Helm Chart Configuration
The chart is highly customizable using Helm configuration values. Each value has a reasonable default tuned for an optimal getting started experience with Consul.
Top-Level Stanzas
Use these links to navigate to a particular top-level stanza.
- global
- server
- externalServers
- client
- dns
- ui
- syncCatalog
- connectInject
- controller
- meshGateway
- ingressGateways
- terminatingGateways
- apiGateway
- webhookCertManager
- prometheus
- tests
All Values
global
global - Holds values that affect multiple components of the chart.
enabled (
boolean: true
) - The main enabled/disabled setting. If true, servers, clients, Consul DNS and the Consul UI will be enabled. Each component can override this default via its component-specific “enabled” config. If false, no components will be installed by default and per-component opt-in is required, such as by settingserver.enabled
to true.logLevel (
string: info
) - The default log level to apply to all components which do not otherwise override this setting. It is recommended to generally not set this below “info” unless actively debugging due to logging verbosity. One of “debug”, “info”, “warn”, or “error”.logJSON (
boolean: false
) - Enable all component logs to be output in JSON format.name (
string: null
) - Set the prefix used for all resources in the Helm chart. If not set, the prefix will be<helm release name>-consul
.domain (
string: consul
) - The domain Consul will answer DNS queries for (see-domain
(https://www.consul.io/docs/agent/config/cli-flags#_domain)) and the domain services synced from Consul into Kubernetes will have, e.g.service-name.service.consul
.peering - [Experimental] Configures the Cluster Peering feature. Requires Consul v1.13+ and Consul-K8s v0.45+.
- enabled (
boolean: false
) - If true, the Helm chart enables Cluster Peering for the cluster. This option enables peering controllers and allows use of the PeeringAcceptor and PeeringDialer CRDs for establishing service mesh peerings.
- enabled (
-
Enterprise
Enabling
adminPartitions
allows creation of Admin Partitions in Kubernetes clusters. It additionally indicates that you are running Consul Enterprise v1.11+ with a valid Consul Enterprise license. Admin partitions enables deploying services across partitions, while sharing a set of Consul servers.enabled (
boolean: false
) - If true, the Helm chart will enable Admin Partitions for the cluster. The clients in the server cluster must be installed in the default partition. Creation of Admin Partitions is only supported during installation. Admin Partitions cannot be installed via a Helm upgrade operation. Only Helm installs are supported.name (
string: default
) - The name of the Admin Partition. The partition name cannot be modified once the partition has been installed. Changing the partition name would require an un-install and a re-install with the updated name. Must be “default” in the server cluster ie the Kubernetes cluster that the Consul server pods are deployed onto.service - Partition service properties.
type (
string: LoadBalancer
)nodePort - Optionally set the nodePort value of the partition service if using a NodePort service. If not set and using a NodePort service, Kubernetes will automatically assign a port.
annotations (
string: null
) - Annotations to apply to the partition service.annotations: |
"annotation-key": "annotation-value"
annotations: |
"annotation-key": "annotation-value"
image (
string: hashicorp/consul:<latest version>
) - The name (and tag) of the Consul Docker image for clients and servers. This can be overridden per component. This should be pinned to a specific version tag, otherwise you may inadvertently upgrade your Consul version.Examples:
# Consul 1.10.0
image: "consul:1.10.0"
# Consul Enterprise 1.10.0
image: "hashicorp/consul-enterprise:1.10.0-ent"
# Consul 1.10.0
image: "consul:1.10.0"
# Consul Enterprise 1.10.0
image: "hashicorp/consul-enterprise:1.10.0-ent"
imagePullSecrets (
array<map>
) - Array of objects containing image pull secret names that will be applied to each service account. This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. See https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry for reference.Example:
imagePullSecrets:
- name: pull-secret-name
- name: pull-secret-name-2
imagePullSecrets:
- name: pull-secret-name
- name: pull-secret-name-2
imageK8S (
string: hashicorp/consul-k8s-control-plane:<latest version>
) - The name (and tag) of the consul-k8s-control-plane Docker image that is used for functionality such as catalog sync. This can be overridden per component.datacenter (
string: dc1
) - The name of the datacenter that the agents should register as. This can’t be changed once the Consul cluster is up and running since Consul doesn’t support an automatic way to change this value currently: https://github.com/hashicorp/consul/issues/1858.enablePodSecurityPolicies (
boolean: false
) - Controls whether pod security policies are created for the Consul components created by this chart. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/.secretsBackend - secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation. The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled and have necessary secrets, policies and roles created prior to installing Consul. See https://www.consul.io/docs/k8s/installation/vault for full instructions.
The Vault cluster must not have the Consul cluster installed by this Helm chart as its storage backend as that would cause a circular dependency. Vault can have Consul as its storage backend as long as that Consul cluster is not running on this Kubernetes cluster and is being managed separately from this Helm installation.
Note: When using Vault KV2 secrets engines the “data” field is implicitly required for Vault API calls, secretName should be in the form of “vault-kv2-mount-path/data/secret-name”. secretKey should be in the form of “key”.
-
enabled (
boolean: false
) - Enabling the Vault secrets backend will replace Kubernetes secrets with referenced Vault secrets.consulServerRole (
string: ""
) - The Vault role for the Consul server. The role must be connected to the Consul server’s service account. The role must also have a policy with read capabilities for the following secrets:- gossip encryption key defined by the
global.gossipEncryption.secretName
value - certificate issue path defined by the
server.serverCert.secretName
value - CA certificate defined by the
global.tls.caCert.secretName
value - replication token defined by the
global.acls.replicationToken.secretName
value ifglobal.federation.enabled
istrue
To discover the service account name of the Consul server, run
$ helm template --show-only templates/server-serviceaccount.yaml <release-name> hashicorp/consul
$ helm template --show-only templates/server-serviceaccount.yaml <release-name> hashicorp/consul
and check the name of
metadata.name
.- gossip encryption key defined by the
consulClientRole (
string: ""
) - The Vault role for the Consul client. The role must be connected to the Consul client’s service account. The role must also have a policy with read capabilities for the gossip encryption key defined by theglobal.gossipEncryption.secretName
value. To discover the service account name of the Consul client, run$ helm template --show-only templates/client-serviceaccount.yaml <release-name> hashicorp/consul
$ helm template --show-only templates/client-serviceaccount.yaml <release-name> hashicorp/consul
and check the name of
metadata.name
.consulSnapshotAgentRole (
string: ""
) -Enterprise
The Vault role for the Consul client snapshot agent. The role must be connected to the Consul client snapshot agent’s service account. The role must also have a policy with read capabilities for the snapshot agent config defined by the
client.snapshotAgent.configSecret.secretName
value. To discover the service account name of the Consul client, run$ helm template --show-only templates/client-snapshot-agent-serviceaccount.yaml --set client.snapshotAgent.enabled=true <release-name> hashicorp/consul
$ helm template --show-only templates/client-snapshot-agent-serviceaccount.yaml --set client.snapshotAgent.enabled=true <release-name> hashicorp/consul
and check the name of
metadata.name
.manageSystemACLsRole (
string: ""
) - A Vault role for the Consulserver-acl-init
job, which manages setting ACLs so that clients and components can obtain ACL tokens. The role must be connected to theserver-acl-init
job’s service account. The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens To discover the service account name of theserver-acl-init
job, run$ helm template --show-only templates/server-acl-init-serviceaccount.yaml \
--set global.acls.manageSystemACLs=true <release-name> hashicorp/consul
$ helm template --show-only templates/server-acl-init-serviceaccount.yaml \
--set global.acls.manageSystemACLs=true <release-name> hashicorp/consul
and check the name of
metadata.name
.adminPartitionsRole (
string: ""
) -Enterprise
A Vault role that allows the Consul
partition-init
job to read a Vault secret for the partition ACL token. Thepartition-init
job bootstraps Admin Partitions on Consul servers. . This role must be bound thepartition-init
job’s service account. To discover the service account name of thepartition-init
job, run with Helm values for the client cluster:$ helm template --show-only templates/partition-init-serviceaccount.yaml -f client-cluster-values.yaml <release-name> hashicorp/consul
$ helm template --show-only templates/partition-init-serviceaccount.yaml -f client-cluster-values.yaml <release-name> hashicorp/consul
and check the name of
metadata.name
.controllerRole (
string: ""
) - The Vault role to read Consul controller’s webhook’s CA and issue a certificate and private key. A Vault policy must be created which grants issue capabilities toglobal.secretsBackend.vault.controller.tlsCert.secretName
.connectInjectRole (
string: ""
) - The Vault role to read Consul connect-injector webhook’s CA and issue a certificate and private key. A Vault policy must be created which grants issue capabilities toglobal.secretsBackend.vault.connectInject.tlsCert.secretName
.consulCARole (
string: ""
) - The Vault role for all Consul components to read the Consul’s server’s CA Certificate (unauthenticated). The role should be connected to the service accounts of all Consul components, or alternatively*
since it will be used only against thepki/cert/ca
endpoint which is unauthenticated. A policy must be created which grants read capabilities toglobal.tls.caCert.secretName
, which is usuallypki/cert/ca
.agentAnnotations (
string: null
) - This value defines additional annotations for Vault agent on any pods where it’ll be running. This should be formatted as a multi-line string.annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
ca - Configuration for Vault server CA certificate. This certificate will be mounted to any pod where Vault agent needs to run.
secretName (
string: ""
) - The name of the Kubernetes or Vault secret that holds the Vault CA certificate. A Kubernetes secret must be in the same namespace that Consul is installed into.secretKey (
string: ""
) - The key within the Kubernetes or Vault secret that holds the Vault CA certificate.
connectCA - Configuration for the Vault Connect CA provider. The provider will be configured to use the Vault Kubernetes auth method and therefore requires the role provided by
global.secretsBackend.vault.consulServerRole
to have permissions to the root and intermediate PKI paths. Please see https://www.consul.io/docs/connect/ca/vault#vault-acl-policies for information on how to configure the Vault policies.address (
string: ""
) - The address of the Vault server.authMethodPath (
string: kubernetes
) - The mount path of the Kubernetes auth method in Vault.rootPKIPath (
string: ""
) - The path to a PKI secrets engine for the root certificate. Please see https://www.consul.io/docs/connect/ca/vault#rootpkipath.intermediatePKIPath (
string: ""
) - The path to a PKI secrets engine for the generated intermediate certificate. Please see https://www.consul.io/docs/connect/ca/vault#intermediatepkipath.additionalConfig (
string: {}
) - Additional Connect CA configuration in JSON format. Please see https://www.consul.io/docs/connect/ca/vault#common-ca-config-options for additional configuration options.Example:
additionalConfig: |
{
"connect": [{
"ca_config": [{
"leaf_cert_ttl": "36h"
}]
}]
}
additionalConfig: |
{
"connect": [{
"ca_config": [{
"leaf_cert_ttl": "36h"
}]
}]
}
-
tlsCert - Configuration to the Vault Secret that Kubernetes will use on Kubernetes CRD creation, deletion, and update, to get TLS certificates used issued from vault to send webhooks to the controller.
- secretName (
string: null
) - The Vault secret path that issues TLS certificates for controller webhooks.
- secretName (
caCert - Configuration to the Vault Secret that Kubernetes will use on Kubernetes CRD creation, deletion, and update, to get CA certificates used issued from vault to send webhooks to the controller.
- secretName (
string: null
) - The Vault secret path that contains the CA certificate for controller webhooks.
- secretName (
-
caCert - Configuration to the Vault Secret that Kubernetes will use on Kubernetes pod creation, deletion, and update, to get CA certificates used issued from vault to send webhooks to the ConnectInject.
- secretName (
string: null
) - The Vault secret path that contains the CA certificate for Connect Inject webhooks.
- secretName (
tlsCert - Configuration to the Vault Secret that Kubernetes will use on Kubernetes pod creation, deletion, and update, to get TLS certificates used issued from vault to send webhooks to the ConnectInject.
- secretName (
string: null
) - The Vault secret path that issues TLS certificates for connect inject webhooks.
- secretName (
-
gossipEncryption - Configures Consul’s gossip encryption key. (see
-encrypt
(https://www.consul.io/docs/agent/config/cli-flags#_encrypt)). By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. The recommended method is to automatically generate the key. To automatically generate and set a gossip encryption key, set autoGenerate to true. Values for secretName and secretKey should not be set if autoGenerate is true. To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate a key, saving this as a Kubernetes secret or Vault secret path and key. Ifglobal.secretsBackend.vault.enabled=true
, be sure to add the “data” component of the secretName path as required by the Vault KV-2 secrets engine [see example].$ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen)
$ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen)
Vault CLI Example:
$ vault kv put consul/secrets/gossip key=$(consul keygen)
$ vault kv put consul/secrets/gossip key=$(consul keygen)
gossipEncryption.secretName="consul/data/secrets/gossip"
gossipEncryption.secretKey="key"
autoGenerate (
boolean: false
) - Automatically generate a gossip encryption key and save it to a Kubernetes or Vault secret.secretName (
string: ""
) - The name of the Kubernetes secret or Vault secret path that holds the gossip encryption key. A Kubernetes secret must be in the same namespace that Consul is installed into.secretKey (
string: ""
) - The key within the Kubernetes secret or Vault secret key that holds the gossip encryption key.
recursors (
array<string>: []
) - A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. These values are given as-recursor
flags to Consul servers and clients. See https://www.consul.io/docs/agent/config/cli-flags#_recursor for more details. If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default.consul
).tls - Enables TLS (https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure) across the cluster to verify authenticity of the Consul servers and clients. Requires Consul v1.4.1+.
enabled (
boolean: false
) - If true, the Helm chart will enable TLS for Consul servers and clients and all consul-k8s-control-plane components, as well as generate certificate authority (optional) and server and client certificates.enableAutoEncrypt (
boolean: false
) - If true, turns on the auto-encrypt feature on clients and servers. It also switches consul-k8s-control-plane components to retrieve the CA from the servers via the API. Requires Consul 1.7.1+.serverAdditionalDNSSANs (
array<string>: []
) - A list of additional DNS names to set as Subject Alternative Names (SANs) in the server certificate. This is useful when you need to access the Consul server(s) externally, for example, if you’re using the UI.serverAdditionalIPSANs (
array<string>: []
) - A list of additional IP addresses to set as Subject Alternative Names (SANs) in the server certificate. This is useful when you need to access the Consul server(s) externally, for example, if you’re using the UI.verify (
boolean: true
) - If true,verify_outgoing
,verify_server_hostname
, andverify_incoming
for internal RPC communication will be set totrue
for Consul servers and clients. Set this to false to incrementally roll out TLS on an existing Consul cluster. Please see https://consul.io/docs/k8s/operations/tls-on-existing-cluster for more details.httpsOnly (
boolean: true
) - If true, the Helm chart will configure Consul to disable the HTTP port on both clients and servers and to only accept HTTPS connections.caCert - A secret containing the certificate of the CA to use for TLS communication within the Consul cluster. If you have generated the CA yourself with the consul CLI, you could use the following command to create the secret in Kubernetes:
$ kubectl create secret generic consul-ca-cert \
--from-file='tls.crt=./consul-agent-ca.pem'
$ kubectl create secret generic consul-ca-cert \
--from-file='tls.crt=./consul-agent-ca.pem'
If you are using Vault as a secrets backend with TLS,
caCert.secretName
must be provided and should reference the CA path for your PKI secrets engine. This should be of the formpki/cert/ca
wherepki
is the mount point of your PKI secrets engine. A read policy must be created and associated with the CA cert path forglobal.tls.caCert.secretName
. This will be consumed by theglobal.secretsBackend.vault.consulCARole
role by all Consul components. When using Vault the secretKey is not used.secretName (
string: null
) - The name of the Kubernetes or Vault secret that holds the CA certificate.secretKey (
string: null
) - The key within the Kubernetes or Vault secret that holds the CA certificate.
caKey - A Kubernetes or Vault secret containing the private key of the CA to use for TLS communication within the Consul cluster. If you have generated the CA yourself with the consul CLI, you could use the following command to create the secret in Kubernetes:
$ kubectl create secret generic consul-ca-key \
--from-file='tls.key=./consul-agent-ca-key.pem'
$ kubectl create secret generic consul-ca-key \
--from-file='tls.key=./consul-agent-ca-key.pem'
Note that we need the CA key so that we can generate server and client certificates. It is particularly important for the client certificates since they need to have host IPs as Subject Alternative Names. In the future, we may support bringing your own server certificates.
secretName (
string: null
) - The name of the Kubernetes or Vault secret that holds the CA key.secretKey (
string: null
) - The key within the Kubernetes or Vault secret that holds the CA key.
enableConsulNamespaces (
boolean: false
) -Enterprise
enableConsulNamespaces
indicates that you are running Consul Enterprise v1.7+ with a valid Consul Enterprise license and would like to make use of configuration beyond registering everything into thedefault
Consul namespace. Additional configuration options are found in theconsulNamespaces
section of both the catalog sync and connect injector.acls - Configure ACLs.
manageSystemACLs (
boolean: false
) - If true, the Helm chart will automatically manage ACL tokens and policies for all Consul and consul-k8s-control-plane components. This requires Consul >= 1.4.bootstrapToken - A Kubernetes or Vault secret containing the bootstrap token to use for creating policies and tokens for all Consul and consul-k8s-control-plane components. If set, we will skip ACL bootstrapping of the servers and will only initialize ACLs for the Consul clients and consul-k8s-control-plane system components.
secretName (
string: null
) - The name of the Kubernetes or Vault secret that holds the bootstrap token.secretKey (
string: null
) - The key within the Kubernetes or Vault secret that holds the bootstrap token.
createReplicationToken (
boolean: false
) - If true, an ACL token will be created that can be used in secondary datacenters for replication. This should only be set to true in the primary datacenter since the replication token must be created from that datacenter. In secondary datacenters, the secret needs to be imported from the primary datacenter and referenced viaglobal.acls.replicationToken
.replicationToken - replicationToken references a secret containing the replication ACL token. This token will be used by secondary datacenters to perform ACL replication and create ACL tokens and policies. This value is ignored if
bootstrapToken
is also set.secretName (
string: null
) - The name of the Kubernetes or Vault secret that holds the replication token.secretKey (
string: null
) - The key within the Kubernetes or Vault secret that holds the replication token.
partitionToken - partitionToken references a Vault secret containing the ACL token to be used in non-default partitions. This value should only be provided in the default partition and only when setting the
global.secretsBackend.vault.enabled
value to true. Consul will use the value of the secret stored in Vault to create an ACL token in Consul with the value of the secret as the secretID for the token. In non-default, partitions set this secret as thebootstrapToken
.secretName (
string: null
) - The name of the Vault secret that holds the partition token.secretKey (
string: null
) - The key within the Vault secret that holds the parition token.
-
Enterprise
This value refers to a Kubernetes or Vault secret that you have created that contains your enterprise license. It is required if you are using an enterprise binary. Defining it here applies it to your cluster once a leader has been elected. If you are not using an enterprise image or if you plan to introduce the license key via another route, then set these fields to null. Note: the job to apply license runs on both Helm installs and upgrades.
secretName (
string: null
) - The name of the Kubernetes or Vault secret that holds the enterprise license. A Kubernetes secret must be in the same namespace that Consul is installed into.secretKey (
string: null
) - The key within the Kubernetes or Vault secret that holds the enterprise license.enableLicenseAutoload (
boolean: true
) - Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+.
federation - Configure federation.
enabled (
boolean: false
) - If enabled, this datacenter will be federation-capable. Only federation via mesh gateways is supported. Mesh gateways and servers will be configured to allow federation. Requiresglobal.tls.enabled
,meshGateway.enabled
andconnectInject.enabled
to be true. Requires Consul 1.8+.createFederationSecret (
boolean: false
) - If true, the chart will create a Kubernetes secret that can be imported into secondary datacenters so they can federate with this datacenter. The secret contains all the information secondary datacenters need to contact and authenticate with this datacenter. This should only be set to true in your primary datacenter. The secret name is<global.name>-federation
(if settingglobal.name
), otherwise<helm-release-name>-consul-federation
.primaryDatacenter (
string: null
) - The name of the primary datacenter.primaryGateways (
array<string>: []
) - A list of addresses of the primary mesh gateways in the form<ip>:<port>
. (e.g. [“1.1.1.1:443”, “2.3.4.5:443”]k8sAuthMethodHost (
string: null
) - If you are settingglobal.federation.enabled
to true and are in a secondary datacenter, setk8sAuthMethodHost
to the address of the Kubernetes API server of the secondary datacenter. This address must be reachable from the Consul servers in the primary datacenter. This auth method will be used to provision ACL tokens for Consul components and is different from the one used by the Consul Service Mesh. Please see the Kubernetes Auth Method documentation.You can retrieve this value from your
kubeconfig
by running:$ kubectl config view \
-o jsonpath="{.clusters[?(@.name=='<your cluster name>')].cluster.server}"
$ kubectl config view \
-o jsonpath="{.clusters[?(@.name=='<your cluster name>')].cluster.server}"
metrics - Configures metrics for Consul service mesh
enabled (
boolean: false
) - Configures the Helm chart’s components to expose Prometheus metrics for the Consul service mesh. By default this includes gateway metrics and sidecar metrics.enableAgentMetrics (
boolean: false
) - Configures consul agent metrics. Only applicable ifglobal.metrics.enabled
is true.agentMetricsRetentionTime (
string: 1m
) - Configures the retention time for metrics in Consul clients and servers. This must be greater than 0 for Consul clients and servers to expose any metrics at all. Only applicable ifglobal.metrics.enabled
is true.enableGatewayMetrics (
boolean: true
) - If true, mesh, terminating, and ingress gateways will expose their Envoy metrics on port20200
at the/metrics
path and all gateway pods will have Prometheus scrape annotations. Only applicable ifglobal.metrics.enabled
is true.
consulSidecarContainer (
map
) - For connect-injected pods, the consul sidecar is responsible for metrics merging. For ingress/mesh/terminating gateways, it additionally ensures the Consul services are always registered with their local Consul client.resources (
map
) - Set default resources for consul sidecar. If null, that resource won’t be set. These settings can be overridden on a per-pod basis via these annotations:
imageEnvoy (
string: envoyproxy/envoy-alpine:<latest supported version>
) - The name (and tag) of the Envoy Docker image used for the connect-injected sidecar proxies and mesh, terminating, and ingress gateways. See https://www.consul.io/docs/connect/proxies/envoy for full compatibility matrix between Consul and Envoy.openshift - Configuration for running this Helm chart on the Red Hat OpenShift platform. This Helm chart currently supports OpenShift v4.x+.
- enabled (
boolean: false
) - If true, the Helm chart will create necessary configuration for running its components on OpenShift.
- enabled (
- consulAPITimeout (
string: 5s
) - The time in seconds that the consul API client will wait for a response from the API before cancelling the request.
server
server - Server, when enabled, configures a server cluster to run. This should be disabled if you plan on connecting to a Consul cluster external to the Kube cluster.
enabled (
boolean: global.enabled
) - If true, the chart will install all the resources necessary for a Consul server cluster. If you’re running Consul externally and want agents within Kubernetes to join that cluster, this should probably be false.image (
string: null
) - The name of the Docker image (including any tag) for the containers running Consul server agents.replicas (
integer: 3
) - The number of server agents to run. This determines the fault tolerance of the cluster. Please see the deployment table (https://consul.io/docs/internals/consensus#deployment-table) for more information.bootstrapExpect (
int: null
) - The number of servers that are expected to be running. It defaults to server.replicas. In most cases the default should be used, however if there are more servers in this datacenter than server.replicas it might make sense to override the default. This would be the case if two kube clusters were joined into the same datacenter and each cluster ran a certain number of servers.serverCert - A secret containing a certificate & key for the server agents to use for TLS communication within the Consul cluster. Cert needs to be provided with additional DNS name SANs so that it will work within the Kubernetes cluster:
Kubernetes Secrets backend:
consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \
-key=consul-agent-ca-key.pem -dc={{datacenter}} \
-additional-dnsname="{{fullname}}-server" \
-additional-dnsname="*.{{fullname}}-server" \
-additional-dnsname="*.{{fullname}}-server.{{namespace}}" \
-additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \
-additional-dnsname="*.server.{{datacenter}}.{{domain}}" \
-additional-dnsname="server.{{datacenter}}.{{domain}}"
consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \
-key=consul-agent-ca-key.pem -dc={{datacenter}} \
-additional-dnsname="{{fullname}}-server" \
-additional-dnsname="*.{{fullname}}-server" \
-additional-dnsname="*.{{fullname}}-server.{{namespace}}" \
-additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \
-additional-dnsname="*.server.{{datacenter}}.{{domain}}" \
-additional-dnsname="server.{{datacenter}}.{{domain}}"
If you have generated the server-cert yourself with the consul CLI, you could use the following command to create the secret in Kubernetes:
kubectl create secret generic consul-server-cert \
--from-file='tls.crt=./dc1-server-consul-0.pem'
--from-file='tls.key=./dc1-server-consul-0-key.pem'
kubectl create secret generic consul-server-cert \
--from-file='tls.crt=./dc1-server-consul-0.pem'
--from-file='tls.key=./dc1-server-consul-0-key.pem'
Vault Secrets backend: If you are using Vault as a secrets backend, a Vault Policy must be created which allows
["create", "update"]
capabilities on the PKI issuing endpoint, which is usually of the formpki/issue/consul-server
. Please see the following guide for steps to generate a compatible certificate: https://learn.hashicorp.com/tutorials/consul/vault-pki-consul-secure-tls Note: when using TLS, both theserver.serverCert
andglobal.tls.caCert
which points to the CA endpoint of this PKI engine must be provided.- secretName (
string: null
) - The name of the Vault secret that holds the PEM encoded server certificate.
exposeGossipAndRPCPorts (
boolean: false
) - Exposes the servers’ gossip and RPC ports as hostPorts. To enable a client agent outside of the k8s cluster to join the datacenter, you would need to enableserver.exposeGossipAndRPCPorts
,client.exposeGossipPorts
, and setserver.ports.serflan.port
to a port not being used on the host. Sinceclient.exposeGossipPorts
uses the hostPort 8301,server.ports.serflan.port
must be set to something other than 8301.ports - Configures ports for the consul servers.
serflan - Configures the LAN gossip port for the consul servers. If you choose to enable
server.exposeGossipAndRPCPorts
andclient.exposeGossipPorts
, that will configure the LAN gossip ports on the servers and clients to be hostPorts, so if you are running clients and servers on the same node the ports will conflict if they are both 8301. When you enableserver.exposeGossipAndRPCPorts
andclient.exposeGossipPorts
, you must change this from the default to an unused port on the host, e.g. 9301. By default the LAN gossip port is 8301 and configured as a containerPort on the consul server Pods.- port (
integer: 8301
)
- port (
storage (
string: 10Gi
) - This defines the disk size for configuring the servers’ StatefulSet storage. For dynamically provisioned storage classes, this is the desired size. For manually defined persistent volumes, this should be set to the disk size of the attached volume.storageClass (
string: null
) - The StorageClass to use for the servers’ StatefulSet storage. It must be able to be dynamically provisioned if you want the storage to be automatically created. For example, to use local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) storage classes, the PersistentVolumeClaims would need to be manually created. Anull
value will use the Kubernetes cluster’s default StorageClass. If a default StorageClass does not exist, you will need to create one. See https://www.consul.io/docs/install/performance#read-write-tuning for considerations around choosing a performant storage class.connect (
boolean: true
) - This will enable/disable Connect (https://consul.io/docs/connect). Setting this to true will not automatically secure pod communication, this setting will only enable usage of the feature. Consul will automatically initialize a new CA and set of certificates. Additional Connect settings can be configured by setting theserver.extraConfig
value.-
annotations (
string: null
) - This value defines additional annotations for the server service account. This should be formatted as a multi-line string.annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
resources (
map
) - The resource requests (CPU, memory, etc.) for each of the server agents. This should be a YAML map corresponding to a Kubernetes ResourceRequirements (https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) object. NOTE: The use of a YAML string is deprecated.Example:
resources:
requests:
memory: '100Mi'
cpu: '100m'
limits:
memory: '100Mi'
cpu: '100m'
resources:
requests:
memory: '100Mi'
cpu: '100m'
limits:
memory: '100Mi'
cpu: '100m'
securityContext (
map
) - The security context for the server pods. This should be a YAML map corresponding to a Kubernetes SecurityContext object. By default, servers will run as non-root, with user ID100
and group ID1000
, which correspond to the consul user and group created by the Consul docker image. Note: if running on OpenShift, this setting is ignored because the user and group are set automatically by the OpenShift platform.containerSecurityContext (
map
) - The container securityContext for each container in the server pods. In addition to the Pod’s SecurityContext this can set the capabilities of processes running in the container and ensure the root file systems in the container is read-only.- server (
map
) - The consul server agent container
- server (
updatePartition (
integer: 0
) - This value is used to carefully control a rolling update of Consul server agents. This value specifies the partition (https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) for performing a rolling update. Please read the linked Kubernetes documentation and https://www.consul.io/docs/k8s/upgrade#upgrading-consul-servers for more information.disruptionBudget - This configures the PodDisruptionBudget (https://kubernetes.io/docs/tasks/run-application/configure-pdb/) for the server cluster.
enabled (
boolean: true
) - This will enable/disable registering a PodDisruptionBudget for the server cluster. If this is enabled, it will only register the budget so long as the server cluster is enabled.maxUnavailable (
integer: null
) - The maximum number of unavailable pods. By default, this will be automatically computed based on theserver.replicas
value to be(n/2)-1
. If you need to set this to0
, you will need to add a --set ‘server.disruptionBudget.maxUnavailable=0’` flag to the helm chart installation command because of a limitation in the Helm templating language.
extraConfig (
string: {}
) - A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul servers. This will be saved as-is into a ConfigMap that is read by the Consul server agents. This can be used to add additional configuration that isn’t directly exposed by the chart.Example:
extraConfig: |
{
"log_level": "DEBUG"
}
extraConfig: |
{
"log_level": "DEBUG"
}
This can also be set using Helm’s
--set
flag using the following syntax:--set 'server.extraConfig="{"log_level": "DEBUG"}"'
--set 'server.extraConfig="{"log_level": "DEBUG"}"'
extraVolumes (
array<map>
) - A list of extra volumes to mount for server agents. This is useful for bringing in extra data that can be referenced by other configurations at a well known path, such as TLS certificates or Gossip encryption keys. The value of this should be a list of objects.Example:
extraVolumes:
- type: secret
name: consul-certs
load: false
extraVolumes:
- type: secret
name: consul-certs
load: false
Each object supports the following keys:
type - Type of the volume, must be one of “configMap” or “secret”. Case sensitive.
name - Name of the configMap or secret to be mounted. This also controls the path that it is mounted to. The volume will be mounted to
/consul/userconfig/<name>
.load - If true, then the agent will be configured to automatically load HCL/JSON configuration files from this volume with
-config-dir
. This defaults to false.
extraContainers (
array<map>
) - A list of sidecar containers. Example:extraContainers:
- name: extra-container
image: example-image:latest
command:
- ...
extraContainers:
- name: extra-container
image: example-image:latest
command:
- ...
affinity (
string
) - This value defines the affinity (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) for server pods. It defaults to allowing only a single server pod on each node, which minimizes risk of the cluster becoming unusable if a node is lost. If you need to run more pods per node (for example, testing on Minikube), set this value tonull
.Example:
affinity: |
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app: {{ template "consul.name" . }}
release: "{{ .Release.Name }}"
component: server
topologyKey: kubernetes.io/hostname
affinity: |
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app: {{ template "consul.name" . }}
release: "{{ .Release.Name }}"
component: server
topologyKey: kubernetes.io/hostname
tolerations (
string: ""
) - Toleration settings for server pods. This should be a multi-line string matching the Tolerations (https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec.topologySpreadConstraints (
string: ""
) - Pod topology spread constraints for server pods. This should be a multi-line YAML string matching thetopologySpreadConstraints
array (https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) in a Pod Spec.This requires K8S >= 1.18 (beta) or 1.19 (stable).
Example:
topologySpreadConstraints: |
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app: {{ template "consul.name" . }}
release: "{{ .Release.Name }}"
component: server
topologySpreadConstraints: |
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app: {{ template "consul.name" . }}
release: "{{ .Release.Name }}"
component: server
nodeSelector (
string: null
) - This value definesnodeSelector
(https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) labels for server pod assignment, formatted as a multi-line string.Example:
nodeSelector: |
beta.kubernetes.io/arch: amd64
nodeSelector: |
beta.kubernetes.io/arch: amd64
priorityClassName (
string: ""
) - This value references an existing KubernetespriorityClassName
(https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) that can be assigned to server pods.extraLabels (
map
) - Extra labels to attach to the server pods. This should be a YAML map.Example:
extraLabels:
labelKey: label-value
anotherLabelKey: another-label-value
extraLabels:
labelKey: label-value
anotherLabelKey: another-label-value
annotations (
string: null
) - This value defines additional annotations for server pods. This should be formatted as a multi-line string.annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
service - Server service properties.
annotations (
string: null
) - Annotations to apply to the server service.annotations: |
"annotation-key": "annotation-value"
annotations: |
"annotation-key": "annotation-value"
extraEnvironmentVars (
map
) - A list of extra environment variables to set within the stateful set. These could be used to include proxy settings required for cloud auto-join feature, in case kubernetes cluster is behind egress http proxies. Additionally, it could be used to configure custom consul parameters.
externalServers
externalServers - Configuration for Consul servers when the servers are running outside of Kubernetes. When running external servers, configuring these values is recommended if setting
global.tls.enableAutoEncrypt
to true orglobal.acls.manageSystemACLs
to true.enabled (
boolean: false
) - If true, the Helm chart will be configured to talk to the external servers. If setting this to true, you must also setserver.enabled
to false.hosts (
array<string>: []
) - An array of external Consul server hosts that are used to make HTTPS connections from the components in this Helm chart. Valid values include IPs, DNS names, or Cloud auto-join string. The port must be provided separately below. Note:client.join
must also be set to the hosts that should be used to join the cluster. In most cases, theclient.join
values should be the same, however, they may be different if you wish to use separate hosts for the HTTPS connections.httpsPort (
integer: 8501
) - The HTTPS port of the Consul servers.tlsServerName (
string: null
) - The server name to use as the SNI host header when connecting with HTTPS.useSystemRoots (
boolean: false
) - If true, consul-k8s-control-plane components will ignore the CA set inglobal.tls.caCert
when making HTTPS calls to Consul servers and will instead use the consul-k8s-control-plane image’s system CAs for TLS verification. If false, consul-k8s-control-plane components will useglobal.tls.caCert
when making HTTPS calls to Consul servers. NOTE: This does not affect Consul’s internal RPC communication which will always useglobal.tls.caCert
.k8sAuthMethodHost (
string: null
) - If you are settingglobal.acls.manageSystemACLs
andconnectInject.enabled
to true, setk8sAuthMethodHost
to the address of the Kubernetes API server. This address must be reachable from the Consul servers. Please see the Kubernetes Auth Method documentation (https://consul.io/docs/acl/auth-methods/kubernetes).You could retrieve this value from your
kubeconfig
by running:$ kubectl config view \
-o jsonpath="{.clusters[?(@.name=='<your cluster name>')].cluster.server}"
$ kubectl config view \
-o jsonpath="{.clusters[?(@.name=='<your cluster name>')].cluster.server}"
client
client - Values that configure running a Consul client on Kubernetes nodes.
enabled (
boolean: global.enabled
) - If true, the chart will install all the resources necessary for a Consul client on every Kubernetes node. This does not requireserver.enabled
, since the agents can be configured to join an external cluster.image (
string: null
) - The name of the Docker image (including any tag) for the containers running Consul client agents.join (
array<string>: null
) - A list of valid-retry-join
values (https://www.consul.io/docs/agent/config/cli-flags#_retry_join). If this isnull
(default), then the clients will attempt to automatically join the server cluster running within Kubernetes. This means that withserver.enabled
set to true, clients will automatically join that cluster. Ifserver.enabled
is not true, then a value must be specified so the clients can join a valid cluster.dataDirectoryHostPath (
string: null
) - An absolute path to a directory on the host machine to use as the Consul client data directory. If set to the empty string or null, the Consul agent will store its data in the Pod’s local filesystem (which will be lost if the Pod is deleted). Security Warning: If setting this, Pod Security Policies must be enabled on your cluster and in this Helm chart (via theglobal.enablePodSecurityPolicies
setting) to prevent other pods from mounting the same host path and gaining access to all of Consul’s data. Consul’s data is not encrypted at rest.grpc (
boolean: true
) - If true, agents will enable their GRPC listener on port 8502 and expose it to the host. This will use slightly more resources, but is required for Connect.nodeMeta - nodeMeta specifies an arbitrary metadata key/value pair to associate with the node (see https://www.consul.io/docs/agent/config/cli-flags#_node_meta)
exposeGossipPorts (
boolean: false
) - If true, the Helm chart will expose the clients’ gossip ports as hostPorts. This is only necessary if pod IPs in the k8s cluster are not directly routable and the Consul servers are outside of the k8s cluster. This also changes the clients’ advertised IP to thehostIP
rather thanpodIP
.-
annotations (
string: null
) - This value defines additional annotations for the client service account. This should be formatted as a multi-line string.annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
resources (
map
) - The resource settings for Client agents. NOTE: The use of a YAML string is deprecated. Instead, set directly as a YAML map.securityContext (
map
) - The security context for the client pods. This should be a YAML map corresponding to a Kubernetes SecurityContext object. By default, servers will run as non-root, with user ID100
and group ID1000
, which correspond to the consul user and group created by the Consul docker image. Note: if running on OpenShift, this setting is ignored because the user and group are set automatically by the OpenShift platform.containerSecurityContext (
map
) - The container securityContext for each container in the client pods. In addition to the Pod’s SecurityContext this can set the capabilities of processes running in the container and ensure the root file systems in the container is read-only.extraConfig (
string: {}
) - A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul clients. This will be saved as-is into a ConfigMap that is read by the Consul client agents. This can be used to add additional configuration that isn’t directly exposed by the chart.Example:
extraConfig: |
{
"log_level": "DEBUG"
}
extraConfig: |
{
"log_level": "DEBUG"
}
This can also be set using Helm’s
--set
flag using the following syntax:--set 'client.extraConfig="{"log_level": "DEBUG"}"'
--set 'client.extraConfig="{"log_level": "DEBUG"}"'
extraVolumes (
array<map>
) - A list of extra volumes to mount for client agents. This is useful for bringing in extra data that can be referenced by other configurations at a well known path, such as TLS certificates or Gossip encryption keys. The value of this should be a list of objects.Example:
extraVolumes:
- type: secret
name: consul-certs
load: false
extraVolumes:
- type: secret
name: consul-certs
load: false
Each object supports the following keys:
type - Type of the volume, must be one of “configMap” or “secret”. Case sensitive.
name - Name of the configMap or secret to be mounted. This also controls the path that it is mounted to. The volume will be mounted to
/consul/userconfig/<name>
.load - If true, then the agent will be configured to automatically load HCL/JSON configuration files from this volume with
-config-dir
. This defaults to false.
extraContainers (
array<map>
) - A list of sidecar containers. Example:extraContainers:
- name: extra-container
image: example-image:latest
command:
- ...
extraContainers:
- name: extra-container
image: example-image:latest
command:
- ...
tolerations (
string: ""
) - Toleration Settings for Client pods This should be a multi-line string matching the Toleration array in a PodSpec. The example below will allow Client pods to run on every node regardless of taintstolerations: |
- operator: Exists
tolerations: |
- operator: Exists
nodeSelector (
string: null
) - nodeSelector labels for client pod assignment, formatted as a multi-line string. ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselectorExample:
nodeSelector: |
beta.kubernetes.io/arch: amd64
nodeSelector: |
beta.kubernetes.io/arch: amd64
affinity (
string: null
) - Affinity Settings for Client pods, formatted as a multi-line YAML string. ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinityExample:
affinity: |
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/master
operator: DoesNotExist
affinity: |
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/master
operator: DoesNotExist
priorityClassName (
string: ""
) - This value references an existing KubernetespriorityClassName
(https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) that can be assigned to client pods.annotations (
string: null
) - This value defines additional annotations for client pods. This should be formatted as a multi-line string.annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
extraLabels (
map
) - Extra labels to attach to the client pods. This should be a regular YAML map.Example:
extraLabels:
labelKey: label-value
anotherLabelKey: another-label-value
extraLabels:
labelKey: label-value
anotherLabelKey: another-label-value
extraEnvironmentVars (
map
) - A list of extra environment variables to set within the stateful set. These could be used to include proxy settings required for cloud auto-join feature, in case kubernetes cluster is behind egress http proxies. Additionally, it could be used to configure custom consul parameters.dnsPolicy (
string: null
) - This value defines the Pod DNS policy (https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) for client pods to use.hostNetwork (
boolean: false
) - hostNetwork defines whether or not we use host networking instead of hostPort in the event that a CNI plugin doesn’t supporthostPort
. This has security implications and is not recommended as doing so gives the consul client unnecessary access to all network traffic on the host. In most cases, pod network and host network are on different networks so this should be combined withdnsPolicy: ClusterFirstWithHostNet
updateStrategy (
string: null
) - updateStrategy for the DaemonSet. See https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy. This should be a multi-line string mapping directly to the updateStrategyExample:
updateStrategy: |
rollingUpdate:
maxUnavailable: 5
type: RollingUpdate
updateStrategy: |
rollingUpdate:
maxUnavailable: 5
type: RollingUpdate
-
Enterprise
Values for setting up and running snapshot agents (https://consul.io/commands/snapshot/agent) within the Consul clusters. They are required to be co-located with Consul clients, so will inherit the clients’ nodeSelector, tolerations and affinity.
enabled (
boolean: false
) - If true, the chart will install resources necessary to run the snapshot agent.replicas (
integer: 2
) - The number of snapshot agents to run.interval (
string: 1h
) - Interval at which to perform snapshots. See https://www.consul.io/commands/snapshot/agent#intervalconfigSecret - A Kubernetes or Vault secret that should be manually created to contain the entire config to be used on the snapshot agent. This is the preferred method of configuration since there are usually storage credentials present. Please see Snapshot agent config (https://consul.io/commands/snapshot/agent#config-file-options) for details.
secretName (
string: null
) - The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config.secretKey (
string: null
) - The key within the Kubernetes secret or Vault secret key that holds the snapshot agent config.
-
annotations (
string: null
) - This value defines additional annotations for the snapshot agent service account. This should be formatted as a multi-line string.annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
resources (
map
) - The resource settings for snapshot agent pods.caCert (
string: null
) - Optional PEM-encoded CA certificate that will be added to the trusted system CAs. Useful if using an S3-compatible storage exposing a self-signed certificate.Example:
caCert: |
-----BEGIN CERTIFICATE-----
MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx
...
caCert: |
-----BEGIN CERTIFICATE-----
MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx
...
dns
dns - Configuration for DNS configuration within the Kubernetes cluster. This creates a service that routes to all agents (client or server) for serving DNS requests. This DOES NOT automatically configure kube-dns today, so you must still manually configure a
stubDomain
with kube-dns for this to have any effect: https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-serversenabled (
boolean: -
)enableRedirection (
boolean: false
) - If true, services using Consul Connect will use Consul DNS for default DNS resolution. The DNS lookups fall back to the nameserver IPs listed in /etc/resolv.conf if not found in Consul.type (
string: ClusterIP
) - Used to control the type of service created. For example, setting this to “LoadBalancer” will create an external load balancer (for supported K8S installations)clusterIP (
string: null
) - Set a predefined cluster IP for the DNS service. Useful if you need to reference the DNS service’s IP address in CoreDNS config.annotations (
string: null
) - Extra annotations to attach to the dns service This should be a multi-line string of annotations to apply to the dns ServiceadditionalSpec (
string: null
) - Additional ServiceSpec values This should be a multi-line string mapping directly to a Kubernetes ServiceSpec object.
ui
ui - Values that configure the Consul UI.
enabled (
boolean: global.enabled
) - If true, the UI will be enabled. This will only enable the UI, it doesn’t automatically register any service for external access. The UI will only be enabled on server agents. Ifserver.enabled
is false, then this setting has no effect. To expose the UI in some way, you must configureui.service
.service - Configure the service for the Consul UI.
enabled (
boolean: true
) - This will enable/disable registering a Kubernetes Service for the Consul UI. This value only takes effect ifui.enabled
is true and taking effect.type (
string: null
) - The service type to register.port - Set the port value of the UI service.
nodePort - Optionally set the nodePort value of the ui service if using a NodePort service. If not set and using a NodePort service, Kubernetes will automatically assign a port.
annotations (
string: null
) - Annotations to apply to the UI service.Example:
annotations: |
'annotation-key': annotation-value
annotations: |
'annotation-key': annotation-value
additionalSpec (
string: null
) - Additional ServiceSpec values This should be a multi-line string mapping directly to a Kubernetes ServiceSpec object.
ingress - Configure Ingress for the Consul UI. If
global.tls.enabled
is set totrue
, the Ingress will expose the port 443 on the UI service. Please ensure the Ingress Controller supports SSL pass-through and it is enabled to ensure traffic forwarded to port 443 has not been TLS terminated.enabled (
boolean: false
) - This will create an Ingress resource for the Consul UI.ingressClassName (
string: ""
) - Optionally set the ingressClassName.pathType (
string: Prefix
) - pathType override - see: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-typeshosts (
array<map>
) - hosts is a list of host name to create Ingress rules.hosts:
- host: foo.bar
paths:
- /example
- /test
hosts:
- host: foo.bar
paths:
- /example
- /test
tls (
array<map>
) - tls is a list of hosts and secret name in an Ingress which tells the Ingress controller to secure the channel.tls:
- hosts:
- chart-example.local
secretName: testsecret-tls
tls:
- hosts:
- chart-example.local
secretName: testsecret-tls
annotations (
string: null
) - Annotations to apply to the UI ingress.Example:
annotations: |
'annotation-key': annotation-value
annotations: |
'annotation-key': annotation-value
metrics - Configurations for displaying metrics in the UI.
enabled (
boolean: global.metrics.enabled
) - Enable displaying metrics in the UI. The default value of “-“ will inherit fromglobal.metrics.enabled
value.provider (
string: prometheus
) - Provider for metrics. See https://www.consul.io/docs/agent/options#ui_config_metrics_provider This value is only used ifui.enabled
is set to true.baseURL (
string: http://prometheus-server
) - baseURL is the URL of the prometheus server, usually the service URL. This value is only used ifui.enabled
is set to true.
dashboardURLTemplates - Corresponds to https://www.consul.io/docs/agent/options#ui_config_dashboard_url_templates configuration.
syncCatalog
syncCatalog - Configure the catalog sync process to sync K8S with Consul services. This can run bidirectional (default) or unidirectionally (Consul to K8S or K8S to Consul only).
This process assumes that a Consul agent is available on the host IP. This is done automatically if clients are enabled. If clients are not enabled then set the node selection so that it chooses a node with a Consul agent.
enabled (
boolean: false
) - True if you want to enable the catalog sync. Set to “-“ to inherit from global.enabled.image (
string: null
) - The name of the Docker image (including any tag) for consul-k8s-control-plane to run the sync program.default (
boolean: true
) - If true, all valid services in K8S are synced by default. If false, the service must be annotated (https://consul.io/docs/k8s/service-sync#sync-enable-disable) properly to sync. In either case an annotation can override the default.priorityClassName (
string: ""
) - Optional priorityClassName.toConsul (
boolean: true
) - If true, will sync Kubernetes services to Consul. This can be disabled to have a one-way sync.toK8S (
boolean: true
) - If true, will sync Consul services to Kubernetes. This can be disabled to have a one-way sync.k8sPrefix (
string: null
) - Service prefix to prepend to services before registering with Kubernetes. For example “consul-“ will register all services prepended with “consul-“. (Consul -> Kubernetes sync)k8sAllowNamespaces (
array<string>: ["*"]
) - List of k8s namespaces to sync the k8s services from. If a k8s namespace is not included in this list or is listed ink8sDenyNamespaces
, services in that k8s namespace will not be synced even if they are explicitly annotated. Use["*"]
to automatically allow all k8s namespaces.For example,
["namespace1", "namespace2"]
will only allow services in the k8s namespacesnamespace1
andnamespace2
to be synced and registered with Consul. All other k8s namespaces will be ignored.To deny all namespaces, set this to
[]
.Note:
k8sDenyNamespaces
takes precedence over values defined here.k8sDenyNamespaces (
array<string>: ["kube-system", "kube-public"]
) - List of k8s namespaces that should not have their services synced. This list takes precedence overk8sAllowNamespaces
.*
is not supported because then nothing would be allowed to sync.For example, if
k8sAllowNamespaces
is["*"]
andk8sDenyNamespaces
is["namespace1", "namespace2"]
, then all k8s namespaces besidesnamespace1
andnamespace2
will be synced.k8sSourceNamespace (
string: null
) - [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For backwards compatibility, if both this and the allow/deny lists are set, the allow/deny lists will be ignored. k8sSourceNamespace is the Kubernetes namespace to watch for service changes and sync to Consul. If this is not set then it will default to all namespaces.-
Enterprise
These settings manage the catalog sync’s interaction with Consul namespaces (requires consul-ent v1.7+). Also,
global.enableConsulNamespaces
must be true.consulDestinationNamespace (
string: default
) - Name of the Consul namespace to register all k8s services into. If the Consul namespace does not already exist, it will be created. This will be ignored ifmirroringK8S
is true.mirroringK8S (
boolean: false
) - If true, k8s services will be registered into a Consul namespace of the same name as their k8s namespace, optionally prefixed ifmirroringK8SPrefix
is set below. If the Consul namespace does not already exist, it will be created. Turning this on overrides theconsulDestinationNamespace
setting.addK8SNamespaceSuffix
may no longer be needed if enabling this option. If mirroring is enabled, avoid creating any Consul resources in the following Kubernetes namespaces, as Consul currently reserves these namespaces for system use: “system”, “universal”, “operator”, “root”.mirroringK8SPrefix (
string: ""
) - IfmirroringK8S
is set to true,mirroringK8SPrefix
allows each Consul namespace to be given a prefix. For example, ifmirroringK8SPrefix
is set to “k8s-“, a service in the k8sstaging
namespace will be registered into thek8s-staging
Consul namespace.
addK8SNamespaceSuffix (
boolean: true
) - Appends Kubernetes namespace suffix to each service name synced to Consul, separated by a dash. For example, for a service ‘foo’ in the default namespace, the sync process will create a Consul service named ‘foo-default’. Set this flag to true to avoid registering services with the same name but in different namespaces as instances for the same Consul service. Namespace suffix is not added if ‘annotationServiceName’ is provided.consulPrefix (
string: null
) - Service prefix which prepends itself to Kubernetes services registered within Consul For example, “k8s-“ will register all services prepended with “k8s-“. (Kubernetes -> Consul sync) consulPrefix is ignored when ‘annotationServiceName’ is provided. NOTE: Updating this property to a non-null value for an existing installation will result in deregistering of existing services in Consul and registering them with a new name.k8sTag (
string: null
) - Optional tag that is applied to all of the Kubernetes services that are synced into Consul. If nothing is set, defaults to “k8s”. (Kubernetes -> Consul sync)consulNodeName (
string: k8s-sync
) - Defines the Consul synthetic node that all services will be registered to. NOTE: Changing the node name and upgrading the Helm chart will leave all of the previously sync’d services registered with Consul and register them again under the new Consul node name. The out-of-date registrations will need to be explicitly removed.syncClusterIPServices (
boolean: true
) - Syncs services of the ClusterIP type, which may or may not be broadly accessible depending on your Kubernetes cluster. Set this to false to skip syncing ClusterIP services.nodePortSyncType (
string: ExternalFirst
) - Configures the type of syncing that happens for NodePort services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst.- ExternalOnly will only use a node’s ExternalIP address for the sync
- InternalOnly use’s the node’s InternalIP address
- ExternalFirst will preferentially use the node’s ExternalIP address, but if it doesn’t exist, it will use the node’s InternalIP address instead.
aclSyncToken - Refers to a Kubernetes secret that you have created that contains an ACL token for your Consul cluster which allows the sync process the correct permissions. This is only needed if ACLs are enabled on the Consul cluster.
secretName (
string: null
) - The name of the Vault secret that holds the acl sync token.secretKey (
string: null
) - The key within the Vault secret that holds the acl sync.
nodeSelector (
string: null
) - This value definesnodeSelector
(https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) labels for catalog sync pod assignment, formatted as a multi-line string.Example:
nodeSelector: |
beta.kubernetes.io/arch: amd64
nodeSelector: |
beta.kubernetes.io/arch: amd64
affinity (
string: null
) - Affinity Settings This should be a multi-line string matching the affinity objecttolerations (
string: null
) - Toleration Settings This should be a multi-line string matching the Toleration array in a PodSpec.-
annotations (
string: null
) - This value defines additional annotations for the mesh gateways’ service account. This should be formatted as a multi-line string.annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
resources (
map
) - The resource settings for sync catalog pods.logLevel (
string: ""
) - Override global log verbosity level. One of “debug”, “info”, “warn”, or “error”.consulWriteInterval (
string: null
) - Override the default interval to perform syncing operations creating Consul services.extraLabels (
map
) - Extra labels to attach to the sync catalog pods. This should be a YAML map.Example:
extraLabels:
labelKey: label-value
anotherLabelKey: another-label-value
extraLabels:
labelKey: label-value
anotherLabelKey: another-label-value
connectInject
connectInject - Configures the automatic Connect sidecar injector.
enabled (
boolean: false
) - True if you want to enable connect injection. Set to “-“ to inherit from global.enabled.replicas (
integer: 2
) - The number of deployment replicas.image (
string: null
) - Image for consul-k8s-control-plane that contains the injector.default (
boolean: false
) - If true, the injector will inject the Connect sidecar into all pods by default. Otherwise, pods must specify the injection annotation (https://consul.io/docs/k8s/connect#consul-hashicorp-com-connect-inject) to opt-in to Connect injection. If this is true, pods can use the same annotation to explicitly opt-out of injection.transparentProxy - Configures Transparent Proxy for Consul Service mesh services. Using this feature requires Consul 1.10.0-beta1+.
defaultEnabled (
boolean: true
) - If true, then all Consul Service mesh will run with transparent proxy enabled by default, i.e. we enforce that all traffic within the pod will go through the proxy. This value is overridable via the “consul.hashicorp.com/transparent-proxy” pod annotation.defaultOverwriteProbes (
boolean: true
) - If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead. This setting is recommended because with traffic being enforced to go through the Envoy proxy, the probes on the pod will fail because kube-proxy doesn’t have the right certificates to talk to Envoy. This value is also overridable via the “consul.hashicorp.com/transparent-proxy-overwrite-probes” annotation. Note: This value has no effect if transparent proxy is disabled on the pod.
metrics - Configures metrics for Consul Connect services. All values are overridable via annotations on a per-pod basis.
defaultEnabled (
string: -
) - If true, the connect-injector will automatically add prometheus annotations to connect-injected pods. It will also add a listener on the Envoy sidecar to expose metrics. The exposed metrics will depend on whether metrics merging is enabled:- If metrics merging is enabled: the Consul sidecar will run a merged metrics server combining Envoy sidecar and Connect service metrics, i.e. if your service exposes its own Prometheus metrics.
- If metrics merging is disabled: the listener will just expose Envoy sidecar metrics. This will inherit from
global.metrics.enabled
.
defaultEnableMerging (
boolean: false
) - Configures the Consul sidecar to run a merged metrics server to combine and serve both Envoy and Connect service metrics. This feature is available only in Consul v1.10.0 or greater.defaultMergedMetricsPort (
integer: 20100
) - Configures the port at which the Consul sidecar will listen on to return combined metrics. This port only needs to be changed if it conflicts with the application’s ports.defaultPrometheusScrapePort (
integer: 20200
) - Configures the port Prometheus will scrape metrics from, by configuring the Pod annotationprometheus.io/port
and the corresponding listener in the Envoy sidecar. NOTE: This is not the port that your application exposes metrics on. That can be configured with theconsul.hashicorp.com/service-metrics-port
annotation.defaultPrometheusScrapePath (
string: /metrics
) - Configures the path Prometheus will scrape metrics from, by configuring the pod annotationprometheus.io/path
and the corresponding handler in the Envoy sidecar. NOTE: This is not the path that your application exposes metrics on. That can be configured with theconsul.hashicorp.com/service-metrics-path
annotation.
envoyExtraArgs (
string: null
) - Used to pass arguments to the injected envoy sidecar. Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli e.g “—log-level debug —disable-hot-restart”priorityClassName (
string: ""
) - Optional priorityClassName.imageConsul (
string: null
) - The Docker image for Consul to use when performing Connect injection. Defaults to global.image.logLevel (
string: ""
) - Override global log verbosity level. One of “debug”, “info”, “warn”, or “error”.-
annotations (
string: null
) - This value defines additional annotations for the injector service account. This should be formatted as a multi-line string.annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
resources (
map
) - The resource settings for connect inject pods.failurePolicy (
string: Fail
) - Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline. Once the webhook is back online the pod will be scheduled. In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running which can lead to hangs. In these environments it is recommend to use “Ignore” instead. This setting can be safely disabled by setting to “Ignore”.namespaceSelector (
string
) - Selector for restricting the webhook to only specific namespaces. Use withconnectInject.default: true
to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string. See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector for more details.By default, we exclude the kube-system namespace since usually users won’t want those pods injected and also the local-path-storage namespace so that Kind (Kubernetes In Docker) can provision Pods used to create PVCs. Note that this exclusion is only supported in Kubernetes v1.21.1+.
Example:
namespaceSelector: |
matchLabels:
namespace-label: label-value
namespaceSelector: |
matchLabels:
namespace-label: label-value
k8sAllowNamespaces (
array<string>: ["*"]
) - List of k8s namespaces to allow Connect sidecar injection in. If a k8s namespace is not included or is listed ink8sDenyNamespaces
, pods in that k8s namespace will not be injected even if they are explicitly annotated. Use["*"]
to automatically allow all k8s namespaces.For example,
["namespace1", "namespace2"]
will only allow pods in the k8s namespacesnamespace1
andnamespace2
to have Connect sidecars injected and registered with Consul. All other k8s namespaces will be ignored.To deny all namespaces, set this to
[]
.Note:
k8sDenyNamespaces
takes precedence over values defined here andnamespaceSelector
takes precedence over both since it is applied first.kube-system
andkube-public
are never injected, even if included here.k8sDenyNamespaces (
array<string>: []
) - List of k8s namespaces that should not allow Connect sidecar injection. This list takes precedence overk8sAllowNamespaces
.*
is not supported because then nothing would be allowed to be injected.For example, if
k8sAllowNamespaces
is["*"]
and k8sDenyNamespaces is["namespace1", "namespace2"]
, then all k8s namespaces besides “namespace1” and “namespace2” will be available for injection.Note:
namespaceSelector
takes precedence over this since it is applied first.kube-system
andkube-public
are never injected.-
Enterprise
These settings manage the connect injector’s interaction with Consul namespaces (requires consul-ent v1.7+). Also,
global.enableConsulNamespaces
must be true.consulDestinationNamespace (
string: default
) - Name of the Consul namespace to register all k8s pods into. If the Consul namespace does not already exist, it will be created. This will be ignored ifmirroringK8S
is true.mirroringK8S (
boolean: false
) - Causes k8s pods to be registered into a Consul namespace of the same name as their k8s namespace, optionally prefixed ifmirroringK8SPrefix
is set below. If the Consul namespace does not already exist, it will be created. Turning this on overrides theconsulDestinationNamespace
setting. If mirroring is enabled, avoid creating any Consul resources in the following Kubernetes namespaces, as Consul currently reserves these namespaces for system use: “system”, “universal”, “operator”, “root”.mirroringK8SPrefix (
string: ""
) - IfmirroringK8S
is set to true,mirroringK8SPrefix
allows each Consul namespace to be given a prefix. For example, ifmirroringK8SPrefix
is set to “k8s-“, a pod in the k8sstaging
namespace will be registered into thek8s-staging
Consul namespace.
nodeSelector (
string: null
) - Selector labels for connectInject pod assignment, formatted as a multi-line string. ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselectorExample:
nodeSelector: |
beta.kubernetes.io/arch: amd64
nodeSelector: |
beta.kubernetes.io/arch: amd64
affinity (
string: null
) - Affinity Settings This should be a multi-line string matching the affinity objecttolerations (
string: null
) - Toleration Settings This should be a multi-line string matching the Toleration array in a PodSpec.aclBindingRuleSelector (
string: serviceaccount.name!=default
) - Query that defines which Service Accounts can authenticate to Consul and receive an ACL token during Connect injection. The default setting, i.e. serviceaccount.name!=default, prevents the ‘default’ Service Account from logging in. If set to an empty string all service accounts can log in. This only has effect if ACLs are enabled.See https://www.consul.io/docs/acl/acl-auth-methods.html#binding-rules and https://www.consul.io/docs/acl/auth-methods/kubernetes.html#trusted-identity-attributes for more details. Requires Consul >= v1.5.
overrideAuthMethodName (
string: ""
) - If you are not using global.acls.manageSystemACLs and instead manually setting up an auth method for Connect inject, set this to the name of your auth method.aclInjectToken - Refers to a Kubernetes secret that you have created that contains an ACL token for your Consul cluster which allows the Connect injector the correct permissions. This is only needed if Consul namespaces
Enterprise
and ACLs are enabled on the Consul cluster and you are not setting
global.acls.manageSystemACLs
totrue
. This token needs to haveoperator = "write"
privileges to be able to create Consul namespaces.secretName (
string: null
) - The name of the Vault secret that holds the ACL inject token.secretKey (
string: null
) - The key within the Vault secret that holds the ACL inject token.
-
concurrency (
string: 2
) - The number of worker threads to be used by the Envoy proxy. By default the threading model of Envoy will use one thread per CPU core per envoy proxy. This leads to unnecessary thread and memory usage and leaves unnecessary idle connections open. It is advised to keep this number low for sidecars and high for edge proxies. This will control the--concurrency
flag to Envoy. For additional information see also: https://blog.envoyproxy.io/envoy-threading-model-a8d44b922310This setting can be overridden on a per-pod basis via this annotation:
resources (
map
) - Set default resources for sidecar proxy. If null, that resource won’t be set. These settings can be overridden on a per-pod basis via these annotations:
initContainer (
map
) - The resource settings for the Connect injected init container.
controller
controller - Controller handles config entry custom resources. Requires consul >= 1.8.4. ServiceIntentions require consul 1.9+.
enabled (
boolean: false
) - Enables the controller for managing custom resources.replicas (
integer: 1
) - The number of deployment replicas.logLevel (
string: ""
) - Log verbosity level. One of “debug”, “info”, “warn”, or “error”.-
annotations (
string: null
) - This value defines additional annotations for the controller service account. This should be formatted as a multi-line string.annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
resources (
map
) - The resource settings for controller pods.nodeSelector (
string: null
) - Optional YAML string to specify a nodeSelector config.tolerations (
string: null
) - Optional YAML string to specify tolerations.affinity (
string: null
) - Affinity Settings This should be a multi-line string matching the affinity objectpriorityClassName (
string: ""
) - Optional priorityClassName.aclToken - Refers to a Kubernetes secret that you have created that contains an ACL token for your Consul cluster which grants the controller process the correct permissions. This is only needed if you are managing ACLs yourself (i.e. not using
global.acls.manageSystemACLs
).If running Consul OSS, requires permissions:
operator = "write"
service_prefix "" {
policy = "write"
intentions = "write"
}
operator = "write"
service_prefix "" {
policy = "write"
intentions = "write"
}
If running Consul Enterprise, talk to your account manager for assistance.
secretName (
string: null
) - The name of the Vault secret that holds the ACL token.secretKey (
string: null
) - The key within the Vault secret that holds the ACL token.
meshGateway
meshGateway - Mesh Gateways enable Consul Connect to work across Consul datacenters.
enabled (
boolean: false
) - If mesh gateways are enabled, a Deployment will be created that runs gateways and Consul Connect will be configured to use gateways. See https://www.consul.io/docs/connect/mesh_gateway.html Requirements: consul 1.6.0+ if using global.acls.manageSystemACLs.replicas (
integer: 2
) - Number of replicas for the Deployment.wanAddress - What gets registered as WAN address for the gateway.
source (
string: Service
) - source configures where to retrieve the WAN address (and possibly port) for the mesh gateway from. Can be set to either:Service
,NodeIP
,NodeName
orStatic
.Service - Determine the address based on the service type.
If
service.type=LoadBalancer
use the external IP or hostname of the service. Use the port set byservice.port
.If
service.type=NodePort
use the Node IP. The port will be set toservice.nodePort
soservice.nodePort
cannot be null.If
service.type=ClusterIP
use theClusterIP
. The port will be set toservice.port
.service.type=ExternalName is not supported.
NodeIP - The node IP as provided by the Kubernetes downward API.
NodeName - The name of the node as provided by the Kubernetes downward API. This is useful if the node names are DNS entries that are routable from other datacenters.
Static - Use the address hardcoded in
meshGateway.wanAddress.static
.
port (
integer: 443
) - Port that gets registered for WAN traffic. If source is set to “Service” then this setting will have no effect. See the documentation for source as to which port will be used in that case.static (
string: ""
) - If source is set to “Static” then this value will be used as the WAN address of the mesh gateways. This is useful if you’ve configured a DNS entry to point to your mesh gateways.
service - The service option configures the Service that fronts the Gateway Deployment.
enabled (
boolean: true
) - Whether to create a Service or not.type (
string: LoadBalancer
) - Type of service, ex. LoadBalancer, ClusterIP.port (
integer: 443
) - Port that the service will be exposed on. The targetPort will be set to meshGateway.containerPort.nodePort (
integer: null
) - Optionally set the nodePort value of the service if using a NodePort service. If not set and using a NodePort service, Kubernetes will automatically assign a port.annotations (
string: null
) - Annotations to apply to the mesh gateway service.Example:
annotations: |
'annotation-key': annotation-value
annotations: |
'annotation-key': annotation-value
additionalSpec (
string: null
) - Optional YAML string that will be appended to the Service spec.
hostNetwork (
boolean: false
) - If set to true, gateway Pods will run on the host network.dnsPolicy (
string: null
) - dnsPolicy to use.consulServiceName (
string: mesh-gateway
) - Consul service name for the mesh gateways. Cannot be set to anything other than “mesh-gateway” if global.acls.manageSystemACLs is true since the ACL token generated is only for the name ‘mesh-gateway’.containerPort (
integer: 8443
) - Port that the gateway will run on inside the container.hostPort (
integer: null
) - Optional hostPort for the gateway to be exposed on. This can be used with wanAddress.port and wanAddress.useNodeIP to expose the gateways directly from the node. If hostNetwork is true, this must be null or set to the same port as containerPort. NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul agent.-
annotations (
string: null
) - This value defines additional annotations for the mesh gateways’ service account. This should be formatted as a multi-line string.annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
resources (
map
) - The resource settings for mesh gateway pods. NOTE: The use of a YAML string is deprecated. Instead, set directly as a YAML map.initCopyConsulContainer (
map
) - The resource settings for thecopy-consul-bin
init container.initServiceInitContainer (
map
) - The resource settings for theservice-init
init container.affinity (
string
) - By default, we set an anti-affinity so that two gateway pods won’t be on the same node. NOTE: Gateways require that Consul client agents are also running on the nodes alongside each gateway pod.tolerations (
string: null
) - Optional YAML string to specify tolerations.topologySpreadConstraints (
string: ""
) - Pod topology spread constraints for mesh gateway pods. This should be a multi-line YAML string matching thetopologySpreadConstraints
array (https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) in a Pod Spec.This requires K8S >= 1.18 (beta) or 1.19 (stable).
Example:
topologySpreadConstraints: |
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app: {{ template "consul.name" . }}
release: "{{ .Release.Name }}"
component: mesh-gateway
topologySpreadConstraints: |
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app: {{ template "consul.name" . }}
release: "{{ .Release.Name }}"
component: mesh-gateway
nodeSelector (
string: null
) - Optional YAML string to specify a nodeSelector config.priorityClassName (
string: ""
) - Optional priorityClassName.annotations (
string: null
) - Annotations to apply to the mesh gateway deployment.Example:
annotations: |
'annotation-key': annotation-value
annotations: |
'annotation-key': annotation-value
ingressGateways
ingressGateways - Configuration options for ingress gateways. Default values for all ingress gateways are defined in
ingressGateways.defaults
. Any of these values may be overridden iningressGateways.gateways
for a specific gateway with the exception of annotations. Annotations will include both the default annotations and any additional ones defined for a specific gateway. Requirements: consul >= 1.8.0enabled (
boolean: false
) - Enable ingress gateway deployment. RequiresconnectInject.enabled=true
andclient.enabled=true
.defaults - Defaults sets default values for all gateway fields. With the exception of annotations, defining any of these values in the
gateways
list will override the default values provided here. Annotations will include both the default annotations and any additional ones defined for a specific gateway.replicas (
integer: 2
) - Number of replicas for each ingress gateway defined.service - The service options configure the Service that fronts the gateway Deployment.
type (
string: ClusterIP
) - Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service type, you must set the desired nodePorts in theports
setting below.ports (
array<map>: [{port: 8080, port: 8443}]
) - Ports that will be exposed on the service and gateway container. Any ports defined as ingress listeners on the gateway’s Consul configuration entry should be included here. The first port will be used as part of the Consul service registration for the gateway and be listed in its SRV record. If using a NodePort service type, you must specify the desired nodePort for each exposed port.annotations (
string: null
) - Annotations to apply to the ingress gateway service. Annotations defined here will be applied to all ingress gateway services in addition to any service annotations defined for a specific gateway iningressGateways.gateways
.Example:
annotations: |
'annotation-key': annotation-value
annotations: |
'annotation-key': annotation-value
additionalSpec (
string: null
) - Optional YAML string that will be appended to the Service spec.
-
annotations (
string: null
) - This value defines additional annotations for the ingress gateways’ service account. This should be formatted as a multi-line string.annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
resources (
map
) - Resource limits for all ingress gateway podsinitCopyConsulContainer (
map
) - The resource settings for thecopy-consul-bin
init container.affinity (
string
) - By default, we set an anti-affinity so that two of the same gateway pods won’t be on the same node. NOTE: Gateways require that Consul client agents are also running on the nodes alongside each gateway pod.tolerations (
string: null
) - Optional YAML string to specify tolerations.topologySpreadConstraints (
string: ""
) - Pod topology spread constraints for ingress gateway pods. This should be a multi-line YAML string matching thetopologySpreadConstraints
array (https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) in a Pod Spec.This requires K8S >= 1.18 (beta) or 1.19 (stable).
Example:
topologySpreadConstraints: |
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app: {{ template "consul.name" . }}
release: "{{ .Release.Name }}"
component: ingress-gateway
topologySpreadConstraints: |
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app: {{ template "consul.name" . }}
release: "{{ .Release.Name }}"
component: ingress-gateway
nodeSelector (
string: null
) - Optional YAML string to specify a nodeSelector config.priorityClassName (
string: ""
) - Optional priorityClassName.terminationGracePeriodSeconds (
integer: 10
) - Amount of seconds to wait for graceful termination before killing the pod.annotations (
string: null
) - Annotations to apply to the ingress gateway deployment. Annotations defined here will be applied to all ingress gateway deployments in addition to any annotations defined for a specific gateway iningressGateways.gateways
.Example:
annotations: |
"annotation-key": 'annotation-value'
annotations: |
"annotation-key": 'annotation-value'
consulNamespace (
string: default
) -Enterprise
consulNamespace
defines the Consul namespace to register the gateway into. Requiresglobal.enableConsulNamespaces
to be true and Consul Enterprise v1.7+ with a valid Consul Enterprise license. Note: The Consul namespace MUST exist before the gateway is deployed.
gateways (
array<map>
) - Gateways is a list of gateway objects. The only required field for each isname
, though they can also contain any of the fields indefaults
. Values defined here override the defaults except in the case of annotations where both will be applied.- name (
string: ingress-gateway
)
- name (
terminatingGateways
terminatingGateways - Configuration options for terminating gateways. Default values for all terminating gateways are defined in
terminatingGateways.defaults
. Any of these values may be overridden interminatingGateways.gateways
for a specific gateway with the exception of annotations. Annotations will include both the default annotations and any additional ones defined for a specific gateway. Requirements: consul >= 1.8.0enabled (
boolean: false
) - Enable terminating gateway deployment. RequiresconnectInject.enabled=true
andclient.enabled=true
.defaults - Defaults sets default values for all gateway fields. With the exception of annotations, defining any of these values in the
gateways
list will override the default values provided here. Annotations will include both the default annotations and any additional ones defined for a specific gateway.replicas (
integer: 2
) - Number of replicas for each terminating gateway defined.extraVolumes (
array<map>
) - A list of extra volumes to mount. These will be exposed to Consul in the path/consul/userconfig/<name>/
.Example:
extraVolumes:
- type: secret
name: my-secret
items: # optional items array
- key: key
path: path # secret will now mount to /consul/userconfig/my-secret/path
extraVolumes:
- type: secret
name: my-secret
items: # optional items array
- key: key
path: path # secret will now mount to /consul/userconfig/my-secret/path
resources (
map
) - Resource limits for all terminating gateway podsinitCopyConsulContainer (
map
) - The resource settings for thecopy-consul-bin
init container.affinity (
string
) - By default, we set an anti-affinity so that two of the same gateway pods won’t be on the same node. NOTE: Gateways require that Consul client agents are also running on the nodes alongside each gateway pod.tolerations (
string: null
) - Optional YAML string to specify tolerations.topologySpreadConstraints (
string: ""
) - Pod topology spread constraints for terminating gateway pods. This should be a multi-line YAML string matching thetopologySpreadConstraints
array (https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) in a Pod Spec.This requires K8S >= 1.18 (beta) or 1.19 (stable).
Example:
topologySpreadConstraints: |
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app: {{ template "consul.name" . }}
release: "{{ .Release.Name }}"
component: terminating-gateway
topologySpreadConstraints: |
- maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app: {{ template "consul.name" . }}
release: "{{ .Release.Name }}"
component: terminating-gateway
nodeSelector (
string: null
) - Optional YAML string to specify a nodeSelector config.priorityClassName (
string: ""
) - Optional priorityClassName.annotations (
string: null
) - Annotations to apply to the terminating gateway deployment. Annotations defined here will be applied to all terminating gateway deployments in addition to any annotations defined for a specific gateway interminatingGateways.gateways
.Example:
annotations: |
'annotation-key': annotation-value
annotations: |
'annotation-key': annotation-value
-
annotations (
string: null
) - This value defines additional annotations for the terminating gateways’ service account. This should be formatted as a multi-line string.annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
consulNamespace (
string: default
) -Enterprise
consulNamespace
defines the Consul namespace to register the gateway into. Requiresglobal.enableConsulNamespaces
to be true and Consul Enterprise v1.7+ with a valid Consul Enterprise license. Note: The Consul namespace MUST exist before the gateway is deployed.
gateways (
array<map>
) - Gateways is a list of gateway objects. The only required field for each isname
, though they can also contain any of the fields indefaults
. Values defined here override the defaults except in the case of annotations where both will be applied.- name (
string: terminating-gateway
)
- name (
apiGateway
apiGateway - Configuration settings for the Consul API Gateway integration
enabled (
boolean: false
) - When true the helm chart will install the Consul API Gateway controllerimage (
string: null
) - Image to use for the api-gateway-controller pods and gateway instanceslogLevel (
string: info
) - Override global log verbosity level for api-gateway-controller pods. One of “debug”, “info”, “warn”, or “error”.managedGatewayClass - Configuration settings for the optional GatewayClass installed by consul-k8s (enabled by default)
enabled (
boolean: true
) - When true a GatewayClass is configured to automatically work with Consul as installed by helm.nodeSelector (
string: null
) - This value definesnodeSelector
(https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) labels for gateway pod assignment, formatted as a multi-line string.Example:
nodeSelector: |
beta.kubernetes.io/arch: amd64
nodeSelector: |
beta.kubernetes.io/arch: amd64
serviceType (
string: LoadBalancer
) - This value defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP)useHostPorts (
boolean: false
) - This value toggles if the gateway ports should be mapped to host portscopyAnnotations - Configuration settings for annotations to be copied from the Gateway to other child resources.
service (
string: null
) - This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string.Example:
service: |
- external-dns.alpha.kubernetes.io/hostname
service: |
- external-dns.alpha.kubernetes.io/hostname
deployment (
map
) - This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all GatewaysExample:
deployment:
defaultInstances: 3
maxInstances: 8
minInstances: 1
deployment:
defaultInstances: 3
maxInstances: 8
minInstances: 1
serviceAccount - Configuration for the ServiceAccount created for the api-gateway component
annotations (
string: null
) - This value defines additional annotations for the client service account. This should be formatted as a multi-line string.annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
annotations: |
"sample/annotation1": "foo"
"sample/annotation2": "bar"
controller - Configuration for the api-gateway controller component
replicas (
integer: 1
) - This value sets the number of controller replicas to deploy.annotations (
string: null
) - Annotations to apply to the api-gateway-controller pods.annotations: |
"annotation-key": "annotation-value"
annotations: |
"annotation-key": "annotation-value"
priorityClassName (
string: ""
) - This value references an existing KubernetespriorityClassName
(https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) that can be assigned to api-gateway-controller pods.nodeSelector (
string: null
) - This value definesnodeSelector
(https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) labels for api-gateway-controller pod assignment, formatted as a multi-line string.Example:
nodeSelector: |
beta.kubernetes.io/arch: amd64
nodeSelector: |
beta.kubernetes.io/arch: amd64
service - Configuration for the Service created for the api-gateway-controller
annotations (
string: null
) - Annotations to apply to the api-gateway-controller service.annotations: |
"annotation-key": "annotation-value"
annotations: |
"annotation-key": "annotation-value"
resources (
map
) - The resource settings for api gateway pods.initCopyConsulContainer (
map
) - The resource settings for thecopy-consul-bin
init container.
webhookCertManager
webhookCertManager - Configuration settings for the webhook-cert-manager
webhook-cert-manager
ensures that cert bundles are up to date for the mutating webhook.- tolerations (
string: null
) - Toleration Settings This should be a multi-line string matching the Toleration array in a PodSpec.
- tolerations (
prometheus
prometheus - Configures a demo Prometheus installation.
- enabled (
boolean: false
) - When true, the Helm chart will install a demo Prometheus server instance alongside Consul.
- enabled (
tests
tests - Control whether a test Pod manifest is generated when running helm template. When using helm install, the test Pod is not submitted to the cluster so this is only useful when running helm template.
- enabled (
boolean: true
)
- enabled (
Helm Chart Examples
The below config.yaml
results in a single server Consul cluster with a LoadBalancer
to allow external access to the UI and API.
# config.yaml
server:
replicas: 1
bootstrapExpect: 1
ui:
service:
type: LoadBalancer
# config.yaml
server:
replicas: 1
bootstrapExpect: 1
ui:
service:
type: LoadBalancer
The below config.yaml
results in a three server Consul Enterprise cluster with 100GB of storage and automatic Connect injection.
Note, this would require a secret that contains the enterprise license key.
# config.yaml
global:
image: 'hashicorp/consul-enterprise:1.4.2-ent'
server:
replicas: 3
bootstrapExpect: 3
enterpriseLicense:
secretName: 'consul-license'
secretKey: 'key'
storage: 100Gi
connect: true
client:
grpc: true
connectInject:
enabled: true
default: false
# config.yaml
global:
image: 'hashicorp/consul-enterprise:1.4.2-ent'
server:
replicas: 3
bootstrapExpect: 3
enterpriseLicense:
secretName: 'consul-license'
secretKey: 'key'
storage: 100Gi
connect: true
client:
grpc: true
connectInject:
enabled: true
default: false
Customizing the Helm Chart
Consul within Kubernetes is highly configurable and the Helm chart contains dozens of the most commonly used configuration options. If you need to extend the Helm chart with additional options, we recommend using a third-party tool, such as kustomize or ship. Note that the Helm chart heavily relies on Helm lifecycle hooks, and so features like bootstrapping ACLs or TLS will not work as expected. Additionally, we can make changes to the internal implementation (e.g., renaming template files) that may be backward incompatible with such customizations.