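# Available parameters and their default values for the Consul chart.

# Holds values that affect multiple components of the chart.
global:
  # The main enabled/disabled setting. If true, servers,
  # clients, Consul DNS and the Consul UI will be enabled. Each component can override
  # this default via its component-specific "enabled" config. If false, no components
  # will be installed by default and per-component opt-in is required, such as by
  # setting `server.enabled` to true.
  enabled: true

  # The default log level to apply to all components which do not otherwise override this setting.
  # It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity.
  # One of "debug", "info", "warn", or "error".
  # @type: string
  logLevel: "info"

  # Enable all component logs to be output in JSON format.
  # @type: boolean
  logJSON: false

  # Set the prefix used for all resources in the Helm chart. If not set,
  # the prefix will be `<helm release name>-consul`.
  # @type: string
  name: "consul"

  # The domain Consul will answer DNS queries for
  # (see `-domain` (https://consul.io/docs/agent/options#_domain)) and the domain services synced from
  # Consul into Kubernetes will have, e.g. `service-name.service.consul`.
  domain: consul

  # The name (and tag) of the Consul Docker image for clients and servers.
  # This can be overridden per component. This should be pinned to a specific
  # version tag, otherwise you may inadvertently upgrade your Consul version.
  #
  # NOTE(security): a tag is a mutable reference. Where your registry and
  # tooling allow it, pinning by digest (`<repository>@sha256:<digest>`) also
  # protects against the tag being re-pointed at a different image.
  #
  # Examples:
  #
  # ```yaml
  # # Consul 1.10.0
  # image: "consul:1.10.0"
  # # Consul Enterprise 1.10.0
  # image: "hashicorp/consul-enterprise:1.10.0-ent"
  # ```
  # @default: hashicorp/consul:<latest version>
  image: "hashicorp/consul:1.10.0"

  # Array of objects containing image pull secret names that will be applied to each service account.
  # This can be used to reference image pull secrets if using a custom consul or consul-k8s Docker image.
  # See https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry for reference.
  #
  # Example:
  #
  # ```yaml
  # imagePullSecrets:
  #   - name: pull-secret-name
  #   - name: pull-secret-name-2
  # ```
  # @type: array<map>
  imagePullSecrets: []

  # The name (and tag) of the consul-k8s (https://github.com/hashicorp/consul-k8s)
  # Docker image that is used for functionality such as the catalog sync.
  # This can be overridden per component.
  # @default: hashicorp/consul-k8s:<latest version>
  imageK8S: "hashicorp/consul-k8s:0.26.0"

  # The name of the datacenter that the agents should
  # register as. This can't be changed once the Consul cluster is up and running
  # since Consul doesn't support an automatic way to change this value currently:
  # https://github.com/hashicorp/consul/issues/1858.
  datacenter: dc1

  # Controls whether pod security policies are created for the Consul components
  # created by this chart. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/.
  #
  # NOTE(security): `client.dataDirectoryHostPath` documents this setting as a
  # prerequisite for safely using a host path. PodSecurityPolicy was deprecated
  # in Kubernetes v1.21 and removed in v1.25, so on newer clusters an equivalent
  # admission control has to be provided another way.
  enablePodSecurityPolicies: false

  # Configures which Kubernetes secret to retrieve Consul's
  # gossip encryption key from (see `-encrypt` (https://consul.io/docs/agent/options#_encrypt)). If secretName or
  # secretKey are not set, gossip encryption will not be enabled. The secret must
  # be in the same namespace that Consul is installed into.
  #
  # NOTE(security): both values are empty below, so gossip traffic is not
  # encrypted with this file as written.
  #
  # The secret can be created by running:
  #
  # ```shell
  # $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen)
  # ```
  #
  # NOTE(security): the generated key is passed on the kubectl command line, so
  # run this from a trusted workstation and limit who can read secrets in the
  # namespace.
  #
  # To reference, use:
  #
  # ```yaml
  # global:
  #   gossipEncryption:
  #     secretName: consul-gossip-encryption-key
  #     secretKey: key
  # ```
  gossipEncryption:
    # secretName is the name of the Kubernetes secret that holds the gossip
    # encryption key. The secret must be in the same namespace that Consul is installed into.
    secretName: ""
    # secretKey is the key within the Kubernetes secret that holds the gossip
    # encryption key.
    secretKey: ""

  # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries.
  # These values are given as `-recursor` flags to Consul servers and clients.
  # See https://www.consul.io/docs/agent/options#_recursor for more details.
  # If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`).
  # @type: array<string>
  recursors: []

  # Enables TLS (https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure)
  # across the cluster to verify authenticity of the Consul servers and clients.
  # Requires Consul v1.4.1+ and consul-k8s v0.16.2+
  tls:
    # If true, the Helm chart will enable TLS for Consul
    # servers and clients and all consul-k8s components, as well as generate certificate
    # authority (optional) and server and client certificates.
    #
    # NOTE(security): false here, so TLS is not enabled for the agents or the
    # consul-k8s components with this file as written.
    enabled: false

    # If true, turns on the auto-encrypt feature on clients and servers.
    # It also switches consul-k8s components to retrieve the CA from the servers
    # via the API. Requires Consul 1.7.1+ and consul-k8s 0.13.0
    enableAutoEncrypt: false

    # A list of additional DNS names to set as Subject Alternative Names (SANs)
    # in the server certificate. This is useful when you need to access the
    # Consul server(s) externally, for example, if you're using the UI.
    # @type: array<string>
    serverAdditionalDNSSANs: []

    # A list of additional IP addresses to set as Subject Alternative Names (SANs)
    # in the server certificate. This is useful when you need to access the
    # Consul server(s) externally, for example, if you're using the UI.
    # @type: array<string>
    serverAdditionalIPSANs: []

    # If true, `verify_outgoing`, `verify_server_hostname`,
    # and `verify_incoming_rpc` will be set to `true` for Consul servers and clients.
    # Set this to false to incrementally roll out TLS on an existing Consul cluster.
    # Please see https://consul.io/docs/k8s/operations/tls-on-existing-cluster
    # for more details.
    #
    # NOTE(security): while this is false the three verify_* checks are not
    # enforced; set it back to true once the rollout has finished.
    verify: true

    # If true, the Helm chart will configure Consul to disable the HTTP port on
    # both clients and servers and to only accept HTTPS connections.
    # NOTE(review): presumably only takes effect when `enabled` above is true —
    # confirm against the chart templates.
    httpsOnly: true

    # A Kubernetes secret containing the certificate of the CA to use for
    # TLS communication within the Consul cluster. If you have generated the CA yourself
    # with the consul CLI, you could use the following command to create the secret
    # in Kubernetes:
    #
    # ```bash
    # kubectl create secret generic consul-ca-cert \
    #     --from-file='tls.crt=./consul-agent-ca.pem'
    # ```
    caCert:
      # The name of the Kubernetes secret.
      secretName: null
      # The key of the Kubernetes secret.
      secretKey: null

    # A Kubernetes secret containing the private key of the CA to use for
    # TLS communication within the Consul cluster. If you have generated the CA yourself
    # with the consul CLI, you could use the following command to create the secret
    # in Kubernetes:
    #
    # ```bash
    # kubectl create secret generic consul-ca-key \
    #     --from-file='tls.key=./consul-agent-ca-key.pem'
    # ```
    #
    # Note that we need the CA key so that we can generate server and client certificates.
    # It is particularly important for the client certificates since they need to have host IPs
    # as Subject Alternative Names. In the future, we may support bringing your own server
    # certificates.
    #
    # NOTE(security): anyone who can read this secret can issue certificates that
    # the cluster trusts. Restrict read access to secrets in this namespace with
    # RBAC.
    caKey:
      # The name of the Kubernetes secret.
      secretName: null
      # The key of the Kubernetes secret.
      secretKey: null

  # [Enterprise Only] `enableConsulNamespaces` indicates that you are running
  # Consul Enterprise v1.7+ with a valid Consul Enterprise license and would
  # like to make use of configuration beyond registering everything into
  # the `default` Consul namespace. Requires consul-k8s v0.12+. Additional configuration
  # options are found in the `consulNamespaces` section of both the catalog sync
  # and connect injector.
  enableConsulNamespaces: false

  # Configure ACLs.
  acls:

    # If true, the Helm chart will automatically manage ACL tokens and policies
    # for all Consul and consul-k8s components.
    # This requires Consul >= 1.4 and consul-k8s >= 0.14.0.
    #
    # NOTE(security): false here, so the chart does not set up ACL tokens or
    # policies. Unless ACLs are configured some other way, confirm whether the
    # Consul API is left open to unauthenticated callers.
    manageSystemACLs: false

    # A Kubernetes secret containing the bootstrap token to use for
    # creating policies and tokens for all Consul and consul-k8s components.
    # If set, we will skip ACL bootstrapping of the servers and will only
    # initialize ACLs for the Consul clients and consul-k8s system components.
    # Requires consul-k8s >= 0.14.0.
    bootstrapToken:
      # The name of the Kubernetes secret.
      secretName: null
      # The key of the Kubernetes secret.
      secretKey: null

    # If true, an ACL token will be created that can be used in secondary
    # datacenters for replication. This should only be set to true in the
    # primary datacenter since the replication token must be created from that
    # datacenter.
    # In secondary datacenters, the secret needs to be imported from the primary
    # datacenter and referenced via `global.acls.replicationToken`.
    # Requires consul-k8s >= 0.13.0.
    createReplicationToken: false

    # replicationToken references a secret containing the replication ACL token.
    # This token will be used by secondary datacenters to perform ACL replication
    # and create ACL tokens and policies.
    # This value is ignored if `bootstrapToken` is also set.
    # Requires consul-k8s >= 0.13.0.
    replicationToken:
      # The name of the Kubernetes secret.
      secretName: null
      # The key of the Kubernetes secret.
      secretKey: null

  # Configure federation.
  federation:
    # If enabled, this datacenter will be federation-capable. Only federation
    # via mesh gateways is supported.
    # Mesh gateways and servers will be configured to allow federation.
    # Requires `global.tls.enabled`, `meshGateway.enabled` and `connectInject.enabled`
    # to be true. Requires Consul 1.8+.
    enabled: false

    # If true, the chart will create a Kubernetes secret that can be imported
    # into secondary datacenters so they can federate with this datacenter. The
    # secret contains all the information secondary datacenters need to contact
    # and authenticate with this datacenter. This should only be set to true
    # in your primary datacenter. The secret name is
    # `<global.name>-federation` (if setting `global.name`), otherwise
    # `<helm-release-name>-consul-federation`. Requires consul-k8s 0.15.0+.
    #
    # NOTE(security): because it carries authentication material, handle the
    # exported secret as a credential when copying it between clusters.
    createFederationSecret: false

  # Configures metrics for Consul service mesh
  metrics:
    # Configures the Helm chart’s components
    # to expose Prometheus metrics for the Consul service mesh. By default
    # this includes gateway metrics and sidecar metrics.
    # @type: boolean
    enabled: false

    # Configures consul agent metrics. Only applicable if
    # `global.metrics.enabled` is true.
    # @type: boolean
    enableAgentMetrics: false

    # Configures the retention time for metrics in Consul clients and
    # servers. This must be greater than 0 for Consul clients and servers
    # to expose any metrics at all.
    # Only applicable if `global.metrics.enabled` is true.
    # @type: string
    agentMetricsRetentionTime: 1m

    # If true, mesh, terminating, and ingress gateways will expose their
    # Envoy metrics on port `20200` at the `/metrics` path and all gateway pods
    # will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true.
    # NOTE(review): whether the metrics port is reachable by workloads other
    # than the scraper depends on the cluster's NetworkPolicy — confirm.
    # @type: boolean
    enableGatewayMetrics: true

  # The consul sidecar ensures the Consul services
  # are always registered with their local Consul clients and is used by the
  # ingress/terminating/mesh gateways as well as with every Connect-injected service.
  # @recurse: false
  # @type: map
  consulSidecarContainer:
    resources:
      requests:
        memory: "25Mi"
        cpu: "20m"
      limits:
        memory: "50Mi"
        cpu: "20m"

  # The name (and tag) of the Envoy Docker image used for the
  # connect-injected sidecar proxies and mesh, terminating, and ingress gateways.
  # See https://www.consul.io/docs/connect/proxies/envoy for full compatibility matrix between Consul and Envoy.
  # @default: envoyproxy/envoy-alpine:<latest supported version>
  imageEnvoy: "envoyproxy/envoy-alpine:v1.18.3"

  # Configuration for running this Helm chart on the Red Hat OpenShift platform.
  # This Helm chart currently supports OpenShift v4.x+.
  openshift:
    # If true, the Helm chart will create necessary configuration for running
    # its components on OpenShift.
    enabled: false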
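# Server, when enabled, configures a server cluster to run. This should
# be disabled if you plan on connecting to a Consul cluster external to
# the Kube cluster.
server:

  # If true, the chart will install all the resources necessary for a
  # Consul server cluster. If you're running Consul externally and want agents
  # within Kubernetes to join that cluster, this should probably be false.
  # @default: global.enabled
  # @type: boolean
  enabled: "-"

  # The name of the Docker image (including any tag) for the containers running
  # Consul server agents.
  # @type: string
  image: null

  # The number of server agents to run. This determines the fault tolerance of
  # the cluster. Please see the deployment table (https://consul.io/docs/internals/consensus#deployment-table)
  # for more information.
  replicas: 3

  # The number of servers that are expected to be running.
  # It defaults to server.replicas.
  # In most cases the default should be used, however if there are more
  # servers in this datacenter than server.replicas it might make sense
  # to override the default. This would be the case if two kube clusters
  # were joined into the same datacenter and each cluster ran a certain number
  # of servers.
  # @type: int
  bootstrapExpect: null

  # [Enterprise Only] This value refers to a Kubernetes secret that you have created
  # that contains your enterprise license. It is required if you are using an
  # enterprise binary. Defining it here applies it to your cluster once a leader
  # has been elected. If you are not using an enterprise image or if you plan to
  # introduce the license key via another route, then set these fields to null.
  # Note: the job to apply license runs on both Helm installs and upgrades.
  enterpriseLicense:
    # The name of the Kubernetes secret that holds the enterprise license.
    # The secret must be in the same namespace that Consul is installed into.
    secretName: null
    # The key within the Kubernetes secret that holds the enterprise license.
    secretKey: null
    # Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+.
    enableLicenseAutoload: true

  # Exposes the servers' gossip and RPC ports as hostPorts. To enable a client
  # agent outside of the k8s cluster to join the datacenter, you would need to
  # enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and
  # set `server.ports.serflan.port` to a port not being used on the host. Since
  # `client.exposeGossipPorts` uses the hostPort 8301,
  # `server.ports.serflan.port` must be set to something other than 8301.
  #
  # NOTE(security): hostPorts make these listeners reachable on the node's own
  # address. Before enabling, configure `global.gossipEncryption` and
  # `global.tls` (both are off in this file) and restrict the ports at the
  # network layer to the agents that need them.
  exposeGossipAndRPCPorts: false

  # Configures ports for the consul servers.
  ports:
    # Configures the LAN gossip port for the consul servers. If you choose to
    # enable `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`,
    # that will configure the LAN gossip ports on the servers and clients to be
    # hostPorts, so if you are running clients and servers on the same node the
    # ports will conflict if they are both 8301. When you enable
    # `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, you must
    # change this from the default to an unused port on the host, e.g. 9301. By
    # default the LAN gossip port is 8301 and configured as a containerPort on
    # the consul server Pods.
    serflan:
      port: 8301

  # This defines the disk size for configuring the
  # servers' StatefulSet storage. For dynamically provisioned storage classes, this is the
  # desired size. For manually defined persistent volumes, this should be set to
  # the disk size of the attached volume.
  storage: 10Gi

  # The StorageClass to use for the servers' StatefulSet storage. It must be
  # able to be dynamically provisioned if you want the storage
  # to be automatically created. For example, to use local
  # (https://kubernetes.io/docs/concepts/storage/storage-classes/#local)
  # storage classes, the PersistentVolumeClaims would need to be manually created.
  # A `null` value will use the Kubernetes cluster's default StorageClass. If a default
  # StorageClass does not exist, you will need to create one.
  # @type: string
  storageClass: null

  # This will enable/disable Connect (https://consul.io/docs/connect). Setting this to true
  # _will not_ automatically secure pod communication, this
  # setting will only enable usage of the feature. Consul will automatically initialize
  # a new CA and set of certificates. Additional Connect settings can be configured
  # by setting the `server.extraConfig` value.
  connect: true

  serviceAccount:
    # This value defines additional annotations for the server service account. This should be formatted as a multi-line
    # string.
    #
    # ```yaml
    # annotations: |
    #   "sample/annotation1": "foo"
    #   "sample/annotation2": "bar"
    # ```
    #
    # @type: string
    annotations: null

  # The resource requests (CPU, memory, etc.)
  # for each of the server agents. This should be a YAML map corresponding to a Kubernetes
  # ResourceRequirements (https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core)
  # object. NOTE: The use of a YAML string is deprecated.
  #
  # Example:
  #
  # ```yaml
  # resources:
  #   requests:
  #     memory: '100Mi'
  #     cpu: '100m'
  #   limits:
  #     memory: '100Mi'
  #     cpu: '100m'
  # ```
  #
  # @recurse: false
  # @type: map
  resources:
    requests:
      memory: "100Mi"
      cpu: "100m"
    limits:
      memory: "100Mi"
      cpu: "100m"

  # The security context for the server pods. This should be a YAML map corresponding to a
  # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object.
  # By default, servers will run as non-root, with user ID `100` and group ID `1000`,
  # which correspond to the consul user and group created by the Consul docker image.
  # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically
  # by the OpenShift platform.
  # @type: map
  # @recurse: false
  securityContext:
    runAsNonRoot: true
    runAsGroup: 1000
    runAsUser: 100
    fsGroup: 1000

  # This value is used to carefully
  # control a rolling update of Consul server agents. This value specifies the
  # partition (https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions)
  # for performing a rolling update. Please read the linked Kubernetes documentation
  # and https://www.consul.io/docs/k8s/upgrade#upgrading-consul-servers for more information.
  updatePartition: 0

  # This configures the PodDisruptionBudget (https://kubernetes.io/docs/tasks/run-application/configure-pdb/)
  # for the server cluster.
  disruptionBudget:
    # This will enable/disable registering a PodDisruptionBudget for the server
    # cluster. If this is enabled, it will only register the budget so long as
    # the server cluster is enabled.
    enabled: true

    # The maximum number of unavailable pods. By default, this will be
    # automatically computed based on the `server.replicas` value to be `(n/2)-1`.
    # If you need to set this to `0`, you will need to add a
    # `--set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation
    # command because of a limitation in the Helm templating language.
    # @type: integer
    maxUnavailable: null

  # A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul
  # servers. This will be saved as-is into a ConfigMap that is read by the Consul
  # server agents. This can be used to add additional configuration that
  # isn't directly exposed by the chart.
  #
  # NOTE(security): ConfigMaps are not protected the way Secrets are, so keep
  # tokens and keys out of this value; mount them through `extraVolumes` with
  # `type: secret` instead.
  #
  # Example:
  #
  # ```yaml
  # extraConfig: |
  #   {
  #     "log_level": "DEBUG"
  #   }
  # ```
  #
  # This can also be set using Helm's `--set` flag using the following syntax:
  #
  # ```shell
  # --set 'server.extraConfig="{"log_level": "DEBUG"}"'
  # ```
  extraConfig: |
    {}

  # A list of extra volumes to mount for server agents. This
  # is useful for bringing in extra data that can be referenced by other configurations
  # at a well known path, such as TLS certificates or Gossip encryption keys. The
  # value of this should be a list of objects.
  #
  # Example:
  #
  # ```yaml
  # extraVolumes:
  #   - type: secret
  #     name: consul-certs
  #     load: false
  # ```
  #
  # Each object supports the following keys:
  #
  # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive.
  #
  # - `name` - Name of the configMap or secret to be mounted. This also controls
  #   the path that it is mounted to. The volume will be mounted to `/consul/userconfig/<name>`.
  #
  # - `load` - If true, then the agent will be
  #   configured to automatically load HCL/JSON configuration files from this volume
  #   with `-config-dir`. This defaults to false.
  #
  # NOTE(security): with `load: true` the agent takes configuration from the
  # mounted object, so write access to that configMap or secret amounts to
  # control over the server agent's configuration.
  #
  # @type: array<map>
  extraVolumes: []

  # This value defines the affinity (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
  # for server pods. It defaults to allowing only a single server pod on each node, which
  # minimizes risk of the cluster becoming unusable if a node is lost. If you need
  # to run more pods per node (for example, testing on Minikube), set this value
  # to `null`.
  #
  # Example:
  #
  # ```yaml
  # affinity: |
  #   podAntiAffinity:
  #     requiredDuringSchedulingIgnoredDuringExecution:
  #       - labelSelector:
  #           matchLabels:
  #             app: {{ template "consul.name" . }}
  #             release: "{{ .Release.Name }}"
  #             component: server
  #         topologyKey: kubernetes.io/hostname
  # ```
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app: {{ template "consul.name" . }}
              release: "{{ .Release.Name }}"
              component: server
          topologyKey: kubernetes.io/hostname

  # Toleration settings for server pods. This
  # should be a multi-line string matching the Tolerations
  # (https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec.
  tolerations: ""

  # Pod topology spread constraints for server pods.
  # This should be a multi-line YAML string matching the `topologySpreadConstraints` array
  # (https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) in a Pod Spec.
  #
  # This requires K8S >= 1.18 (beta) or 1.19 (stable).
  #
  # Example:
  #
  # ```yaml
  # topologySpreadConstraints: |
  #   - maxSkew: 1
  #     topologyKey: topology.kubernetes.io/zone
  #     whenUnsatisfiable: DoNotSchedule
  #     labelSelector:
  #       matchLabels:
  #         app: {{ template "consul.name" . }}
  #         release: "{{ .Release.Name }}"
  #         component: server
  # ```
  topologySpreadConstraints: ""

  # This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
  # labels for server pod assignment, formatted as a multi-line string.
  #
  # Example:
  #
  # ```yaml
  # nodeSelector: |
  #   beta.kubernetes.io/arch: amd64
  # ```
  #
  # @type: string
  nodeSelector: null

  # This value references an existing
  # Kubernetes `priorityClassName` (https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority)
  # that can be assigned to server pods.
  priorityClassName: ""

  # Extra labels to attach to the server pods. This should be a YAML map.
  #
  # Example:
  #
  # ```yaml
  # extraLabels:
  #   labelKey: label-value
  #   anotherLabelKey: another-label-value
  # ```
  #
  # @type: map
  extraLabels: null

  # This value defines additional annotations for
  # server pods. This should be formatted as a multi-line string.
  #
  # ```yaml
  # annotations: |
  #   "sample/annotation1": "foo"
  #   "sample/annotation2": "bar"
  # ```
  #
  # @type: string
  annotations: null

  # Server service properties.
  service:
    # Annotations to apply to the server service.
    #
    # ```yaml
    # annotations: |
    #   "annotation-key": "annotation-value"
    # ```
    #
    # @type: string
    annotations: null

  # A list of extra environment variables to set within the stateful set.
  # These could be used to include proxy settings required for cloud auto-join
  # feature, in case kubernetes cluster is behind egress http proxies. Additionally,
  # it could be used to configure custom consul parameters.
  # NOTE(review): presumably rendered as literal values in the StatefulSet
  # spec, where they are readable by anyone who can view the workload — avoid
  # placing credentials (e.g. proxy passwords) here; confirm against the template.
  # @type: map
  extraEnvironmentVars: {}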
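# Configuration for Consul servers when the servers are running outside of Kubernetes.
# When running external servers, configuring these values is recommended
# if setting `global.tls.enableAutoEncrypt` to true (requires consul-k8s >= 0.13.0)
# or `global.acls.manageSystemACLs` to true (requires consul-k8s >= 0.14.0).
externalServers:
  # If true, the Helm chart will be configured to talk to the external servers.
  # If setting this to true, you must also set `server.enabled` to false.
  enabled: false

  # An array of external Consul server hosts that are used to make
  # HTTPS connections from the components in this Helm chart.
  # Valid values include IPs, DNS names, or Cloud auto-join string.
  # The port must be provided separately below.
  # Note: `client.join` must also be set to the hosts that should be
  # used to join the cluster. In most cases, the `client.join` values
  # should be the same, however, they may be different if you
  # wish to use separate hosts for the HTTPS connections.
  # @type: array<string>
  hosts: []

  # The HTTPS port of the Consul servers.
  httpsPort: 8501

  # The server name to use as the SNI host header when connecting with HTTPS.
  # @type: string
  tlsServerName: null

  # If true, consul-k8s components will ignore the CA set in
  # `global.tls.caCert` when making HTTPS calls to Consul servers and
  # will instead use the consul-k8s image's system CAs for TLS verification.
  # If false, consul-k8s components will use `global.tls.caCert` when
  # making HTTPS calls to Consul servers.
  # **NOTE:** This does not affect Consul's internal RPC communication which will
  # always use `global.tls.caCert`.
  #
  # NOTE(security): with true, trust for these HTTPS calls widens from the one
  # CA in `global.tls.caCert` to every CA in the image's system store, so the
  # check on the server's name matters more. NOTE(review): confirm how
  # `tlsServerName` and `hosts` feed into that name check.
  useSystemRoots: false

  # If you are setting `global.acls.manageSystemACLs` and
  # `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server.
  # This address must be reachable from the Consul servers.
  # Please see the Kubernetes Auth Method documentation (https://consul.io/docs/acl/auth-methods/kubernetes).
  # Requires consul-k8s >= 0.14.0.
  #
  # You could retrieve this value from your `kubeconfig` by running:
  #
  # ```shell
  # kubectl config view \
  #   -o jsonpath="{.clusters[?(@.name=='<your cluster name>')].cluster.server}"
  # ```
  #
  # @type: string
  k8sAuthMethodHost: null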
688
689# Values that configure running a Consul client on Kubernetes nodes.
690client:
691 # If true, the chart will install all
692 # the resources necessary for a Consul client on every Kubernetes node. This _does not_ require
693 # `server.enabled`, since the agents can be configured to join an external cluster.
694 # @default: global.enabled
695 # @type: boolean
696 enabled: "-"
697
698 # The name of the Docker image (including any tag) for the containers
699 # running Consul client agents.
700 # @type: string
701 image: null
702
703 # A list of valid `-retry-join` values (https://consul.io/docs/agent/options#retry-join).
704 # If this is `null` (default), then the clients will attempt to automatically
705 # join the server cluster running within Kubernetes.
706 # This means that with `server.enabled` set to true, clients will automatically
707 # join that cluster. If `server.enabled` is not true, then a value must be
708 # specified so the clients can join a valid cluster.
709 # @type: array<string>
710 join: null
711
712 # An absolute path to a directory on the host machine to use as the Consul
713 # client data directory. If set to the empty string or null, the Consul agent
714 # will store its data in the Pod's local filesystem (which will
715 # be lost if the Pod is deleted). Security Warning: If setting this, Pod Security
716 # Policies _must_ be enabled on your cluster and in this Helm chart (via the
717 # `global.enablePodSecurityPolicies` setting) to prevent other pods from
718 # mounting the same host path and gaining access to all of Consul's data.
719 # Consul's data is not encrypted at rest.
720 # @type: string
721 dataDirectoryHostPath: null
722
723 # If true, agents will enable their GRPC listener on
724 # port 8502 and expose it to the host. This will use slightly more resources, but is
725 # required for Connect.
726 grpc: true
727
728 # nodeMeta specifies an arbitrary metadata key/value pair to associate with the node
729 # (see https://www.consul.io/docs/agent/options.html#_node_meta)
730 nodeMeta:
731 pod-name: ${HOSTNAME}
732 host-ip: ${HOST_IP}
733
734 # If true, the Helm chart will expose the clients' gossip ports as hostPorts.
735 # This is only necessary if pod IPs in the k8s cluster are not directly routable
736 # and the Consul servers are outside of the k8s cluster.
737 # This also changes the clients' advertised IP to the `hostIP` rather than `podIP`.
738 exposeGossipPorts: false
739
740 serviceAccount:
741 # This value defines additional annotations for the client service account. This should be formatted as a multi-line
742 # string.
743 #
744 # ```yaml
745 # annotations: |
746 # "sample/annotation1": "foo"
747 # "sample/annotation2": "bar"
748 # ```
749 #
750 # @type: string
751 annotations: null
752
753 # Resource settings for Client agents.
754 # NOTE: The use of a YAML string is deprecated. Instead, set directly as a
755 # YAML map.
756 # @recurse: false
757 # @type: map
758 resources:
759 requests:
760 memory: "100Mi"
761 cpu: "100m"
762 limits:
763 memory: "100Mi"
764 cpu: "100m"
765
766 # The security context for the client pods. This should be a YAML map corresponding to a
767 # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object.
768 # By default, clients will run as non-root, with user ID `100` and group ID `1000`,
769 # which correspond to the consul user and group created by the Consul docker image.
770 # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically
771 # by the OpenShift platform.
772 # @type: map
773 # @recurse: false
774 securityContext:
775 runAsNonRoot: true
776 runAsGroup: 1000
777 runAsUser: 100
778 fsGroup: 1000
779
780 # A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul
781 # clients. This will be saved as-is into a ConfigMap that is read by the Consul
782 # client agents. This can be used to add additional configuration that
783 # isn't directly exposed by the chart.
784 #
785 # Example:
786 #
787 # ```yaml
788 # extraConfig: |
789 # {
790 # "log_level": "DEBUG"
791 # }
792 # ```
793 #
794 # This can also be set using Helm's `--set` flag using the following syntax:
795 #
796 # ```shell
797 # --set 'client.extraConfig="{"log_level": "DEBUG"}"'
798 # ```
799 extraConfig: |
800 {}
801
802 # A list of extra volumes to mount for client agents. This
803 # is useful for bringing in extra data that can be referenced by other configurations
804 # at a well known path, such as TLS certificates or Gossip encryption keys. The
805 # value of this should be a list of objects.
806 #
807 # Example:
808 #
809 # ```yaml
810 # extraVolumes:
811 # - type: secret
812 # name: consul-certs
813 # load: false
814 # ```
815 #
816 # Each object supports the following keys:
817 #
818 # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive.
819 #
820 # - `name` - Name of the configMap or secret to be mounted. This also controls
821 # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/<name>`.
822 #
823 # - `load` - If true, then the agent will be
824 # configured to automatically load HCL/JSON configuration files from this volume
825 # with `-config-dir`. This defaults to false.
826 #
827 # @type: array<map>
828 extraVolumes: []
829
830 # Toleration Settings for Client pods
831 # This should be a multi-line string matching the Toleration array
832 # in a PodSpec.
833 # The example below will allow Client pods to run on every node
834 # regardless of taints
835 #
836 # ```yaml
837 # tolerations: |
838 # - operator: Exists
839 # ```
840 tolerations: ""
841
842 # nodeSelector labels for client pod assignment, formatted as a multi-line string.
843 # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
844 #
845 # Example:
846 #
847 # ```yaml
848 # nodeSelector: |
849 # beta.kubernetes.io/arch: amd64
850 # ```
851 # @type: string
852 nodeSelector: null
853
854 # Affinity Settings for Client pods, formatted as a multi-line YAML string.
855 # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
856 #
857 # Example:
858 #
859 # ```yaml
860 # affinity: |
861 # nodeAffinity:
862 # requiredDuringSchedulingIgnoredDuringExecution:
863 # nodeSelectorTerms:
864 # - matchExpressions:
865 # - key: node-role.kubernetes.io/master
866 # operator: DoesNotExist
867 # ```
868 # @type: string
869 affinity: null
870
871 # This value references an existing
872 # Kubernetes `priorityClassName` (https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority)
873 # that can be assigned to client pods.
874 priorityClassName: ""
875
876 # This value defines additional annotations for
877 # client pods. This should be formatted as a multi-line string.
878 #
879 # ```yaml
880 # annotations: |
881 # "sample/annotation1": "foo"
882 # "sample/annotation2": "bar"
883 # ```
884 #
885 # @type: string
886 annotations: null
887
888 # Extra labels to attach to the client pods. This should be a regular YAML map.
889 #
890 # Example:
891 #
892 # ```yaml
893 # extraLabels:
894 # labelKey: label-value
895 # anotherLabelKey: another-label-value
896 # ```
897 #
898 # @type: map
899 extraLabels: null
900
901 # A list of extra environment variables to set within the stateful set.
902 # These could be used to include proxy settings required for the cloud auto-join
903 # feature, in case the Kubernetes cluster is behind egress HTTP proxies. Additionally,
904 # they could be used to configure custom Consul parameters.
905 # @type: map
906 extraEnvironmentVars: {}
907
908 # This value defines the Pod DNS policy (https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy)
909 # for client pods to use.
910 # @type: string
911 dnsPolicy: null
912
913 # hostNetwork defines whether or not we use host networking instead of hostPort in the event
914 # that a CNI plugin doesn't support `hostPort`. This has security implications and is not recommended
915 # as doing so gives the consul client unnecessary access to all network traffic on the host.
916 # In most cases, pod network and host network are on different networks so this should be
917 # combined with `dnsPolicy: ClusterFirstWithHostNet`
918 hostNetwork: false
919
920 # updateStrategy for the DaemonSet.
921 # See https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy.
922 # This should be a multi-line string mapping directly to the updateStrategy
923 #
924 # Example:
925 #
926 # ```yaml
927 # updateStrategy: |
928 # rollingUpdate:
929 # maxUnavailable: 5
930 # type: RollingUpdate
931 # ```
932 #
933 # @type: string
934 updateStrategy: null
935
936 # [Enterprise Only] Values for setting up and running snapshot agents
937 # (https://consul.io/commands/snapshot/agent)
938 # within the Consul clusters. They are required to be co-located with Consul clients,
939 # so will inherit the clients' nodeSelector, tolerations and affinity.
940 snapshotAgent:
941 # If true, the chart will install resources necessary to run the snapshot agent.
942 enabled: false
943
944 # The number of snapshot agents to run.
945 replicas: 2
946
947 # A Kubernetes secret that should be manually created to contain the entire
948 # config to be used on the snapshot agent.
949 # This is the preferred method of configuration since there are usually storage
950 # credentials present. Please see Snapshot agent config (https://consul.io/commands/snapshot/agent#config-file-options)
951 # for details.
952 configSecret:
953 # The name of the Kubernetes secret.
954 secretName: null
955 # The key of the Kubernetes secret.
956 secretKey: null
957
958 serviceAccount:
959 # This value defines additional annotations for the snapshot agent service account. This should be formatted as a
960 # multi-line string.
961 #
962 # ```yaml
963 # annotations: |
964 # "sample/annotation1": "foo"
965 # "sample/annotation2": "bar"
966 # ```
967 #
968 # @type: string
969 annotations: null
970
971 # Resource settings for snapshot agent pods.
972 # @recurse: false
973 # @type: map
974 resources:
975 requests:
976 memory: "50Mi"
977 cpu: "50m"
978 limits:
979 memory: "50Mi"
980 cpu: "50m"
981
982 # Optional PEM-encoded CA certificate that will be added to the trusted system CAs.
983 # Useful if using an S3-compatible storage exposing a self-signed certificate.
984 #
985 # Example:
986 #
987 # ```yaml
988 # caCert: |
989 # -----BEGIN CERTIFICATE-----
990 # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx
991 # ...
992 # ```
993 # @type: string
994 caCert: null
995
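# Configuration for DNS within the Kubernetes cluster.
# This creates a service that routes to all agents (client or server)
# for serving DNS requests. This DOES NOT automatically configure kube-dns
# today, so you must still manually configure a `stubDomain` with kube-dns
# for this to have any effect:
# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers
dns:
  # Whether the DNS service is created. "-" is the sentinel that other
  # sections of this file document as "inherit from global.enabled";
  # presumably the same applies here (confirm against the chart templates).
  # @type: boolean
  enabled: "-"

  # Used to control the type of service created. For
  # example, setting this to "LoadBalancer" will create an external load
  # balancer (for supported K8S installations).
  # NOTE(review): an external load balancer makes Consul DNS answers (service
  # names and addresses) resolvable from outside the cluster. Keep "ClusterIP"
  # unless external resolution is a requirement.
  type: ClusterIP

  # Set a predefined cluster IP for the DNS service.
  # Useful if you need to reference the DNS service's IP
  # address in CoreDNS config.
  # @type: string
  clusterIP: null

  # Extra annotations to attach to the dns service.
  # This should be a multi-line string of
  # annotations to apply to the dns Service.
  # @type: string
  annotations: null

  # Additional ServiceSpec values.
  # This should be a multi-line string mapping directly to a Kubernetes
  # ServiceSpec object.
  # @type: string
  additionalSpec: null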
1028
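# Values that configure the Consul UI.
ui:
  # If true, the UI will be enabled. This will
  # only _enable_ the UI, it doesn't automatically register any service for external
  # access. The UI will only be enabled on server agents. If `server.enabled` is
  # false, then this setting has no effect. To expose the UI in some way, you must
  # configure `ui.service`.
  # @default: global.enabled
  # @type: boolean
  enabled: "-"

  # Configure the service for the Consul UI.
  service:
    # This will enable/disable registering a
    # Kubernetes Service for the Consul UI. This value only takes effect if
    # `ui.enabled` is true and itself taking effect.
    enabled: true

    # The service type to register.
    # NOTE(review): a NodePort or LoadBalancer type publishes the UI beyond the
    # cluster network; choose one only when that exposure is intended.
    # @type: string
    type: null

    # Optionally set the nodePort value of the ui service if using a NodePort service.
    # If not set and using a NodePort service, Kubernetes will automatically assign
    # a port.
    nodePort:

      # HTTP node port
      # @type: integer
      http: null

      # HTTPS node port
      # @type: integer
      https: null

    # Annotations to apply to the UI service.
    #
    # Example:
    #
    # ```yaml
    # annotations: |
    #   'annotation-key': annotation-value
    # ```
    # @type: string
    annotations: null

    # Additional ServiceSpec values
    # This should be a multi-line string mapping directly to a Kubernetes
    # ServiceSpec object.
    # @type: string
    additionalSpec: null

  # Configure Ingress for the Consul UI.
  # If `global.tls.enabled` is set to `true`, the Ingress will expose
  # the port 443 on the UI service. Please ensure the Ingress Controller
  # supports SSL pass-through and it is enabled to ensure traffic forwarded
  # to port 443 has not been TLS terminated.
  ingress:
    # This will create an Ingress resource for the Consul UI.
    # NOTE(review): the Ingress is enabled here for an environment-specific
    # host while `tls` below is empty, so this section gives the Ingress no
    # certificate. Unless TLS is supplied another way (`global.tls.enabled` is
    # not visible in this section), the UI is reachable over plain HTTP.
    # Confirm that ACLs are enabled and that the Ingress is only reachable
    # from trusted networks.
    # @type: boolean
    enabled: true

    # pathType override - see: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
    pathType: Prefix

    # hosts is a list of host names to create Ingress rules for.
    #
    # ```yaml
    # hosts:
    #   - host: foo.bar
    #     paths:
    #       - /example
    #       - /test
    # ```
    #
    # @type: array<map>
    hosts:
      - host: consul.k8s.bg10.bgfe.local

    # tls is a list of hosts and secret name in an Ingress
    # which tells the Ingress controller to secure the channel.
    #
    # ```yaml
    # tls:
    #   - hosts:
    #     - chart-example.local
    #     secretName: testsecret-tls
    # ```
    # @type: array<map>
    tls: []

    # Annotations to apply to the UI ingress.
    #
    # Example:
    #
    # ```yaml
    # annotations: |
    #   'annotation-key': annotation-value
    # ```
    # @type: string
    annotations: null

  # Configurations for displaying metrics in the UI.
  metrics:
    # Enable displaying metrics in the UI. The default value of "-"
    # will inherit from `global.metrics.enabled` value.
    # @type: boolean
    # @default: global.metrics.enabled
    enabled: "-"
    # Provider for metrics. See
    # https://www.consul.io/docs/agent/options#ui_config_metrics_provider
    # This value is only used if `ui.enabled` is set to true.
    # @type: string
    provider: "prometheus"

    # baseURL is the URL of the prometheus server, usually the service URL.
    # This value is only used if `ui.enabled` is set to true.
    # @type: string
    baseURL: http://prometheus-server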
1148
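# Configure the catalog sync process to sync K8S with Consul
# services. This can run bidirectionally (default) or unidirectionally (Consul
# to K8S or K8S to Consul only).
#
# This process assumes that a Consul agent is available on the host IP.
# This is done automatically if clients are enabled. If clients are not
# enabled then set the node selection so that it chooses a node with a
# Consul agent.
syncCatalog:
  # True if you want to enable the catalog sync. Set to "-" to inherit from
  # global.enabled.
  enabled: true

  # The name of the Docker image (including any tag) for consul-k8s
  # to run the sync program.
  # @type: string
  image: null

  # If true, all valid services in K8S are
  # synced by default. If false, the service must be annotated
  # (https://consul.io/docs/k8s/service-sync#sync-enable-disable) properly to sync.
  # In either case an annotation can override the default.
  # NOTE(review): combined with `k8sAllowNamespaces: ["*"]` below, every
  # service in a namespace that is not on the deny list is published to Consul
  # without an opt-in annotation, including namespaces created later.
  default: true

  # Optional priorityClassName.
  priorityClassName: ""

  # If true, will sync Kubernetes services to Consul. This can be disabled to
  # have a one-way sync.
  toConsul: true

  # If true, will sync Consul services to Kubernetes. This can be disabled to
  # have a one-way sync.
  toK8S: false

  # Service prefix to prepend to services before registering
  # with Kubernetes. For example "consul-" will register all services
  # prepended with "consul-". (Consul -> Kubernetes sync)
  # NOTE(review): unused while `toK8S` is false. Kubernetes Service names must
  # be lowercase DNS labels, so an uppercase prefix such as "K8s" would have to
  # be changed before that direction is enabled.
  # @type: string
  k8sPrefix: K8s

  # List of k8s namespaces to sync the k8s services from.
  # If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`,
  # services in that k8s namespace will not be synced even if they are explicitly
  # annotated. Use `["*"]` to automatically allow all k8s namespaces.
  #
  # For example, `["namespace1", "namespace2"]` will only allow services in the k8s
  # namespaces `namespace1` and `namespace2` to be synced and registered
  # with Consul. All other k8s namespaces will be ignored.
  #
  # To deny all namespaces, set this to `[]`.
  #
  # Note: `k8sDenyNamespaces` takes precedence over values defined here.
  # Requires consul-k8s v0.12+
  # NOTE(review): an explicit list of namespaces is the tighter choice when
  # only some workloads are meant to appear in the Consul catalog.
  # @type: array<string>
  k8sAllowNamespaces: ["*"]

  # List of k8s namespaces that should not have their
  # services synced. This list takes precedence over `k8sAllowNamespaces`.
  # `*` is not supported because then nothing would be allowed to sync.
  # Requires consul-k8s v0.12+.
  #
  # For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is
  # `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1`
  # and `namespace2` will be synced.
  # @type: array<string>
  k8sDenyNamespaces:
    - "kube-system"
    - "kube-public"
    - "gitlab"
    - "customadmin"
    - "traefik"
    - "octant"
    - "portainer"
    - "consul"

  # [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For
  # backwards compatibility, if both this and the allow/deny lists are set,
  # the allow/deny lists will be ignored.
  # k8sSourceNamespace is the Kubernetes namespace to watch for service
  # changes and sync to Consul. If this is not set then it will default
  # to all namespaces.
  # @type: string
  k8sSourceNamespace: null

  # [Enterprise Only] These settings manage the catalog sync's interaction with
  # Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+).
  # Also, `global.enableConsulNamespaces` must be true.
  consulNamespaces:
    # Name of the Consul namespace to register all
    # k8s services into. If the Consul namespace does not already exist,
    # it will be created. This will be ignored if `mirroringK8S` is true.
    consulDestinationNamespace: "default"

    # If true, k8s services will be registered into a Consul namespace
    # of the same name as their k8s namespace, optionally prefixed if
    # `mirroringK8SPrefix` is set below. If the Consul namespace does not
    # already exist, it will be created. Turning this on overrides the
    # `consulDestinationNamespace` setting.
    # `addK8SNamespaceSuffix` may no longer be needed if enabling this option.
    mirroringK8S: true

    # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
    # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a
    # service in the k8s `staging` namespace will be registered into the
    # `k8s-staging` Consul namespace.
    mirroringK8SPrefix: ""

  # Appends Kubernetes namespace suffix to
  # each service name synced to Consul, separated by a dash.
  # For example, for a service 'foo' in the default namespace,
  # the sync process will create a Consul service named 'foo-default'.
  # Set this flag to true to avoid registering services with the same name
  # but in different namespaces as instances for the same Consul service.
  # Namespace suffix is not added if 'annotationServiceName' is provided.
  addK8SNamespaceSuffix: true

  # Service prefix which prepends itself
  # to Kubernetes services registered within Consul.
  # For example, "k8s-" will register all services prepended with "k8s-".
  # (Kubernetes -> Consul sync)
  # consulPrefix is ignored when 'annotationServiceName' is provided.
  # NOTE: Updating this property to a non-null value for an existing installation will result in deregistering
  # of existing services in Consul and registering them with a new name.
  # @type: string
  consulPrefix: k8s-

  # Optional tag that is applied to all of the Kubernetes services
  # that are synced into Consul. If nothing is set, defaults to "k8s".
  # (Kubernetes -> Consul sync)
  # @type: string
  k8sTag: null

  # Defines the Consul synthetic node that all services
  # will be registered to.
  # NOTE: Changing the node name and upgrading the Helm chart will leave
  # all of the previously sync'd services registered with Consul and
  # register them again under the new Consul node name. The out-of-date
  # registrations will need to be explicitly removed.
  consulNodeName: "k8s-sync"

  # Syncs services of the ClusterIP type, which may
  # or may not be broadly accessible depending on your Kubernetes cluster.
  # Set this to false to skip syncing ClusterIP services.
  syncClusterIPServices: true

  # Configures the type of syncing that happens for NodePort
  # services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst.
  #
  # - ExternalOnly will only use a node's ExternalIP address for the sync
  # - InternalOnly uses the node's InternalIP address
  # - ExternalFirst will preferentially use the node's ExternalIP address, but
  #   if it doesn't exist, it will use the node's InternalIP address instead.
  nodePortSyncType: ExternalFirst

  # Refers to a Kubernetes secret that you have created that contains
  # an ACL token for your Consul cluster which allows the sync process the correct
  # permissions. This is only needed if ACLs are enabled on the Consul cluster.
  # Only the secret's name and key belong here; the token value itself stays
  # in the Kubernetes secret.
  aclSyncToken:
    # The name of the Kubernetes secret.
    secretName: null
    # The key of the Kubernetes secret.
    secretKey: null

  # This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
  # labels for catalog sync pod assignment, formatted as a multi-line string.
  #
  # Example:
  #
  # ```yaml
  # nodeSelector: |
  #   beta.kubernetes.io/arch: amd64
  # ```
  #
  # @type: string
  nodeSelector: null

  # Affinity Settings
  # This should be a multi-line string matching the affinity object
  # @type: string
  affinity: null

  # Toleration Settings
  # This should be a multi-line string matching the Toleration array
  # in a PodSpec.
  # @type: string
  tolerations: null

  serviceAccount:
    # This value defines additional annotations for the sync catalog service account. This should be formatted as a
    # multi-line string.
    #
    # ```yaml
    # annotations: |
    #   "sample/annotation1": "foo"
    #   "sample/annotation2": "bar"
    # ```
    #
    # @type: string
    annotations: null

  # Resource settings for sync catalog pods.
  # @recurse: false
  # @type: map
  resources:
    requests:
      memory: "50Mi"
      cpu: "50m"
    limits:
      memory: "50Mi"
      cpu: "50m"

  # Override global log verbosity level. One of "debug", "info", "warn", or "error".
  # @type: string
  logLevel: ""

  # Override the default interval to perform syncing operations creating Consul services.
  # @type: string
  consulWriteInterval: null

  # Extra labels to attach to the sync catalog pods. This should be a YAML map.
  #
  # Example:
  #
  # ```yaml
  # extraLabels:
  #   labelKey: label-value
  #   anotherLabelKey: another-label-value
  # ```
  #
  # @type: map
  extraLabels: null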
1373
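# Configures the automatic Connect sidecar injector.
connectInject:
  # True if you want to enable connect injection. Set to "-" to inherit from
  # global.enabled.
  enabled: false

  # Image for consul-k8s that contains the injector
  # @type: string
  image: null

  # If true, the injector will inject the
  # Connect sidecar into all pods by default. Otherwise, pods must specify the
  # injection annotation (https://consul.io/docs/k8s/connect#consul-hashicorp-com-connect-inject)
  # to opt-in to Connect injection. If this is true, pods can use the same annotation
  # to explicitly opt-out of injection.
  default: false

  # Configures Transparent Proxy for Consul Service mesh services.
  # Using this feature requires Consul 1.10.0-beta1+ and consul-k8s 0.26.0-beta1+.
  transparentProxy:
    # If true, then all Consul Service mesh will run with transparent proxy enabled by default,
    # i.e. we enforce that all traffic within the pod will go through the proxy.
    # This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation.
    defaultEnabled: true

    # If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead.
    # This setting is recommended because with traffic being enforced to go through the Envoy proxy,
    # the probes on the pod will fail because kube-proxy doesn't have the right certificates
    # to talk to Envoy.
    # This value is also overridable via the "consul.hashicorp.com/transparent-proxy-overwrite-probes" annotation.
    # Note: This value has no effect if transparent proxy is disabled on the pod.
    defaultOverwriteProbes: true

  # Configures metrics for Consul Connect services. All values are overridable
  # via annotations on a per-pod basis.
  metrics:
    # If true, the connect-injector will automatically
    # add prometheus annotations to connect-injected pods. It will also
    # add a listener on the Envoy sidecar to expose metrics. The exposed
    # metrics will depend on whether metrics merging is enabled:
    #   - If metrics merging is enabled:
    #     the Consul sidecar will run a merged metrics server
    #     combining Envoy sidecar and Connect service metrics,
    #     i.e. if your service exposes its own Prometheus metrics.
    #   - If metrics merging is disabled:
    #     the listener will just expose Envoy sidecar metrics.
    # This will inherit from `global.metrics.enabled`.
    defaultEnabled: "-"
    # Configures the Consul sidecar to run a merged metrics server
    # to combine and serve both Envoy and Connect service metrics.
    # This feature is available only in Consul v1.10.0 or greater.
    defaultEnableMerging: false
    # Configures the port at which the Consul sidecar will listen on to return
    # combined metrics. This port only needs to be changed if it conflicts with
    # the application's ports.
    defaultMergedMetricsPort: 20100
    # Configures the port Prometheus will scrape metrics from, by configuring
    # the Pod annotation `prometheus.io/port` and the corresponding listener in
    # the Envoy sidecar.
    # NOTE: This is *not* the port that your application exposes metrics on.
    # That can be configured with the
    # `consul.hashicorp.com/service-metrics-port` annotation.
    defaultPrometheusScrapePort: 20200
    # Configures the path Prometheus will scrape metrics from, by configuring the pod
    # annotation `prometheus.io/path` and the corresponding handler in the Envoy
    # sidecar.
    # NOTE: This is *not* the path that your application exposes metrics on.
    # That can be configured with the
    # `consul.hashicorp.com/service-metrics-path` annotation.
    defaultPrometheusScrapePath: "/metrics"

  # Used to pass arguments to the injected envoy sidecar.
  # Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli
  # e.g. "--log-level debug --disable-hot-restart"
  # @type: string
  envoyExtraArgs: null

  # Optional priorityClassName.
  priorityClassName: ""

  # The Docker image for Consul to use when performing Connect injection.
  # Defaults to global.image.
  # @type: string
  imageConsul: null

  # Override global log verbosity level. One of "debug", "info", "warn", or "error".
  # @type: string
  logLevel: ""

  serviceAccount:
    # This value defines additional annotations for the injector service account. This should be formatted as a
    # multi-line string.
    #
    # ```yaml
    # annotations: |
    #   "sample/annotation1": "foo"
    #   "sample/annotation2": "bar"
    # ```
    #
    # @type: string
    annotations: null

  # Resource settings for connect inject pods.
  # @recurse: false
  # @type: map
  resources:
    requests:
      memory: "50Mi"
      cpu: "50m"
    limits:
      memory: "50Mi"
      cpu: "50m"

  # Selector for restricting the webhook to only
  # specific namespaces. This should be set to a multiline string.
  # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
  # for more details.
  #
  # Example:
  #
  # ```yaml
  # namespaceSelector: |
  #   matchLabels:
  #     namespace-label: label-value
  # ```
  # @type: string
  namespaceSelector: null

  # List of k8s namespaces to allow Connect sidecar
  # injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`,
  # pods in that k8s namespace will not be injected even if they are explicitly
  # annotated. Use `["*"]` to automatically allow all k8s namespaces.
  #
  # For example, `["namespace1", "namespace2"]` will only allow pods in the k8s
  # namespaces `namespace1` and `namespace2` to have Connect sidecars injected
  # and registered with Consul. All other k8s namespaces will be ignored.
  #
  # To deny all namespaces, set this to `[]`.
  #
  # Note: `k8sDenyNamespaces` takes precedence over values defined here and
  # `namespaceSelector` takes precedence over both since it is applied first.
  # `kube-system` and `kube-public` are never injected, even if included here.
  # Requires consul-k8s v0.12+
  # @type: array<string>
  k8sAllowNamespaces: ["*"]

  # List of k8s namespaces that should not allow Connect
  # sidecar injection. This list takes precedence over `k8sAllowNamespaces`.
  # `*` is not supported because then nothing would be allowed to be injected.
  #
  # For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is
  # `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1"
  # and "namespace2" will be available for injection.
  #
  # Note: `namespaceSelector` takes precedence over this since it is applied first.
  # `kube-system` and `kube-public` are never injected.
  # Requires consul-k8s v0.12+.
  # @type: array<string>
  k8sDenyNamespaces: []

  # [Enterprise Only] These settings manage the connect injector's interaction with
  # Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+).
  # Also, `global.enableConsulNamespaces` must be true.
  consulNamespaces:
    # Name of the Consul namespace to register all
    # k8s pods into. If the Consul namespace does not already exist,
    # it will be created. This will be ignored if `mirroringK8S` is true.
    consulDestinationNamespace: "default"

    # Causes k8s pods to be registered into a Consul namespace
    # of the same name as their k8s namespace, optionally prefixed if
    # `mirroringK8SPrefix` is set below. If the Consul namespace does not
    # already exist, it will be created. Turning this on overrides the
    # `consulDestinationNamespace` setting.
    mirroringK8S: false

    # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
    # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a
    # pod in the k8s `staging` namespace will be registered into the
    # `k8s-staging` Consul namespace.
    mirroringK8SPrefix: ""

  # Selector labels for connectInject pod assignment, formatted as a multi-line string.
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  #
  # Example:
  #
  # ```yaml
  # nodeSelector: |
  #   beta.kubernetes.io/arch: amd64
  # ```
  # @type: string
  nodeSelector: null

  # Affinity Settings
  # This should be a multi-line string matching the affinity object
  # @type: string
  affinity: null

  # Toleration Settings
  # This should be a multi-line string matching the Toleration array
  # in a PodSpec.
  # @type: string
  tolerations: null

  # Query that defines which Service Accounts
  # can authenticate to Consul and receive an ACL token during Connect injection.
  # The default setting, i.e. serviceaccount.name!=default, prevents the
  # 'default' Service Account from logging in.
  # If set to an empty string all service accounts can log in.
  # This only has effect if ACLs are enabled.
  # NOTE(review): keep a non-empty selector; clearing it lets pods that run
  # under the namespace's 'default' service account obtain an ACL token.
  #
  # See https://www.consul.io/docs/acl/acl-auth-methods.html#binding-rules
  # and https://www.consul.io/docs/acl/auth-methods/kubernetes.html#trusted-identity-attributes
  # for more details.
  # Requires Consul >= v1.5 and consul-k8s >= v0.8.0.
  aclBindingRuleSelector: "serviceaccount.name!=default"

  # If you are not using global.acls.manageSystemACLs and instead manually setting up an
  # auth method for Connect inject, set this to the name of your auth method.
  overrideAuthMethodName: ""

  # Refers to a Kubernetes secret that you have created that contains
  # an ACL token for your Consul cluster which allows the Connect injector the correct
  # permissions. This is only needed if Consul namespaces [Enterprise Only] and ACLs
  # are enabled on the Consul cluster and you are not setting
  # `global.acls.manageSystemACLs` to `true`.
  # This token needs to have `operator = "write"` privileges to be able to
  # create Consul namespaces.
  # Only the secret's name and key belong here; the token value itself stays
  # in the Kubernetes secret.
  aclInjectToken:
    # The name of the Kubernetes secret.
    # @type: string
    secretName: null
    # The key of the Kubernetes secret.
    # @type: string
    secretKey: null

  sidecarProxy:
    # Set default resources for sidecar proxy. If null, that resource won't
    # be set.
    # These settings can be overridden on a per-pod basis via these annotations:
    #
    # - `consul.hashicorp.com/sidecar-proxy-cpu-limit`
    # - `consul.hashicorp.com/sidecar-proxy-cpu-request`
    # - `consul.hashicorp.com/sidecar-proxy-memory-limit`
    # - `consul.hashicorp.com/sidecar-proxy-memory-request`
    # @type: map
    resources:
      requests:
        # Recommended default: 100Mi
        # @type: string
        memory: null
        # Recommended default: 100m
        # @type: string
        cpu: null
      limits:
        # Recommended default: 100Mi
        # @type: string
        memory: null
        # Recommended default: 100m
        # @type: string
        cpu: null

  # Resource settings for the Connect injected init container.
  # @recurse: false
  # @type: map
  initContainer:
    resources:
      requests:
        memory: "25Mi"
        cpu: "50m"
      limits:
        memory: "150Mi"
        cpu: "50m"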
1648
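# Controller handles config entry custom resources.
# Requires consul >= 1.8.4.
# ServiceIntentions require consul 1.9+.
controller:
  # Enables the controller for managing custom resources.
  enabled: false

  # The number of deployment replicas.
  replicas: 1

  # Log verbosity level. One of "debug", "info", "warn", or "error".
  # The empty default presumably defers to `global.logLevel`, which applies to
  # components that do not override it.
  # @type: string
  logLevel: ""

  serviceAccount:
    # This value defines additional annotations for the controller service account. This should be formatted as a
    # multi-line string.
    #
    # ```yaml
    # annotations: |
    #   "sample/annotation1": "foo"
    #   "sample/annotation2": "bar"
    # ```
    #
    # @type: string
    annotations: null

  # Resource settings for controller pods.
  # Quantities are quoted so they are always read as strings, matching the
  # other resource blocks in this file.
  # @recurse: false
  # @type: map
  resources:
    limits:
      cpu: "100m"
      memory: "50Mi"
    requests:
      cpu: "100m"
      memory: "50Mi"

  # Optional YAML string to specify a nodeSelector config.
  # @type: string
  nodeSelector: null

  # Optional YAML string to specify tolerations.
  # @type: string
  tolerations: null

  # Affinity Settings
  # This should be a multi-line string matching the affinity object
  # @type: string
  affinity: null

  # Optional priorityClassName.
  priorityClassName: ""

  # Refers to a Kubernetes secret that you have created that contains
  # an ACL token for your Consul cluster which grants the controller process the correct
  # permissions. This is only needed if you are managing ACLs yourself (i.e. not using
  # `global.acls.manageSystemACLs`).
  #
  # If running Consul OSS, requires permissions:
  # ```hcl
  # operator = "write"
  # service_prefix "" {
  #   policy = "write"
  #   intentions = "write"
  # }
  # ```
  # If running Consul Enterprise, talk to your account manager for assistance.
  #
  # NOTE: the empty `service_prefix` matches every service, so this token can
  # write any service registration and intention. Restrict read access to the
  # referenced Kubernetes secret accordingly.
  aclToken:
    # The name of the Kubernetes secret.
    # @type: string
    secretName: null
    # The key of the Kubernetes secret.
    # @type: string
    secretKey: null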
1724
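# Mesh Gateways enable Consul Connect to work across Consul datacenters.
meshGateway:
  # If mesh gateways are enabled, a Deployment will be created that runs
  # gateways and Consul Connect will be configured to use gateways.
  # See https://www.consul.io/docs/connect/mesh_gateway.html
  # Requirements: consul 1.6.0+ and consul-k8s 0.15.0+ if using
  # global.acls.manageSystemACLs.
  enabled: false

  # Number of replicas for the Deployment.
  replicas: 2

  # What gets registered as WAN address for the gateway.
  wanAddress:
    # source configures where to retrieve the WAN address (and possibly port)
    # for the mesh gateway from.
    # Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`.
    #
    # - `Service` - Determine the address based on the service type.
    #
    #   - If `service.type=LoadBalancer` use the external IP or hostname of
    #     the service. Use the port set by `service.port`.
    #
    #   - If `service.type=NodePort` use the Node IP. The port will be set to
    #     `service.nodePort` so `service.nodePort` cannot be null.
    #
    #   - If `service.type=ClusterIP` use the `ClusterIP`. The port will be set to
    #     `service.port`.
    #
    #   - `service.type=ExternalName` is not supported.
    #
    # - `NodeIP` - The node IP as provided by the Kubernetes downward API.
    #
    # - `NodeName` - The name of the node as provided by the Kubernetes downward
    #   API. This is useful if the node names are DNS entries that
    #   are routable from other datacenters.
    #
    # - `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`.
    source: "Service"

    # Port that gets registered for WAN traffic.
    # If source is set to "Service" then this setting will have no effect.
    # See the documentation for source as to which port will be used in that
    # case.
    port: 443

    # If source is set to "Static" then this value will be used as the WAN
    # address of the mesh gateways. This is useful if you've configured a
    # DNS entry to point to your mesh gateways.
    static: ""

  # The service option configures the Service that fronts the Gateway Deployment.
  service:
    # Whether to create a Service or not.
    enabled: true

    # Type of service, ex. LoadBalancer, ClusterIP.
    # NOTE: `LoadBalancer` asks the platform for an externally reachable
    # address. Whether that address is internet-facing depends on the cluster's
    # load balancer implementation and on any provider annotations set via
    # `annotations` below, so confirm the resulting exposure is intended.
    type: LoadBalancer

    # Port that the service will be exposed on.
    # The targetPort will be set to meshGateway.containerPort.
    port: 443

    # Optionally set the nodePort value of the service if using a NodePort service.
    # If not set and using a NodePort service, Kubernetes will automatically assign
    # a port.
    # @type: integer
    nodePort: null

    # Annotations to apply to the mesh gateway service.
    #
    # Example:
    #
    # ```yaml
    # annotations: |
    #   'annotation-key': annotation-value
    # ```
    # @type: string
    annotations: null

    # Optional YAML string that will be appended to the Service spec.
    # @type: string
    additionalSpec: null

  # If set to true, gateway Pods will run on the host network.
  # NOTE: host networking places the pod in the node's network namespace, so
  # the gateway binds its ports directly on the node and can reach node-local
  # listeners. Leave this false unless the deployment requires it.
  hostNetwork: false

  # dnsPolicy to use.
  # @type: string
  dnsPolicy: null

  # Consul service name for the mesh gateways.
  # Cannot be set to anything other than "mesh-gateway" if
  # global.acls.manageSystemACLs is true since the ACL token
  # generated is only for the name 'mesh-gateway'.
  consulServiceName: "mesh-gateway"

  # Port that the gateway will run on inside the container.
  containerPort: 8443

  # Optional hostPort for the gateway to be exposed on.
  # This can be used with wanAddress.port and wanAddress.useNodeIP
  # to expose the gateways directly from the node.
  # NOTE(review): `wanAddress` as defined above has no `useNodeIP` key; the
  # equivalent setting here appears to be `wanAddress.source: "NodeIP"` - confirm.
  # If hostNetwork is true, this must be null or set to the same port as
  # containerPort.
  # NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul
  # agent.
  # @type: integer
  hostPort: null

  serviceAccount:
    # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a
    # multi-line string.
    #
    # ```yaml
    # annotations: |
    #   "sample/annotation1": "foo"
    #   "sample/annotation2": "bar"
    # ```
    #
    # @type: string
    annotations: null

  # Resource settings for mesh gateway pods.
  # NOTE: The use of a YAML string is deprecated. Instead, set directly as a
  # YAML map.
  # @recurse: false
  # @type: map
  resources:
    requests:
      memory: "100Mi"
      cpu: "100m"
    limits:
      memory: "100Mi"
      cpu: "100m"

  # Resource settings for the `copy-consul-bin` init container.
  # @recurse: false
  # @type: map
  initCopyConsulContainer:
    resources:
      requests:
        memory: "25Mi"
        cpu: "50m"
      limits:
        memory: "150Mi"
        cpu: "50m"

  # By default, we set an anti-affinity so that two gateway pods won't be
  # on the same node. NOTE: Gateways require that Consul client agents are
  # also running on the nodes alongside each gateway pod.
  # The value is a YAML string, not a map; the `{{ ... }}` expressions inside
  # it are presumably expanded by the chart when it renders the Deployment.
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app: {{ template "consul.name" . }}
              release: "{{ .Release.Name }}"
              component: mesh-gateway
          topologyKey: kubernetes.io/hostname

  # Optional YAML string to specify tolerations.
  # @type: string
  tolerations: null

  # Optional YAML string to specify a nodeSelector config.
  # @type: string
  nodeSelector: null

  # Optional priorityClassName.
  priorityClassName: ""

  # Annotations to apply to the mesh gateway deployment.
  #
  # Example:
  #
  # ```yaml
  # annotations: |
  #   'annotation-key': annotation-value
  # ```
  # @type: string
  annotations: null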
1907
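# Configuration options for ingress gateways. Default values for all
# ingress gateways are defined in `ingressGateways.defaults`. Any of
# these values may be overridden in `ingressGateways.gateways` for a
# specific gateway with the exception of annotations. Annotations will
# include both the default annotations and any additional ones defined
# for a specific gateway.
# Requirements: consul >= 1.8.0 and consul-k8s >= 0.16.0 if using
# global.acls.manageSystemACLs and consul-k8s >= 0.10.0 if not.
ingressGateways:
  # Enable ingress gateway deployment. Requires `connectInject.enabled=true`
  # and `client.enabled=true`.
  enabled: false

  # Defaults sets default values for all gateway fields. With the exception
  # of annotations, defining any of these values in the `gateways` list
  # will override the default values provided here. Annotations will
  # include both the default annotations and any additional ones defined
  # for a specific gateway.
  defaults:
    # Number of replicas for each ingress gateway defined.
    replicas: 2

    # The service options configure the Service that fronts the gateway Deployment.
    service:
      # Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service
      # type, you must set the desired nodePorts in the `ports` setting below.
      # NOTE: the `ClusterIP` default keeps the gateway reachable only from
      # inside the cluster; `LoadBalancer` and `NodePort` expose the listener
      # ports outside it, so confirm that exposure is intended before switching.
      type: ClusterIP

      # Ports that will be exposed on the service and gateway container. Any
      # ports defined as ingress listeners on the gateway's Consul configuration
      # entry should be included here. The first port will be used as part of
      # the Consul service registration for the gateway and be listed in its
      # SRV record. If using a NodePort service type, you must specify the
      # desired nodePort for each exposed port.
      # @type: array<map>
      # @default: [{port: 8080}, {port: 8443}]
      # @recurse: false
      ports:
        - port: 8080
          nodePort: null
        - port: 8443
          nodePort: null

      # Annotations to apply to the ingress gateway service. Annotations defined
      # here will be applied to all ingress gateway services in addition to any
      # service annotations defined for a specific gateway in `ingressGateways.gateways`.
      #
      # Example:
      #
      # ```yaml
      # annotations: |
      #   'annotation-key': annotation-value
      # ```
      # @type: string
      annotations: null

      # Optional YAML string that will be appended to the Service spec.
      # @type: string
      additionalSpec: null

    serviceAccount:
      # This value defines additional annotations for the ingress gateways' service account. This should be formatted
      # as a multi-line string.
      #
      # ```yaml
      # annotations: |
      #   "sample/annotation1": "foo"
      #   "sample/annotation2": "bar"
      # ```
      #
      # @type: string
      annotations: null

    # Resource limits for all ingress gateway pods
    # @recurse: false
    # @type: map
    resources:
      requests:
        memory: "100Mi"
        cpu: "100m"
      limits:
        memory: "100Mi"
        cpu: "100m"

    # Resource settings for the `copy-consul-bin` init container.
    # @recurse: false
    # @type: map
    initCopyConsulContainer:
      resources:
        requests:
          memory: "25Mi"
          cpu: "50m"
        limits:
          memory: "150Mi"
          cpu: "50m"

    # By default, we set an anti-affinity so that two of the same gateway pods
    # won't be on the same node. NOTE: Gateways require that Consul client agents are
    # also running on the nodes alongside each gateway pod.
    # The value is a YAML string, not a map; the `{{ ... }}` expressions inside
    # it are presumably expanded by the chart when it renders the Deployment.
    affinity: |
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app: {{ template "consul.name" . }}
                release: "{{ .Release.Name }}"
                component: ingress-gateway
            topologyKey: kubernetes.io/hostname

    # Optional YAML string to specify tolerations.
    # @type: string
    tolerations: null

    # Optional YAML string to specify a nodeSelector config.
    # @type: string
    nodeSelector: null

    # Optional priorityClassName.
    priorityClassName: ""

    # Annotations to apply to the ingress gateway deployment. Annotations defined
    # here will be applied to all ingress gateway deployments in addition to any
    # annotations defined for a specific gateway in `ingressGateways.gateways`.
    #
    # Example:
    #
    # ```yaml
    # annotations: |
    #   "annotation-key": 'annotation-value'
    # ```
    # @type: string
    annotations: null

    # [Enterprise Only] `consulNamespace` defines the Consul namespace to register
    # the gateway into. Requires `global.enableConsulNamespaces` to be true and
    # Consul Enterprise v1.7+ with a valid Consul Enterprise license.
    # Note: The Consul namespace MUST exist before the gateway is deployed.
    consulNamespace: "default"

  # Gateways is a list of gateway objects. The only required field for
  # each is `name`, though they can also contain any of the fields in
  # `defaults`. Values defined here override the defaults except in the
  # case of annotations where both will be applied.
  # @type: array<map>
  gateways:
    - name: ingress-gateway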
2054
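# Configuration options for terminating gateways. Default values for all
# terminating gateways are defined in `terminatingGateways.defaults`. Any of
# these values may be overridden in `terminatingGateways.gateways` for a
# specific gateway with the exception of annotations. Annotations will
# include both the default annotations and any additional ones defined
# for a specific gateway.
# Requirements: consul >= 1.8.0 and consul-k8s >= 0.16.0 if using
# global.acls.manageSystemACLs and consul-k8s >= 0.10.0 if not.
terminatingGateways:
  # Enable terminating gateway deployment. Requires `connectInject.enabled=true`
  # and `client.enabled=true`.
  enabled: false

  # Defaults sets default values for all gateway fields. With the exception
  # of annotations, defining any of these values in the `gateways` list
  # will override the default values provided here. Annotations will
  # include both the default annotations and any additional ones defined
  # for a specific gateway.
  defaults:
    # Number of replicas for each terminating gateway defined.
    replicas: 2

    # A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig/<name>/`.
    # NOTE: a secret listed here is mounted into the gateway pod, so anything
    # that can read the pod's filesystem can read the secret. Mount only the
    # secrets the gateway needs, and use `items` to select individual keys.
    #
    # Example:
    #
    # ```yaml
    # extraVolumes:
    #   - type: secret
    #     name: my-secret
    #     items: # optional items array
    #       - key: key
    #         path: path # secret will now mount to /consul/userconfig/my-secret/path
    # ```
    # @type: array<map>
    extraVolumes: []

    # Resource limits for all terminating gateway pods
    # @recurse: false
    # @type: map
    resources:
      requests:
        memory: "100Mi"
        cpu: "100m"
      limits:
        memory: "100Mi"
        cpu: "100m"

    # Resource settings for the `copy-consul-bin` init container.
    # @recurse: false
    # @type: map
    initCopyConsulContainer:
      resources:
        requests:
          memory: "25Mi"
          cpu: "50m"
        limits:
          memory: "150Mi"
          cpu: "50m"

    # By default, we set an anti-affinity so that two of the same gateway pods
    # won't be on the same node. NOTE: Gateways require that Consul client agents are
    # also running on the nodes alongside each gateway pod.
    # The value is a YAML string, not a map; the `{{ ... }}` expressions inside
    # it are presumably expanded by the chart when it renders the Deployment.
    affinity: |
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app: {{ template "consul.name" . }}
                release: "{{ .Release.Name }}"
                component: terminating-gateway
            topologyKey: kubernetes.io/hostname

    # Optional YAML string to specify tolerations.
    # @type: string
    tolerations: null

    # Optional YAML string to specify a nodeSelector config.
    # @type: string
    nodeSelector: null

    # Optional priorityClassName.
    # @type: string
    priorityClassName: ""

    # Annotations to apply to the terminating gateway deployment. Annotations defined
    # here will be applied to all terminating gateway deployments in addition to any
    # annotations defined for a specific gateway in `terminatingGateways.gateways`.
    #
    # Example:
    #
    # ```yaml
    # annotations: |
    #   'annotation-key': annotation-value
    # ```
    # @type: string
    annotations: null

    serviceAccount:
      # This value defines additional annotations for the terminating gateways' service account. This should be
      # formatted as a multi-line string.
      #
      # ```yaml
      # annotations: |
      #   "sample/annotation1": "foo"
      #   "sample/annotation2": "bar"
      # ```
      #
      # @type: string
      annotations: null

    # [Enterprise Only] `consulNamespace` defines the Consul namespace to register
    # the gateway into. Requires `global.enableConsulNamespaces` to be true and
    # Consul Enterprise v1.7+ with a valid Consul Enterprise license.
    # Note: The Consul namespace MUST exist before the gateway is deployed.
    consulNamespace: "default"

  # Gateways is a list of gateway objects. The only required field for
  # each is `name`, though they can also contain any of the fields in
  # `defaults`. Values defined here override the defaults except in the
  # case of annotations where both will be applied.
  # @type: array<map>
  gateways:
    - name: terminating-gateway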
2179
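# Configures a demo Prometheus installation.
# NOTE(review): described only as a demo instance; presumably not hardened or
# sized for production use - confirm before enabling outside test clusters.
prometheus:
  # When true, the Helm chart will install a demo Prometheus server instance
  # alongside Consul.
  enabled: false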
2185
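# Control whether a test Pod manifest is generated when running helm template.
# When using helm install, the test Pod is not submitted to the cluster so this
# is only useful when running helm template.
# If the output of helm template is applied to a cluster directly, set this to
# false so that the test Pod manifest is not included.
tests:
  enabled: true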