# @type: string
|
||
additionalSpec: null
|
||
|
||
# Configure Ingress for the Consul UI.
|
||
# If `global.tls.enabled` is set to `true`, the Ingress will expose
|
||
# the port 443 on the UI service. Please ensure the Ingress Controller
|
||
# supports SSL pass-through and it is enabled to ensure traffic forwarded
|
||
# to port 443 has not been TLS terminated.
|
||
ingress:
|
||
# This will create an Ingress resource for the Consul UI.
|
||
# @type: boolean
|
||
enabled: false
|
||
|
||
# Optionally set the ingressClassName.
|
||
ingressClassName: ""
|
||
|
||
# pathType override - see: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
|
||
pathType: Prefix
|
||
|
||
# hosts is a list of host name to create Ingress rules.
|
||
#
|
||
# ```yaml
|
||
# hosts:
|
||
# - host: foo.bar
|
||
# paths:
|
||
# - /example
|
||
# - /test
|
||
# ```
|
||
#
|
||
# @type: array<map>
|
||
hosts: [ ]
|
||
|
||
# tls is a list of hosts and secret name in an Ingress
|
||
# which tells the Ingress controller to secure the channel.
|
||
#
|
||
# ```yaml
|
||
# tls:
|
||
# - hosts:
|
||
# - chart-example.local
|
||
# secretName: testsecret-tls
|
||
# ```
|
||
# @type: array<map>
|
||
tls: [ ]
|
||
|
||
# Annotations to apply to the UI ingress.
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# annotations: |
|
||
# 'annotation-key': annotation-value
|
||
# ```
|
||
# @type: string
|
||
annotations: null
|
||
|
||
# Configurations for displaying metrics in the UI.
|
||
metrics:
|
||
# Enable displaying metrics in the UI. The default value of "-"
|
||
# will inherit from `global.metrics.enabled` value.
|
||
# @type: boolean
|
||
# @default: global.metrics.enabled
|
||
enabled: "-"
|
||
# Provider for metrics. See
|
||
# https://www.consul.io/docs/agent/options#ui_config_metrics_provider
|
||
# This value is only used if `ui.enabled` is set to true.
|
||
# @type: string
|
||
provider: "prometheus"
|
||
|
||
# baseURL is the URL of the prometheus server, usually the service URL.
|
||
# This value is only used if `ui.enabled` is set to true.
|
||
# @type: string
|
||
baseURL: http://prometheus-server
|
||
|
||
# Corresponds to https://www.consul.io/docs/agent/options#ui_config_dashboard_url_templates configuration.
|
||
dashboardURLTemplates:
|
||
# Sets https://www.consul.io/docs/agent/options#ui_config_dashboard_url_templates_service.
|
||
service: ""
|
||
|
||
# Configure the catalog sync process to sync K8S with Consul
|
||
# services. This can run bidirectional (default) or unidirectionally (Consul
|
||
# to K8S or K8S to Consul only).
|
||
#
|
||
# This process assumes that a Consul agent is available on the host IP.
|
||
# This is done automatically if clients are enabled. If clients are not
|
||
# enabled then set the node selection so that it chooses a node with a
|
||
# Consul agent.
|
||
syncCatalog:
|
||
# True if you want to enable the catalog sync. Set to "-" to inherit from
|
||
# global.enabled.
|
||
enabled: false
|
||
|
||
# The name of the Docker image (including any tag) for consul-k8s-control-plane
|
||
# to run the sync program.
|
||
# @type: string
|
||
image: null
|
||
|
||
# If true, all valid services in K8S are
|
||
# synced by default. If false, the service must be annotated
|
||
# (https://consul.io/docs/k8s/service-sync#sync-enable-disable) properly to sync.
|
||
# In either case an annotation can override the default.
|
||
default: true
|
||
|
||
# Optional priorityClassName.
|
||
priorityClassName: ""
|
||
|
||
# If true, will sync Kubernetes services to Consul. This can be disabled to
|
||
# have a one-way sync.
|
||
toConsul: true
|
||
|
||
# If true, will sync Consul services to Kubernetes. This can be disabled to
|
||
# have a one-way sync.
|
||
toK8S: true
|
||
|
||
# Service prefix to prepend to services before registering
|
||
# with Kubernetes. For example "consul-" will register all services
|
||
# prepended with "consul-". (Consul -> Kubernetes sync)
|
||
# @type: string
|
||
k8sPrefix: null
|
||
|
||
# List of k8s namespaces to sync the k8s services from.
|
||
# If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`,
|
||
# services in that k8s namespace will not be synced even if they are explicitly
|
||
# annotated. Use `["*"]` to automatically allow all k8s namespaces.
|
||
#
|
||
# For example, `["namespace1", "namespace2"]` will only allow services in the k8s
|
||
# namespaces `namespace1` and `namespace2` to be synced and registered
|
||
# with Consul. All other k8s namespaces will be ignored.
|
||
#
|
||
# To deny all namespaces, set this to `[]`.
|
||
#
|
||
# Note: `k8sDenyNamespaces` takes precedence over values defined here.
|
||
# @type: array<string>
|
||
k8sAllowNamespaces: [ "*" ]
|
||
|
||
# List of k8s namespaces that should not have their
|
||
# services synced. This list takes precedence over `k8sAllowNamespaces`.
|
||
# `*` is not supported because then nothing would be allowed to sync.
|
||
#
|
||
# For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is
|
||
# `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1`
|
||
# and `namespace2` will be synced.
|
||
# @type: array<string>
|
||
k8sDenyNamespaces: [ "kube-system", "kube-public" ]
|
||
|
||
# [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For
|
||
# backwards compatibility, if both this and the allow/deny lists are set,
|
||
# the allow/deny lists will be ignored.
|
||
# k8sSourceNamespace is the Kubernetes namespace to watch for service
|
||
# changes and sync to Consul. If this is not set then it will default
|
||
# to all namespaces.
|
||
# @type: string
|
||
k8sSourceNamespace: null
|
||
|
||
# [Enterprise Only] These settings manage the catalog sync's interaction with
|
||
# Consul namespaces (requires consul-ent v1.7+).
|
||
# Also, `global.enableConsulNamespaces` must be true.
|
||
consulNamespaces:
|
||
# Name of the Consul namespace to register all
|
||
# k8s services into. If the Consul namespace does not already exist,
|
||
# it will be created. This will be ignored if `mirroringK8S` is true.
|
||
consulDestinationNamespace: "default"
|
||
|
||
# If true, k8s services will be registered into a Consul namespace
|
||
# of the same name as their k8s namespace, optionally prefixed if
|
||
# `mirroringK8SPrefix` is set below. If the Consul namespace does not
|
||
# already exist, it will be created. Turning this on overrides the
|
||
# `consulDestinationNamespace` setting.
|
||
# `addK8SNamespaceSuffix` may no longer be needed if enabling this option.
|
||
# If mirroring is enabled, avoid creating any Consul resources in the following
|
||
# Kubernetes namespaces, as Consul currently reserves these namespaces for
|
||
# system use: "system", "universal", "operator", "root".
|
||
mirroringK8S: true
|
||
|
||
# If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
|
||
# to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a
|
||
# service in the k8s `staging` namespace will be registered into the
|
||
# `k8s-staging` Consul namespace.
|
||
mirroringK8SPrefix: ""
|
||
|
||
# Appends Kubernetes namespace suffix to
|
||
# each service name synced to Consul, separated by a dash.
|
||
# For example, for a service 'foo' in the default namespace,
|
||
# the sync process will create a Consul service named 'foo-default'.
|
||
# Set this flag to true to avoid registering services with the same name
|
||
# but in different namespaces as instances for the same Consul service.
|
||
# Namespace suffix is not added if 'annotationServiceName' is provided.
|
||
addK8SNamespaceSuffix: true
|
||
|
||
# Service prefix which prepends itself
|
||
# to Kubernetes services registered within Consul
|
||
# For example, "k8s-" will register all services prepended with "k8s-".
|
||
# (Kubernetes -> Consul sync)
|
||
# consulPrefix is ignored when 'annotationServiceName' is provided.
|
||
# NOTE: Updating this property to a non-null value for an existing installation will result in deregistering
|
||
# of existing services in Consul and registering them with a new name.
|
||
# @type: string
|
||
consulPrefix: null
|
||
|
||
# Optional tag that is applied to all of the Kubernetes services
|
||
# that are synced into Consul. If nothing is set, defaults to "k8s".
|
||
# (Kubernetes -> Consul sync)
|
||
# @type: string
|
||
k8sTag: null
|
||
|
||
# Defines the Consul synthetic node that all services
|
||
# will be registered to.
|
||
# NOTE: Changing the node name and upgrading the Helm chart will leave
|
||
# all of the previously sync'd services registered with Consul and
|
||
# register them again under the new Consul node name. The out-of-date
|
||
# registrations will need to be explicitly removed.
|
||
consulNodeName: "k8s-sync"
|
||
|
||
# Syncs services of the ClusterIP type, which may
|
||
# or may not be broadly accessible depending on your Kubernetes cluster.
|
||
# Set this to false to skip syncing ClusterIP services.
|
||
syncClusterIPServices: true
|
||
|
||
# Configures the type of syncing that happens for NodePort
|
||
# services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst.
|
||
#
|
||
# - ExternalOnly will only use a node's ExternalIP address for the sync
|
||
# - InternalOnly uses the node's InternalIP address
|
||
# - ExternalFirst will preferentially use the node's ExternalIP address, but
|
||
# if it doesn't exist, it will use the node's InternalIP address instead.
|
||
nodePortSyncType: ExternalFirst
|
||
|
||
# Refers to a Kubernetes secret that you have created that contains
|
||
# an ACL token for your Consul cluster which allows the sync process the correct
|
||
# permissions. This is only needed if ACLs are managed manually within the Consul cluster, i.e. `global.acls.manageSystemACLs` is `false`.
|
||
aclSyncToken:
|
||
# The name of the Kubernetes secret that holds the acl sync token.
|
||
# @type: string
|
||
secretName: null
|
||
# The key within the Kubernetes secret that holds the acl sync token.
|
||
# @type: string
|
||
secretKey: null
|
||
|
||
# This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
|
||
# labels for catalog sync pod assignment, formatted as a multi-line string.
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# nodeSelector: |
|
||
# beta.kubernetes.io/arch: amd64
|
||
# ```
|
||
#
|
||
# @type: string
|
||
nodeSelector: null
|
||
|
||
# Affinity Settings
|
||
# This should be a multi-line string matching the affinity object
|
||
# @type: string
|
||
affinity: null
|
||
|
||
# Toleration Settings
|
||
# This should be a multi-line string matching the Toleration array
|
||
# in a PodSpec.
|
||
# @type: string
|
||
tolerations: null
|
||
|
||
serviceAccount:
|
||
# This value defines additional annotations for the catalog sync service account. This should be formatted as a
|
||
# multi-line string.
|
||
#
|
||
# ```yaml
|
||
# annotations: |
|
||
# "sample/annotation1": "foo"
|
||
# "sample/annotation2": "bar"
|
||
# ```
|
||
#
|
||
# @type: string
|
||
annotations: null
|
||
|
||
# The resource settings for sync catalog pods.
|
||
# @recurse: false
|
||
# @type: map
|
||
resources:
|
||
requests:
|
||
memory: "50Mi"
|
||
cpu: "50m"
|
||
limits:
|
||
memory: "50Mi"
|
||
cpu: "50m"
|
||
|
||
# Override global log verbosity level. One of "debug", "info", "warn", or "error".
|
||
# @type: string
|
||
logLevel: ""
|
||
|
||
# Override the default interval to perform syncing operations creating Consul services.
|
||
# @type: string
|
||
consulWriteInterval: null
|
||
|
||
# Extra labels to attach to the sync catalog pods. This should be a YAML map.
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# extraLabels:
|
||
# labelKey: label-value
|
||
# anotherLabelKey: another-label-value
|
||
# ```
|
||
#
|
||
# @type: map
|
||
extraLabels: null
|
||
|
||
# This value defines additional annotations for
|
||
# the catalog sync pods. This should be formatted as a multi-line string.
|
||
#
|
||
# ```yaml
|
||
# annotations: |
|
||
# "sample/annotation1": "foo"
|
||
# "sample/annotation2": "bar"
|
||
# ```
|
||
#
|
||
# @type: string
|
||
annotations: null
|
||
|
||
# Configures the automatic Connect sidecar injector.
|
||
connectInject:
|
||
# True if you want to enable connect injection. Set to "-" to inherit from
|
||
# global.enabled.
|
||
enabled: true
|
||
|
||
# The number of deployment replicas.
|
||
replicas: 1
|
||
|
||
# Image for consul-k8s-control-plane that contains the injector.
|
||
# @type: string
|
||
image: null
|
||
|
||
# If true, the injector will inject the
|
||
# Connect sidecar into all pods by default. Otherwise, pods must specify the
|
||
# injection annotation (https://consul.io/docs/k8s/connect#consul-hashicorp-com-connect-inject)
|
||
# to opt-in to Connect injection. If this is true, pods can use the same annotation
|
||
# to explicitly opt-out of injection.
|
||
default: false
|
||
|
||
# Configures Transparent Proxy for Consul Service mesh services.
|
||
# Using this feature requires Consul 1.10.0-beta1+.
|
||
transparentProxy:
|
||
# If true, then all Consul Service mesh will run with transparent proxy enabled by default,
|
||
# i.e. we enforce that all traffic within the pod will go through the proxy.
|
||
# This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation.
|
||
defaultEnabled: true
|
||
|
||
# If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead.
|
||
# This setting is recommended because with traffic being enforced to go through the Envoy proxy,
|
||
# the probes on the pod will fail because kube-proxy doesn't have the right certificates
|
||
# to talk to Envoy.
|
||
# This value is also overridable via the "consul.hashicorp.com/transparent-proxy-overwrite-probes" annotation.
|
||
# Note: This value has no effect if transparent proxy is disabled on the pod.
|
||
defaultOverwriteProbes: true
|
||
|
||
# This configures the PodDisruptionBudget (https://kubernetes.io/docs/tasks/run-application/configure-pdb/)
|
||
# for the service mesh sidecar injector.
|
||
disruptionBudget:
|
||
# This will enable/disable registering a PodDisruptionBudget for the
|
||
# service mesh sidecar injector. If this is enabled, it will only register the budget so long as
|
||
# the service mesh is enabled.
|
||
enabled: true
|
||
|
||
# The maximum number of unavailable pods. By default, this will be
|
||
# automatically computed based on the `connectInject.replicas` value to be `(n/2)-1`.
|
||
# If you need to set this to `0`, you will need to add a
|
||
# `--set 'connectInject.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation
|
||
# command because of a limitation in the Helm templating language.
|
||
# @type: integer
|
||
maxUnavailable: null
|
||
|
||
# The minimum number of available pods.
|
||
# Takes precedence over maxUnavailable if set.
|
||
# @type: integer
|
||
minAvailable: null
|
||
|
||
# Configures consul-cni plugin for Consul Service mesh services
|
||
cni:
|
||
# If true, then all traffic redirection setup will use the consul-cni plugin.
|
||
# Requires connectInject.enabled to also be true.
|
||
# @type: boolean
|
||
enabled: false
|
||
|
||
# Log level for the installer and plugin. Overrides global.logLevel
|
||
# @type: string
|
||
logLevel: null
|
||
|
||
# Set the namespace to install the CNI plugin into. Overrides global namespace settings for CNI resources.
|
||
# Ex: "kube-system"
|
||
# @type: string
|
||
namespace: null
|
||
|
||
# Location on the kubernetes node where the CNI plugin is installed. Should be the absolute path and start with a '/'
|
||
# Example on GKE:
|
||
#
|
||
# ```yaml
|
||
# cniBinDir: "/home/kubernetes/bin"
|
||
# ```
|
||
# @type: string
|
||
cniBinDir: "/opt/cni/bin"
|
||
|
||
# Location on the kubernetes node of all CNI configuration. Should be the absolute path and start with a '/'
|
||
# @type: string
|
||
cniNetDir: "/etc/cni/net.d"
|
||
|
||
# If multus CNI plugin is enabled with consul-cni. When enabled, consul-cni will not be installed as a chained
|
||
# CNI plugin. Instead, a NetworkAttachmentDefinition CustomResourceDefinition (CRD) will be created in the helm
|
||
# release namespace. Following multus plugin standards, an annotation is required in order for the consul-cni plugin
|
||
# to be executed and for your service to be added to the Consul Service Mesh.
|
||
#
|
||
# Add the annotation `'k8s.v1.cni.cncf.io/networks': '[{ "name":"consul-cni","namespace": "consul" }]'` to your pod
|
||
# to use the default installed NetworkAttachmentDefinition CRD.
|
||
#
|
||
# Please refer to the [Multus Quickstart Guide](https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/quickstart.md)
|
||
# for more information about using multus.
|
||
# @type: boolean
|
||
multus: false
|
||
|
||
# The resource settings for CNI installer daemonset.
|
||
# @recurse: false
|
||
# @type: map
|
||
resources:
|
||
requests:
|
||
memory: "75Mi"
|
||
cpu: "75m"
|
||
limits:
|
||
memory: "100Mi"
|
||
cpu: "100m"
|
||
|
||
# Resource quotas for running the daemonset as system critical pods
|
||
resourceQuota:
|
||
pods: 5000
|
||
|
||
# The security context for the CNI installer daemonset. This should be a YAML map corresponding to a
|
||
# Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object.
|
||
# By default, the CNI installer pods will run as root, with user ID `0` and group ID `0`.
|
||
# Note: if running on OpenShift, this setting is ignored because the user and group are set automatically
|
||
# by the OpenShift platform.
|
||
# @type: map
|
||
# @recurse: false
|
||
securityContext:
|
||
runAsNonRoot: false
|
||
runAsGroup: 0
|
||
runAsUser: 0
|
||
|
||
# updateStrategy for the CNI installer DaemonSet.
|
||
# See https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy.
|
||
# This should be a multi-line string mapping directly to the updateStrategy
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# updateStrategy: |
|
||
# rollingUpdate:
|
||
# maxUnavailable: 5
|
||
# type: RollingUpdate
|
||
# ```
|
||
#
|
||
# @type: string
|
||
updateStrategy: null
|
||
|
||
consulNode:
|
||
# meta specifies an arbitrary metadata key/value pair to associate with the node.
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# meta:
|
||
# cluster: test-cluster
|
||
# persistent: true
|
||
# ```
|
||
#
|
||
# @type: map
|
||
meta: null
|
||
|
||
|
||
# Configures metrics for Consul Connect services. All values are overridable
|
||
# via annotations on a per-pod basis.
|
||
metrics:
|
||
# If true, the connect-injector will automatically
|
||
# add prometheus annotations to connect-injected pods. It will also
|
||
# add a listener on the Envoy sidecar to expose metrics. The exposed
|
||
# metrics will depend on whether metrics merging is enabled:
|
||
# - If metrics merging is enabled:
|
||
# the consul-dataplane will run a merged metrics server
|
||
# combining Envoy sidecar and Connect service metrics,
|
||
# i.e. if your service exposes its own Prometheus metrics.
|
||
# - If metrics merging is disabled:
|
||
# the listener will just expose Envoy sidecar metrics.
|
||
# This will inherit from `global.metrics.enabled`.
|
||
defaultEnabled: "-"
|
||
# Configures the consul-dataplane to run a merged metrics server
|
||
# to combine and serve both Envoy and Connect service metrics.
|
||
# This feature is available only in Consul v1.10.0 or greater.
|
||
defaultEnableMerging: false
|
||
# Configures the port at which the consul-dataplane will listen on to return
|
||
# combined metrics. This port only needs to be changed if it conflicts with
|
||
# the application's ports.
|
||
defaultMergedMetricsPort: 20100
|
||
# Configures the port Prometheus will scrape metrics from, by configuring
|
||
# the Pod annotation `prometheus.io/port` and the corresponding listener in
|
||
# the Envoy sidecar.
|
||
# NOTE: This is *not* the port that your application exposes metrics on.
|
||
# That can be configured with the
|
||
# `consul.hashicorp.com/service-metrics-port` annotation.
|
||
defaultPrometheusScrapePort: 20200
|
||
# Configures the path Prometheus will scrape metrics from, by configuring the pod
|
||
# annotation `prometheus.io/path` and the corresponding handler in the Envoy
|
||
# sidecar.
|
||
# NOTE: This is *not* the path that your application exposes metrics on.
|
||
# That can be configured with the
|
||
# `consul.hashicorp.com/service-metrics-path` annotation.
|
||
defaultPrometheusScrapePath: "/metrics"
|
||
|
||
# Used to pass arguments to the injected envoy sidecar.
|
||
# Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli
|
||
# e.g "--log-level debug --disable-hot-restart"
|
||
# @type: string
|
||
envoyExtraArgs: null
|
||
|
||
# Optional priorityClassName.
|
||
priorityClassName: ""
|
||
|
||
# Extra labels to attach to the connect inject pods. This should be a YAML map.
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# extraLabels:
|
||
# labelKey: label-value
|
||
# anotherLabelKey: another-label-value
|
||
# ```
|
||
#
|
||
# @type: map
|
||
extraLabels: null
|
||
|
||
# This value defines additional annotations for
|
||
# connect inject pods. This should be formatted as a multi-line string.
|
||
#
|
||
# ```yaml
|
||
# annotations: |
|
||
# "sample/annotation1": "foo"
|
||
# "sample/annotation2": "bar"
|
||
# ```
|
||
#
|
||
# @type: string
|
||
annotations: null
|
||
|
||
# The Docker image for Consul to use when performing Connect injection.
|
||
# Defaults to global.image.
|
||
# @type: string
|
||
imageConsul: null
|
||
|
||
# Override global log verbosity level. One of "debug", "info", "warn", or "error".
|
||
# @type: string
|
||
logLevel: ""
|
||
|
||
serviceAccount:
|
||
# This value defines additional annotations for the injector service account. This should be formatted as a
|
||
# multi-line string.
|
||
#
|
||
# ```yaml
|
||
# annotations: |
|
||
# "sample/annotation1": "foo"
|
||
# "sample/annotation2": "bar"
|
||
# ```
|
||
#
|
||
# @type: string
|
||
annotations: null
|
||
|
||
# The resource settings for connect inject pods.
|
||
# @recurse: false
|
||
# @type: map
|
||
resources:
|
||
requests:
|
||
memory: "50Mi"
|
||
cpu: "50m"
|
||
limits:
|
||
memory: "50Mi"
|
||
cpu: "50m"
|
||
|
||
# Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook
|
||
# is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline.
|
||
# Once the webhook is back online the pod will be scheduled.
|
||
# In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running
|
||
# which can lead to hangs. In these environments it is recommended to use "Ignore" instead.
|
||
# Setting this to "Ignore" makes the webhook fail open: pods admitted while it is offline are scheduled without injection.
|
||
failurePolicy: "Fail"
|
||
|
||
# Selector for restricting the webhook to only specific namespaces.
|
||
# Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string.
|
||
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
|
||
# for more details.
|
||
#
|
||
# By default, we exclude the kube-system namespace since usually users won't
|
||
# want those pods injected and also the local-path-storage namespace so that
|
||
# Kind (Kubernetes In Docker) can provision Pods used to create PVCs.
|
||
# Note that this exclusion is only supported in Kubernetes v1.21.1+.
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# namespaceSelector: |
|
||
# matchLabels:
|
||
# namespace-label: label-value
|
||
# ```
|
||
# @type: string
|
||
namespaceSelector: |
|
||
matchExpressions:
|
||
- key: "kubernetes.io/metadata.name"
|
||
operator: "NotIn"
|
||
values: ["kube-system","local-path-storage"]
|
||
|
||
# List of k8s namespaces to allow Connect sidecar
|
||
# injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`,
|
||
# pods in that k8s namespace will not be injected even if they are explicitly
|
||
# annotated. Use `["*"]` to automatically allow all k8s namespaces.
|
||
#
|
||
# For example, `["namespace1", "namespace2"]` will only allow pods in the k8s
|
||
# namespaces `namespace1` and `namespace2` to have Connect sidecars injected
|
||
# and registered with Consul. All other k8s namespaces will be ignored.
|
||
#
|
||
# To deny all namespaces, set this to `[]`.
|
||
#
|
||
# Note: `k8sDenyNamespaces` takes precedence over values defined here and
|
||
# `namespaceSelector` takes precedence over both since it is applied first.
|
||
# `kube-system` and `kube-public` are never injected, even if included here.
|
||
# @type: array<string>
|
||
k8sAllowNamespaces: [ "*" ]
|
||
|
||
# List of k8s namespaces that should not allow Connect
|
||
# sidecar injection. This list takes precedence over `k8sAllowNamespaces`.
|
||
# `*` is not supported because then nothing would be allowed to be injected.
|
||
#
|
||
# For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is
|
||
# `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1"
|
||
# and "namespace2" will be available for injection.
|
||
#
|
||
# Note: `namespaceSelector` takes precedence over this since it is applied first.
|
||
# `kube-system` and `kube-public` are never injected.
|
||
# @type: array<string>
|
||
k8sDenyNamespaces: [ ]
|
||
|
||
# [Enterprise Only] These settings manage the connect injector's interaction with
|
||
# Consul namespaces (requires consul-ent v1.7+).
|
||
# Also, `global.enableConsulNamespaces` must be true.
|
||
consulNamespaces:
|
||
# Name of the Consul namespace to register all
|
||
# k8s pods into. If the Consul namespace does not already exist,
|
||
# it will be created. This will be ignored if `mirroringK8S` is true.
|
||
consulDestinationNamespace: "default"
|
||
|
||
# Causes k8s pods to be registered into a Consul namespace
|
||
# of the same name as their k8s namespace, optionally prefixed if
|
||
# `mirroringK8SPrefix` is set below. If the Consul namespace does not
|
||
# already exist, it will be created. Turning this on overrides the
|
||
# `consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul
|
||
# resources in the following Kubernetes namespaces, as Consul currently reserves these
|
||
# namespaces for system use: "system", "universal", "operator", "root".
|
||
mirroringK8S: true
|
||
|
||
# If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
|
||
# to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a
|
||
# pod in the k8s `staging` namespace will be registered into the
|
||
# `k8s-staging` Consul namespace.
|
||
mirroringK8SPrefix: ""
|
||
|
||
# Selector labels for connectInject pod assignment, formatted as a multi-line string.
|
||
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
|
||
#
|
||
# Example:
|
||
#
|
||
# ```yaml
|
||
# nodeSelector: |
|
||
# beta.kubernetes.io/arch: amd64
|
||
# ```
|
||
# @type: string
|
||
nodeSelector: null
|
||
|
||
# Affinity Settings
|
||
# This should be a multi-line string matching the affinity object
|
||
# @type: string
|
||
affinity: null
|
||
|
||
# Toleration Settings
|
||
# This should be a multi-line string matching the Toleration array
|
||
# in a PodSpec.
|
||
# @type: string
|
||
tolerations: null
|
||
|
||
# Query that defines which Service Accounts
|
||
# can authenticate to Consul and receive an ACL token during Connect injection.
|
||
# The default setting, i.e. serviceaccount.name!=default, prevents the
|
||
# 'default' Service Account from logging in.
|
||
# If set to an empty string all service accounts can log in.
|
||
# This only has effect if ACLs are enabled.
|
||
#
|
||
# See https://www.consul.io/docs/acl/acl-auth-methods.html#binding-rules
|
||
# and https://www.consul.io/docs/acl/auth-methods/kubernetes.html#trusted-identity-attributes
|
||
# for more details.
|
||
# Requires Consul >= v1.5.
|
||
aclBindingRuleSelector: "serviceaccount.name!=default"
|
||
|
||
# If you are not using global.acls.manageSystemACLs and instead manually setting up an
|
||
# auth method for Connect inject, set this to the name of your auth method.
|
||
overrideAuthMethodName: ""
|
||
|
||
# Refers to a Kubernetes secret that you have created that contains
|
||
# an ACL token for your Consul cluster which allows the Connect injector the correct
|
||
# permissions. This is only needed if Consul namespaces [Enterprise Only] and ACLs
|
||
# are enabled on the Consul cluster and you are not setting
|
||
# `global.acls.manageSystemACLs` to `true`.
|
||
# This token needs to have `operator = "write"` privileges to be able to
|
||
# create Consul namespaces.
|
||
aclInjectToken:
|
||
# The name of the Kubernetes secret that holds the ACL inject token.
|
||
# @type: string
|
||
secretName: null
|
||
# The key within the Kubernetes secret that holds the ACL inject token.
|
||
# @type: string
|
||
secretKey: null
|
||
|
||
sidecarProxy:
  # Number of Envoy worker threads for each injected sidecar proxy; this sets
  # Envoy's `--concurrency` flag. Envoy's default threading model starts one
  # thread per CPU core per proxy, which for a sidecar wastes threads and
  # memory and leaves idle connections open, so keep this low for sidecars
  # and reserve high values for edge proxies.
  # Background: https://blog.envoyproxy.io/envoy-threading-model-a8d44b922310
  #
  # Override per pod with the annotation:
  # - `consul.hashicorp.com/consul-envoy-proxy-concurrency`
  # @type: string
  concurrency: 2

  # Default resource requests and limits for the sidecar proxy container.
  # A value left at null is simply not set on the container, so with all
  # four at null the proxy runs with no requests or limits at all.
  # Override per pod with these annotations:
  #
  # - `consul.hashicorp.com/sidecar-proxy-cpu-limit`
  # - `consul.hashicorp.com/sidecar-proxy-cpu-request`
  # - `consul.hashicorp.com/sidecar-proxy-memory-limit`
  # - `consul.hashicorp.com/sidecar-proxy-memory-request`
  # @type: map
  resources:
    requests:
      # Recommended default: 100Mi
      # @type: string
      memory: null
      # Recommended default: 100m
      # @type: string
      cpu: null
    limits:
      # Recommended default: 100Mi
      # @type: string
      memory: null
      # Recommended default: 100m
      # @type: string
      cpu: null

# Resource requests and limits for the init container that Connect
# injection adds to each injected pod.
# @recurse: false
# @type: map
initContainer:
  resources:
    requests:
      memory: "25Mi"
      cpu: "50m"
    limits:
      memory: "150Mi"
      cpu: "50m"

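# [Mesh Gateways](/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters.
meshGateway:
  # If [mesh gateways](/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs
  # gateways and Consul Connect will be configured to use gateways.
  # This setting is required for [Cluster Peering](/docs/connect/cluster-peering/k8s).
  # Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs`.
  enabled: false

  # Number of replicas for the Deployment.
  replicas: 1

  # What gets registered as WAN address for the gateway.
  wanAddress:
    # source configures where to retrieve the WAN address (and possibly port)
    # for the mesh gateway from.
    # Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`.
    #
    # - `Service` - Determine the address based on the service type.
    #
    #   - If `service.type=LoadBalancer` use the external IP or hostname of
    #     the service. Use the port set by `service.port`.
    #
    #   - If `service.type=NodePort` use the Node IP. The port will be set to
    #     `service.nodePort` so `service.nodePort` cannot be null.
    #
    #   - If `service.type=ClusterIP` use the `ClusterIP`. The port will be set to
    #     `service.port`.
    #
    #   - `service.type=ExternalName` is not supported.
    #
    # - `NodeIP` - The node IP as provided by the Kubernetes downward API.
    #
    # - `NodeName` - The name of the node as provided by the Kubernetes downward
    #   API. This is useful if the node names are DNS entries that
    #   are routable from other datacenters.
    #
    # - `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`.
    source: "Service"

    # Port that gets registered for WAN traffic.
    # If source is set to "Service" then this setting will have no effect.
    # See the documentation for source as to which port will be used in that
    # case.
    port: 443

    # If source is set to "Static" then this value will be used as the WAN
    # address of the mesh gateways. This is useful if you've configured a
    # DNS entry to point to your mesh gateways.
    static: ""

  # The service option configures the Service that fronts the Gateway Deployment.
  service:
    # Type of service, ex. LoadBalancer, ClusterIP.
    type: LoadBalancer

    # Port that the service will be exposed on.
    # The targetPort will be set to meshGateway.containerPort.
    port: 443

    # Optionally set the nodePort value of the service if using a NodePort service.
    # If not set and using a NodePort service, Kubernetes will automatically assign
    # a port.
    # @type: integer
    nodePort: null

    # Annotations to apply to the mesh gateway service.
    #
    # Example:
    #
    # ```yaml
    # annotations: |
    #   'annotation-key': annotation-value
    # ```
    # @type: string
    annotations: null

    # Optional YAML string that will be appended to the Service spec.
    # @type: string
    additionalSpec: null

  # If set to true, gateway Pods will run on the host network. This gives the
  # gateway the node's own network namespace and port space, so enable it only
  # when exposing the gateways directly from the node is intended.
  hostNetwork: false

  # dnsPolicy to use.
  # @type: string
  dnsPolicy: null

  # Consul service name for the mesh gateways.
  # Cannot be set to anything other than "mesh-gateway" if
  # global.acls.manageSystemACLs is true since the ACL token
  # generated is only for the name 'mesh-gateway'.
  consulServiceName: "mesh-gateway"

  # Port that the gateway will run on inside the container.
  containerPort: 8443

  # Optional hostPort for the gateway to be exposed on.
  # This can be used with wanAddress.port and wanAddress.source=NodeIP
  # to expose the gateways directly from the node.
  # If hostNetwork is true, this must be null or set to the same port as
  # containerPort.
  # NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul
  # agent.
  # @type: integer
  hostPort: null

  serviceAccount:
    # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a
    # multi-line string.
    #
    # ```yaml
    # annotations: |
    #   "sample/annotation1": "foo"
    #   "sample/annotation2": "bar"
    # ```
    #
    # @type: string
    annotations: null

  # The resource settings for mesh gateway pods.
  # NOTE: The use of a YAML string is deprecated. Instead, set directly as a
  # YAML map.
  # @recurse: false
  # @type: map
  resources:
    requests:
      memory: "100Mi"
      cpu: "100m"
    limits:
      memory: "100Mi"
      cpu: "100m"

  # The resource settings for the `service-init` init container.
  # @recurse: false
  # @type: map
  initServiceInitContainer:
    resources:
      requests:
        memory: "50Mi"
        cpu: "50m"
      limits:
        memory: "50Mi"
        cpu: "50m"

  # This value defines the affinity (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
  # for mesh gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer
  # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value
  # to the value in the example below.
  #
  # Example:
  #
  # ```yaml
  # affinity: |
  #   podAntiAffinity:
  #     requiredDuringSchedulingIgnoredDuringExecution:
  #       - labelSelector:
  #           matchLabels:
  #             app: {{ template "consul.name" . }}
  #             release: "{{ .Release.Name }}"
  #             component: mesh-gateway
  #         topologyKey: kubernetes.io/hostname
  # ```
  # @type: string
  affinity: null

  # Optional YAML string to specify tolerations.
  # @type: string
  tolerations: null

  # Pod topology spread constraints for mesh gateway pods.
  # This should be a multi-line YAML string matching the `topologySpreadConstraints` array
  # (https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) in a Pod Spec.
  #
  # This requires K8S >= 1.18 (beta) or 1.19 (stable).
  #
  # Example:
  #
  # ```yaml
  # topologySpreadConstraints: |
  #   - maxSkew: 1
  #     topologyKey: topology.kubernetes.io/zone
  #     whenUnsatisfiable: DoNotSchedule
  #     labelSelector:
  #       matchLabels:
  #         app: {{ template "consul.name" . }}
  #         release: "{{ .Release.Name }}"
  #         component: mesh-gateway
  # ```
  topologySpreadConstraints: ""

  # Optional YAML string to specify a nodeSelector config.
  # @type: string
  nodeSelector: null

  # Optional priorityClassName.
  # @type: string
  priorityClassName: ""

  # Annotations to apply to the mesh gateway deployment.
  #
  # Example:
  #
  # ```yaml
  # annotations: |
  #   'annotation-key': annotation-value
  # ```
  # @type: string
  annotations: null
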
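# Configuration options for ingress gateways. Default values for all
# ingress gateways are defined in `ingressGateways.defaults`. Any of
# these values may be overridden in `ingressGateways.gateways` for a
# specific gateway with the exception of annotations. Annotations will
# include both the default annotations and any additional ones defined
# for a specific gateway.
# Requirements: consul >= 1.8.0
ingressGateways:
  # Enable ingress gateway deployment. Requires `connectInject.enabled=true`
  # and `client.enabled=true`.
  enabled: false

  # Defaults sets default values for all gateway fields. With the exception
  # of annotations, defining any of these values in the `gateways` list
  # will override the default values provided here. Annotations will
  # include both the default annotations and any additional ones defined
  # for a specific gateway.
  defaults:
    # Number of replicas for each ingress gateway defined.
    replicas: 1

    # The service options configure the Service that fronts the gateway Deployment.
    service:
      # Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service
      # type, you must set the desired nodePorts in the `ports` setting below.
      type: ClusterIP

      # Ports that will be exposed on the service and gateway container. Any
      # ports defined as ingress listeners on the gateway's Consul configuration
      # entry should be included here. The first port will be used as part of
      # the Consul service registration for the gateway and be listed in its
      # SRV record. If using a NodePort service type, you must specify the
      # desired nodePort for each exposed port.
      # @type: array<map>
      # @default: [{port: 8080}, {port: 8443}]
      # @recurse: false
      ports:
        - port: 8080
          nodePort: null
        - port: 8443
          nodePort: null

      # Annotations to apply to the ingress gateway service. Annotations defined
      # here will be applied to all ingress gateway services in addition to any
      # service annotations defined for a specific gateway in `ingressGateways.gateways`.
      #
      # Example:
      #
      # ```yaml
      # annotations: |
      #   'annotation-key': annotation-value
      # ```
      # @type: string
      annotations: null

      # Optional YAML string that will be appended to the Service spec.
      # @type: string
      additionalSpec: null

    serviceAccount:
      # This value defines additional annotations for the ingress gateways' service account. This should be formatted
      # as a multi-line string.
      #
      # ```yaml
      # annotations: |
      #   "sample/annotation1": "foo"
      #   "sample/annotation2": "bar"
      # ```
      #
      # @type: string
      annotations: null

    # Resource limits for all ingress gateway pods
    # @recurse: false
    # @type: map
    resources:
      requests:
        memory: "100Mi"
        cpu: "100m"
      limits:
        memory: "100Mi"
        cpu: "100m"

    # This value defines the affinity (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
    # for ingress gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer
    # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value
    # to the value in the example below.
    #
    # Example:
    #
    # ```yaml
    # affinity: |
    #   podAntiAffinity:
    #     requiredDuringSchedulingIgnoredDuringExecution:
    #       - labelSelector:
    #           matchLabels:
    #             app: {{ template "consul.name" . }}
    #             release: "{{ .Release.Name }}"
    #             component: ingress-gateway
    #         topologyKey: kubernetes.io/hostname
    # ```
    # @type: string
    affinity: null

    # Optional YAML string to specify tolerations.
    # @type: string
    tolerations: null

    # Pod topology spread constraints for ingress gateway pods.
    # This should be a multi-line YAML string matching the `topologySpreadConstraints` array
    # (https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) in a Pod Spec.
    #
    # This requires K8S >= 1.18 (beta) or 1.19 (stable).
    #
    # Example:
    #
    # ```yaml
    # topologySpreadConstraints: |
    #   - maxSkew: 1
    #     topologyKey: topology.kubernetes.io/zone
    #     whenUnsatisfiable: DoNotSchedule
    #     labelSelector:
    #       matchLabels:
    #         app: {{ template "consul.name" . }}
    #         release: "{{ .Release.Name }}"
    #         component: ingress-gateway
    # ```
    topologySpreadConstraints: ""

    # Optional YAML string to specify a nodeSelector config.
    # @type: string
    nodeSelector: null

    # Optional priorityClassName.
    # @type: string
    priorityClassName: ""

    # Amount of seconds to wait for graceful termination before killing the pod.
    terminationGracePeriodSeconds: 10

    # Annotations to apply to the ingress gateway deployment. Annotations defined
    # here will be applied to all ingress gateway deployments in addition to any
    # annotations defined for a specific gateway in `ingressGateways.gateways`.
    #
    # Example:
    #
    # ```yaml
    # annotations: |
    #   "annotation-key": 'annotation-value'
    # ```
    # @type: string
    annotations: null

    # [Enterprise Only] `consulNamespace` defines the Consul namespace to register
    # the gateway into. Requires `global.enableConsulNamespaces` to be true and
    # Consul Enterprise v1.7+ with a valid Consul Enterprise license.
    # Note: The Consul namespace MUST exist before the gateway is deployed.
    consulNamespace: "default"

  # Gateways is a list of gateway objects. The only required field for
  # each is `name`, though they can also contain any of the fields in
  # `defaults`. Values defined here override the defaults except in the
  # case of annotations where both will be applied.
  # @type: array<map>
  gateways:
    - name: ingress-gateway
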
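# Configuration options for terminating gateways. Default values for all
# terminating gateways are defined in `terminatingGateways.defaults`. Any of
# these values may be overridden in `terminatingGateways.gateways` for a
# specific gateway with the exception of annotations. Annotations will
# include both the default annotations and any additional ones defined
# for a specific gateway.
# Requirements: consul >= 1.8.0
terminatingGateways:
  # Enable terminating gateway deployment. Requires `connectInject.enabled=true`
  # and `client.enabled=true`.
  enabled: false

  # Defaults sets default values for all gateway fields. With the exception
  # of annotations, defining any of these values in the `gateways` list
  # will override the default values provided here. Annotations will
  # include both the default annotations and any additional ones defined
  # for a specific gateway.
  defaults:
    # Number of replicas for each terminating gateway defined.
    replicas: 1

    # A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig/<name>/`.
    # Volumes of type `secret` expose the secret's contents inside every
    # terminating gateway pod, so mount only the keys the gateway needs
    # (use `items` to restrict them).
    #
    # Example:
    #
    # ```yaml
    # extraVolumes:
    #   - type: secret
    #     name: my-secret
    #     items: # optional items array
    #       - key: key
    #         path: path # secret will now mount to /consul/userconfig/my-secret/path
    # ```
    # @type: array<map>
    extraVolumes: []

    # Resource limits for all terminating gateway pods
    # @recurse: false
    # @type: map
    resources:
      requests:
        memory: "100Mi"
        cpu: "100m"
      limits:
        memory: "100Mi"
        cpu: "100m"

    # This value defines the affinity (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
    # for terminating gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer
    # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value
    # to the value in the example below.
    #
    # Example:
    #
    # ```yaml
    # affinity: |
    #   podAntiAffinity:
    #     requiredDuringSchedulingIgnoredDuringExecution:
    #       - labelSelector:
    #           matchLabels:
    #             app: {{ template "consul.name" . }}
    #             release: "{{ .Release.Name }}"
    #             component: terminating-gateway
    #         topologyKey: kubernetes.io/hostname
    # ```
    # @type: string
    affinity: null

    # Optional YAML string to specify tolerations.
    # @type: string
    tolerations: null

    # Pod topology spread constraints for terminating gateway pods.
    # This should be a multi-line YAML string matching the `topologySpreadConstraints` array
    # (https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) in a Pod Spec.
    #
    # This requires K8S >= 1.18 (beta) or 1.19 (stable).
    #
    # Example:
    #
    # ```yaml
    # topologySpreadConstraints: |
    #   - maxSkew: 1
    #     topologyKey: topology.kubernetes.io/zone
    #     whenUnsatisfiable: DoNotSchedule
    #     labelSelector:
    #       matchLabels:
    #         app: {{ template "consul.name" . }}
    #         release: "{{ .Release.Name }}"
    #         component: terminating-gateway
    # ```
    topologySpreadConstraints: ""

    # Optional YAML string to specify a nodeSelector config.
    # @type: string
    nodeSelector: null

    # Optional priorityClassName.
    # @type: string
    priorityClassName: ""

    # Annotations to apply to the terminating gateway deployment. Annotations defined
    # here will be applied to all terminating gateway deployments in addition to any
    # annotations defined for a specific gateway in `terminatingGateways.gateways`.
    #
    # Example:
    #
    # ```yaml
    # annotations: |
    #   'annotation-key': annotation-value
    # ```
    # @type: string
    annotations: null

    serviceAccount:
      # This value defines additional annotations for the terminating gateways' service account. This should be
      # formatted as a multi-line string.
      #
      # ```yaml
      # annotations: |
      #   "sample/annotation1": "foo"
      #   "sample/annotation2": "bar"
      # ```
      #
      # @type: string
      annotations: null

    # [Enterprise Only] `consulNamespace` defines the Consul namespace to register
    # the gateway into. Requires `global.enableConsulNamespaces` to be true and
    # Consul Enterprise v1.7+ with a valid Consul Enterprise license.
    # Note: The Consul namespace MUST exist before the gateway is deployed.
    consulNamespace: "default"

  # Gateways is a list of gateway objects. The only required field for
  # each is `name`, though they can also contain any of the fields in
  # `defaults`. Values defined here override the defaults except in the
  # case of annotations where both will be applied.
  # @type: array<map>
  gateways:
    - name: terminating-gateway
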
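# Configuration settings for the Consul API Gateway integration
apiGateway:
  # When true the helm chart will install the Consul API Gateway controller
  enabled: false

  # Image to use for the api-gateway-controller pods and gateway instances
  #
  # ~> **Note:** Using API Gateway <= 0.4 with external servers requires setting `client.enabled: true`.
  # @type: string
  image: null

  # The name (and tag) of the Envoy Docker image used for the
  # apiGateway. For other Consul components, imageEnvoy has been replaced with Consul Dataplane.
  # Keep this pinned to an explicit tag rather than a floating one so that
  # upgrades of the proxy are deliberate.
  # @default: envoyproxy/envoy:<latest supported version>
  imageEnvoy: "envoyproxy/envoy:v1.23.1"

  # Override global log verbosity level for api-gateway-controller pods. One of "debug", "info", "warn", or "error".
  # @type: string
  logLevel: "info"

  # Configuration settings for the optional GatewayClass installed by consul-k8s (enabled by default)
  managedGatewayClass:
    # When true a GatewayClass is configured to automatically work with Consul as installed by helm.
    enabled: true

    # This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
    # labels for gateway pod assignment, formatted as a multi-line string.
    #
    # Example:
    #
    # ```yaml
    # nodeSelector: |
    #   beta.kubernetes.io/arch: amd64
    # ```
    #
    # @type: string
    nodeSelector: null

    # This value defines the tolerations that will be assigned to a gateway pod.
    # This should be a multi-line string matching the
    # Tolerations (https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec.
    #
    # @type: string
    tolerations: null

    # This value defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP)
    serviceType: LoadBalancer

    # This value toggles if the gateway ports should be mapped to host ports.
    # When true each gateway's listeners are reachable on the node it is
    # scheduled on, outside the Service in front of it.
    useHostPorts: false

    # Configuration settings for annotations to be copied from the Gateway to other child resources.
    copyAnnotations:
      # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string.
      #
      # Example:
      #
      # ```yaml
      # service:
      #   annotations: |
      #     - external-dns.alpha.kubernetes.io/hostname
      # ```
      #
      # @type: string
      service: null

    # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways
    #
    # Example:
    #
    # ```yaml
    # deployment:
    #   defaultInstances: 3
    #   maxInstances: 8
    #   minInstances: 1
    # ```
    #
    # @type: map
    deployment: null

  # Configuration for the ServiceAccount created for the api-gateway component
  serviceAccount:
    # This value defines additional annotations for the api-gateway service account. This should be formatted as a
    # multi-line string.
    #
    # ```yaml
    # annotations: |
    #   "sample/annotation1": "foo"
    #   "sample/annotation2": "bar"
    # ```
    #
    # @type: string
    annotations: null

  # Configuration for the api-gateway controller component
  controller:
    # This value sets the number of controller replicas to deploy.
    replicas: 1

    # Annotations to apply to the api-gateway-controller pods.
    #
    # ```yaml
    # annotations: |
    #   "annotation-key": "annotation-value"
    # ```
    #
    # @type: string
    annotations: null

    # This value references an existing
    # Kubernetes `priorityClassName` (https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority)
    # that can be assigned to api-gateway-controller pods.
    priorityClassName: ""

    # This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
    # labels for api-gateway-controller pod assignment, formatted as a multi-line string.
    #
    # Example:
    #
    # ```yaml
    # nodeSelector: |
    #   beta.kubernetes.io/arch: amd64
    # ```
    #
    # @type: string
    nodeSelector: null

    # This value defines the tolerations for api-gateway-controller pod, this should be a multi-line string matching the
    # Tolerations (https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec.
    #
    # @type: string
    tolerations: null

    # Configuration for the Service created for the api-gateway-controller
    service:
      # Annotations to apply to the api-gateway-controller service.
      #
      # ```yaml
      # annotations: |
      #   "annotation-key": "annotation-value"
      # ```
      #
      # @type: string
      annotations: null

  # The resource settings for api gateway pods.
  # @recurse: false
  # @type: map
  resources:
    requests:
      memory: "100Mi"
      cpu: "100m"
    limits:
      memory: "100Mi"
      cpu: "100m"

  # The resource settings for the `copy-consul-bin` init container.
  # @recurse: false
  # @type: map
  initCopyConsulContainer:
    resources:
      requests:
        memory: "25Mi"
        cpu: "50m"
      limits:
        memory: "150Mi"
        cpu: "50m"
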
# Settings for `webhook-cert-manager`, the component that keeps the
# certificate bundles used by the mutating webhook up to date.
webhookCertManager:
  # Tolerations for the webhook-cert-manager pod, given as a multi-line
  # string matching the Toleration array in a PodSpec.
  # @type: string
  tolerations: null

  # `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
  # labels controlling where the webhook-cert-manager pod is scheduled,
  # given as a multi-line string.
  #
  # Example:
  #
  # ```yaml
  # nodeSelector: |
  #   beta.kubernetes.io/arch: amd64
  # ```
  #
  # @type: string
  nodeSelector: null

# Settings for the demo Prometheus installation.
prometheus:
  # When true, a demo Prometheus server instance is installed alongside
  # Consul by the Helm chart; it is a demo, not a hardened deployment.
  enabled: false

# Whether `helm template` emits a test Pod manifest. `helm install` never
# submits this Pod to the cluster, so the setting only matters for
# `helm template` output.
tests:
  enabled: true