1--- 2layout: docs 3page_title: Helm Chart Configuration 4description: Configuration for the Consul Helm chart. 5--- 6 7# Helm Chart Configuration 8 9## Configuration (Values) 10 11The chart is highly customizable using 12[Helm configuration values](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). 13Each value has a sane default tuned for an optimal getting started experience 14with Consul. Before going into production, please review the parameters below 15and consider if they're appropriate for your deployment. 16 17<!-- DO NOT EDIT. The docs below are generated automatically. To change, edit 18 the consul-helm repo's values.yaml file --> 19<!-- codegen: start --> 20 21### global 22 23- `global` ((#v-global)) - Holds values that affect multiple components of the chart. 24 25 - `enabled` ((#v-global-enabled)) (`boolean: true`) - The main enabled/disabled setting. If true, servers, 26 clients, Consul DNS and the Consul UI will be enabled. Each component can override 27 this default via its component-specific "enabled" config. If false, no components 28 will be installed by default and per-component opt-in is required, such as by 29 setting `server.enabled` to true. 30 31 - `name` ((#v-global-name)) (`string: null`) - Set the prefix used for all resources in the Helm chart. If not set, 32 the prefix will be `<helm release name>-consul`. 33 34 - `domain` ((#v-global-domain)) (`string: consul`) - The domain Consul will answer DNS queries for 35 (see `-domain` (https://consul.io/docs/agent/options#_domain)) and the domain services synced from 36 Consul into Kubernetes will have, e.g. `service-name.service.consul`. 37 38 - `image` ((#v-global-image)) (`string: hashicorp/consul:<latest version>`) - The name (and tag) of the Consul Docker image for clients and servers. 39 This can be overridden per component. This should be pinned to a specific 40 version tag, otherwise you may inadvertently upgrade your Consul version. 
41 42 Examples: 43 44 ```yaml 45 # Consul 1.10.0 46 image: "consul:1.10.0" 47 # Consul Enterprise 1.10.0 48 image: "hashicorp/consul-enterprise:1.10.0-ent" 49 ``` 50 51 - `imagePullSecrets` ((#v-global-imagepullsecrets)) (`array<map>`) - Array of objects containing image pull secret names that will be applied to each service account. 52 This can be used to reference image pull secrets if using a custom consul or consul-k8s Docker image. 53 See https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry for reference. 54 55 Example: 56 57 ```yaml 58 imagePullSecrets: 59 - name: pull-secret-name 60 - name: pull-secret-name-2 61 ``` 62 63 - `imageK8S` ((#v-global-imagek8s)) (`string: hashicorp/consul-k8s:<latest version>`) - The name (and tag) of the consul-k8s (https://github.com/hashicorp/consul-k8s) 64 Docker image that is used for functionality such the catalog sync. 65 This can be overridden per component. 66 67 - `datacenter` ((#v-global-datacenter)) (`string: dc1`) - The name of the datacenter that the agents should 68 register as. This can't be changed once the Consul cluster is up and running 69 since Consul doesn't support an automatic way to change this value currently: 70 https://github.com/hashicorp/consul/issues/1858. 71 72 - `enablePodSecurityPolicies` ((#v-global-enablepodsecuritypolicies)) (`boolean: false`) - Controls whether pod security policies are created for the Consul components 73 created by this chart. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/. 74 75 - `gossipEncryption` ((#v-global-gossipencryption)) - Configures which Kubernetes secret to retrieve Consul's 76 gossip encryption key from (see `-encrypt` (https://consul.io/docs/agent/options#_encrypt)). If secretName or 77 secretKey are not set, gossip encryption will not be enabled. The secret must 78 be in the same namespace that Consul is installed into. 
79 80 The secret can be created by running: 81 82 ```shell 83 $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) 84 ``` 85 86 To reference, use: 87 88 ```yaml 89 global: 90 gossipEncryption: 91 secretName: consul-gossip-encryption-key 92 secretKey: key 93 ``` 94 95 - `secretName` ((#v-global-gossipencryption-secretname)) (`string: ""`) - secretName is the name of the Kubernetes secret that holds the gossip 96 encryption key. The secret must be in the same namespace that Consul is installed into. 97 98 - `secretKey` ((#v-global-gossipencryption-secretkey)) (`string: ""`) - secretKey is the key within the Kubernetes secret that holds the gossip 99 encryption key. 100 101 - `recursors` ((#v-global-recursors)) (`array<string>: []`) - A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. 102 These values are given as `-recursor` flags to Consul servers and clients. 103 See https://www.consul.io/docs/agent/options#_recursor for more details. 104 If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). 105 106 - `tls` ((#v-global-tls)) - Enables TLS (https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure) 107 across the cluster to verify authenticity of the Consul servers and clients. 108 Requires Consul v1.4.1+ and consul-k8s v0.16.2+ 109 110 - `enabled` ((#v-global-tls-enabled)) (`boolean: false`) - If true, the Helm chart will enable TLS for Consul 111 servers and clients and all consul-k8s components, as well as generate certificate 112 authority (optional) and server and client certificates. 113 114 - `enableAutoEncrypt` ((#v-global-tls-enableautoencrypt)) (`boolean: false`) - If true, turns on the auto-encrypt feature on clients and servers. 115 It also switches consul-k8s components to retrieve the CA from the servers 116 via the API. 
Requires Consul 1.7.1+ and consul-k8s 0.13.0 117 118 - `serverAdditionalDNSSANs` ((#v-global-tls-serveradditionaldnssans)) (`array<string>: []`) - A list of additional DNS names to set as Subject Alternative Names (SANs) 119 in the server certificate. This is useful when you need to access the 120 Consul server(s) externally, for example, if you're using the UI. 121 122 - `serverAdditionalIPSANs` ((#v-global-tls-serveradditionalipsans)) (`array<string>: []`) - A list of additional IP addresses to set as Subject Alternative Names (SANs) 123 in the server certificate. This is useful when you need to access the 124 Consul server(s) externally, for example, if you're using the UI. 125 126 - `verify` ((#v-global-tls-verify)) (`boolean: true`) - If true, `verify_outgoing`, `verify_server_hostname`, 127 and `verify_incoming_rpc` will be set to `true` for Consul servers and clients. 128 Set this to false to incrementally roll out TLS on an existing Consul cluster. 129 Please see https://consul.io/docs/k8s/operations/tls-on-existing-cluster 130 for more details. 131 132 - `httpsOnly` ((#v-global-tls-httpsonly)) (`boolean: true`) - If true, the Helm chart will configure Consul to disable the HTTP port on 133 both clients and servers and to only accept HTTPS connections. 134 135 - `caCert` ((#v-global-tls-cacert)) - A Kubernetes secret containing the certificate of the CA to use for 136 TLS communication within the Consul cluster. If you have generated the CA yourself 137 with the consul CLI, you could use the following command to create the secret 138 in Kubernetes: 139 140 ```bash 141 kubectl create secret generic consul-ca-cert \ 142 --from-file='tls.crt=./consul-agent-ca.pem' 143 ``` 144 145 - `secretName` ((#v-global-tls-cacert-secretname)) (`string: null`) - The name of the Kubernetes secret. 146 147 - `secretKey` ((#v-global-tls-cacert-secretkey)) (`string: null`) - The key of the Kubernetes secret. 
148 149 - `caKey` ((#v-global-tls-cakey)) - A Kubernetes secret containing the private key of the CA to use for 150 TLS communication within the Consul cluster. If you have generated the CA yourself 151 with the consul CLI, you could use the following command to create the secret 152 in Kubernetes: 153 154 ```bash 155 kubectl create secret generic consul-ca-key \ 156 --from-file='tls.key=./consul-agent-ca-key.pem' 157 ``` 158 159 Note that we need the CA key so that we can generate server and client certificates. 160 It is particularly important for the client certificates since they need to have host IPs 161 as Subject Alternative Names. In the future, we may support bringing your own server 162 certificates. 163 164 - `secretName` ((#v-global-tls-cakey-secretname)) (`string: null`) - The name of the Kubernetes secret. 165 166 - `secretKey` ((#v-global-tls-cakey-secretkey)) (`string: null`) - The key of the Kubernetes secret. 167 168 - `enableConsulNamespaces` ((#v-global-enableconsulnamespaces)) (`boolean: false`) - <EnterpriseAlert inline /> `enableConsulNamespaces` indicates that you are running 169 Consul Enterprise v1.7+ with a valid Consul Enterprise license and would 170 like to make use of configuration beyond registering everything into 171 the `default` Consul namespace. Requires consul-k8s v0.12+. Additional configuration 172 options are found in the `consulNamespaces` section of both the catalog sync 173 and connect injector. 174 175 - `acls` ((#v-global-acls)) - Configure ACLs. 176 177 - `manageSystemACLs` ((#v-global-acls-managesystemacls)) (`boolean: false`) - If true, the Helm chart will automatically manage ACL tokens and policies 178 for all Consul and consul-k8s components. 179 This requires Consul >= 1.4 and consul-k8s >= 0.14.0. 180 181 - `bootstrapToken` ((#v-global-acls-bootstraptoken)) - A Kubernetes secret containing the bootstrap token to use for 182 creating policies and tokens for all Consul and consul-k8s components. 
183 If set, we will skip ACL bootstrapping of the servers and will only 184 initialize ACLs for the Consul clients and consul-k8s system components. 185 Requires consul-k8s >= 0.14.0. 186 187 - `secretName` ((#v-global-acls-bootstraptoken-secretname)) (`string: null`) - The name of the Kubernetes secret. 188 189 - `secretKey` ((#v-global-acls-bootstraptoken-secretkey)) (`string: null`) - The key of the Kubernetes secret. 190 191 - `createReplicationToken` ((#v-global-acls-createreplicationtoken)) (`boolean: false`) - If true, an ACL token will be created that can be used in secondary 192 datacenters for replication. This should only be set to true in the 193 primary datacenter since the replication token must be created from that 194 datacenter. 195 In secondary datacenters, the secret needs to be imported from the primary 196 datacenter and referenced via `global.acls.replicationToken`. 197 Requires consul-k8s >= 0.13.0. 198 199 - `replicationToken` ((#v-global-acls-replicationtoken)) - replicationToken references a secret containing the replication ACL token. 200 This token will be used by secondary datacenters to perform ACL replication 201 and create ACL tokens and policies. 202 This value is ignored if `bootstrapToken` is also set. 203 Requires consul-k8s >= 0.13.0. 204 205 - `secretName` ((#v-global-acls-replicationtoken-secretname)) (`string: null`) - The name of the Kubernetes secret. 206 207 - `secretKey` ((#v-global-acls-replicationtoken-secretkey)) (`string: null`) - The key of the Kubernetes secret. 208 209 - `federation` ((#v-global-federation)) - Configure federation. 210 211 - `enabled` ((#v-global-federation-enabled)) (`boolean: false`) - If enabled, this datacenter will be federation-capable. Only federation 212 via mesh gateways is supported. 213 Mesh gateways and servers will be configured to allow federation. 214 Requires `global.tls.enabled`, `meshGateway.enabled` and `connectInject.enabled` 215 to be true. Requires Consul 1.8+. 
216 217 - `createFederationSecret` ((#v-global-federation-createfederationsecret)) (`boolean: false`) - If true, the chart will create a Kubernetes secret that can be imported 218 into secondary datacenters so they can federate with this datacenter. The 219 secret contains all the information secondary datacenters need to contact 220 and authenticate with this datacenter. This should only be set to true 221 in your primary datacenter. The secret name is 222 `<global.name>-federation` (if setting `global.name`), otherwise 223 `<helm-release-name>-consul-federation`. Requires consul-k8s 0.15.0+. 224 225 - `metrics` ((#v-global-metrics)) - Configures metrics for Consul service mesh 226 227 - `enabled` ((#v-global-metrics-enabled)) (`boolean: false`) - Configures the Helm chart’s components 228 to expose Prometheus metrics for the Consul service mesh. By default 229 this includes gateway metrics and sidecar metrics. 230 231 - `enableAgentMetrics` ((#v-global-metrics-enableagentmetrics)) (`boolean: false`) - Configures consul agent metrics. Only applicable if 232 `global.metrics.enabled` is true. 233 234 - `agentMetricsRetentionTime` ((#v-global-metrics-agentmetricsretentiontime)) (`string: 1m`) - Configures the retention time for metrics in Consul clients and 235 servers. This must be greater than 0 for Consul clients and servers 236 to expose any metrics at all. 237 Only applicable if `global.metrics.enabled` is true. 238 239 - `enableGatewayMetrics` ((#v-global-metrics-enablegatewaymetrics)) (`boolean: true`) - If true, mesh, terminating, and ingress gateways will expose their 240 Envoy metrics on port `20200` at the `/metrics` path and all gateway pods 241 will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true. 
242 243 - `consulSidecarContainer` ((#v-global-consulsidecarcontainer)) (`map`) - The consul sidecar ensures the Consul services 244 are always registered with their local Consul clients and is used by the 245 ingress/terminating/mesh gateways as well as with every Connect-injected service. 246 247 - `imageEnvoy` ((#v-global-imageenvoy)) (`string: envoyproxy/envoy-alpine:<latest supported version>`) - The name (and tag) of the Envoy Docker image used for the 248 connect-injected sidecar proxies and mesh, terminating, and ingress gateways. 249 See https://www.consul.io/docs/connect/proxies/envoy for full compatibility matrix between Consul and Envoy. 250 251 - `openshift` ((#v-global-openshift)) - Configuration for running this Helm chart on the Red Hat OpenShift platform. 252 This Helm chart currently supports OpenShift v4.x+. 253 254 - `enabled` ((#v-global-openshift-enabled)) (`boolean: false`) - If true, the Helm chart will create necessary configuration for running 255 its components on OpenShift. 256 257### server 258 259- `server` ((#v-server)) - Server, when enabled, configures a server cluster to run. This should 260 be disabled if you plan on connecting to a Consul cluster external to 261 the Kube cluster. 262 263 - `enabled` ((#v-server-enabled)) (`boolean: global.enabled`) - If true, the chart will install all the resources necessary for a 264 Consul server cluster. If you're running Consul externally and want agents 265 within Kubernetes to join that cluster, this should probably be false. 266 267 - `image` ((#v-server-image)) (`string: null`) - The name of the Docker image (including any tag) for the containers running 268 Consul server agents. 269 270 - `replicas` ((#v-server-replicas)) (`integer: 3`) - The number of server agents to run. This determines the fault tolerance of 271 the cluster. Please see the deployment table (https://consul.io/docs/internals/consensus#deployment-table) 272 for more information. 
273 274 - `bootstrapExpect` ((#v-server-bootstrapexpect)) (`int: null`) - The number of servers that are expected to be running. 275 It defaults to server.replicas. 276 In most cases the default should be used, however if there are more 277 servers in this datacenter than server.replicas it might make sense 278 to override the default. This would be the case if two kube clusters 279 were joined into the same datacenter and each cluster ran a certain number 280 of servers. 281 282 - `enterpriseLicense` ((#v-server-enterpriselicense)) - <EnterpriseAlert inline /> This value refers to a Kubernetes secret that you have created 283 that contains your enterprise license. It is required if you are using an 284 enterprise binary. Defining it here applies it to your cluster once a leader 285 has been elected. If you are not using an enterprise image or if you plan to 286 introduce the license key via another route, then set these fields to null. 287 Note: the job to apply license runs on both Helm installs and upgrades. 288 289 - `secretName` ((#v-server-enterpriselicense-secretname)) (`string: null`) - The name of the Kubernetes secret that holds the enterprise license. 290 The secret must be in the same namespace that Consul is installed into. 291 292 - `secretKey` ((#v-server-enterpriselicense-secretkey)) (`string: null`) - The key within the Kubernetes secret that holds the enterprise license. 293 294 - `enableLicenseAutoload` ((#v-server-enterpriselicense-enablelicenseautoload)) (`boolean: true`) - Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+. 295 296 - `exposeGossipAndRPCPorts` ((#v-server-exposegossipandrpcports)) (`boolean: false`) - Exposes the servers' gossip and RPC ports as hostPorts. To enable a client 297 agent outside of the k8s cluster to join the datacenter, you would need to 298 enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and 299 set `server.ports.serflan.port` to a port not being used on the host. 
Since 300 `client.exposeGossipPorts` uses the hostPort 8301, 301 `server.ports.serflan.port` must be set to something other than 8301. 302 303 - `ports` ((#v-server-ports)) - Configures ports for the consul servers. 304 305 - `serflan` ((#v-server-ports-serflan)) - Configures the LAN gossip port for the consul servers. If you choose to 306 enable `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, 307 that will configure the LAN gossip ports on the servers and clients to be 308 hostPorts, so if you are running clients and servers on the same node the 309 ports will conflict if they are both 8301. When you enable 310 `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, you must 311 change this from the default to an unused port on the host, e.g. 9301. By 312 default the LAN gossip port is 8301 and configured as a containerPort on 313 the consul server Pods. 314 315 - `port` ((#v-server-ports-serflan-port)) (`integer: 8301`) 316 317 - `storage` ((#v-server-storage)) (`string: 10Gi`) - This defines the disk size for configuring the 318 servers' StatefulSet storage. For dynamically provisioned storage classes, this is the 319 desired size. For manually defined persistent volumes, this should be set to 320 the disk size of the attached volume. 321 322 - `storageClass` ((#v-server-storageclass)) (`string: null`) - The StorageClass to use for the servers' StatefulSet storage. It must be 323 able to be dynamically provisioned if you want the storage 324 to be automatically created. For example, to use local 325 (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) 326 storage classes, the PersistentVolumeClaims would need to be manually created. 327 A `null` value will use the Kubernetes cluster's default StorageClass. If a default 328 StorageClass does not exist, you will need to create one. 329 330 - `connect` ((#v-server-connect)) (`boolean: true`) - This will enable/disable Connect (https://consul.io/docs/connect). 
Setting this to true 331 _will not_ automatically secure pod communication, this 332 setting will only enable usage of the feature. Consul will automatically initialize 333 a new CA and set of certificates. Additional Connect settings can be configured 334 by setting the `server.extraConfig` value. 335 336 - `serviceAccount` ((#v-server-serviceaccount)) 337 338 - `annotations` ((#v-server-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the server service account. This should be formatted as a multi-line 339 string. 340 341 ```yaml 342 annotations: | 343 "sample/annotation1": "foo" 344 "sample/annotation2": "bar" 345 ``` 346 347 - `resources` ((#v-server-resources)) (`map`) - The resource requests (CPU, memory, etc.) 348 for each of the server agents. This should be a YAML map corresponding to a Kubernetes 349 ResourceRequirements (https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) 350 object. NOTE: The use of a YAML string is deprecated. 351 352 Example: 353 354 ```yaml 355 resources: 356 requests: 357 memory: '100Mi' 358 cpu: '100m' 359 limits: 360 memory: '100Mi' 361 cpu: '100m' 362 ``` 363 364 - `securityContext` ((#v-server-securitycontext)) (`map`) - The security context for the server pods. This should be a YAML map corresponding to a 365 Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. 366 By default, servers will run as non-root, with user ID `100` and group ID `1000`, 367 which correspond to the consul user and group created by the Consul docker image. 368 Note: if running on OpenShift, this setting is ignored because the user and group are set automatically 369 by the OpenShift platform. 370 371 - `updatePartition` ((#v-server-updatepartition)) (`integer: 0`) - This value is used to carefully 372 control a rolling update of Consul server agents. 
This value specifies the 373 partition (https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) 374 for performing a rolling update. Please read the linked Kubernetes documentation 375 and https://www.consul.io/docs/k8s/upgrade#upgrading-consul-servers for more information. 376 377 - `disruptionBudget` ((#v-server-disruptionbudget)) - This configures the PodDisruptionBudget (https://kubernetes.io/docs/tasks/run-application/configure-pdb/) 378 for the server cluster. 379 380 - `enabled` ((#v-server-disruptionbudget-enabled)) (`boolean: true`) - This will enable/disable registering a PodDisruptionBudget for the server 381 cluster. If this is enabled, it will only register the budget so long as 382 the server cluster is enabled. 383 384 - `maxUnavailable` ((#v-server-disruptionbudget-maxunavailable)) (`integer: null`) - The maximum number of unavailable pods. By default, this will be 385 automatically computed based on the `server.replicas` value to be `(n/2)-1`. 386 If you need to set this to `0`, you will need to add a 387 --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation 388 command because of a limitation in the Helm templating language. 389 390 - `extraConfig` ((#v-server-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul 391 servers. This will be saved as-is into a ConfigMap that is read by the Consul 392 server agents. This can be used to add additional configuration that 393 isn't directly exposed by the chart. 394 395 Example: 396 397 ```yaml 398 extraConfig: | 399 { 400 "log_level": "DEBUG" 401 } 402 ``` 403 404 This can also be set using Helm's `--set` flag using the following syntax: 405 406 ```shell 407 --set 'server.extraConfig="{"log_level": "DEBUG"}"' 408 ``` 409 410 - `extraVolumes` ((#v-server-extravolumes)) (`array<map>`) - A list of extra volumes to mount for server agents. 
This 411 is useful for bringing in extra data that can be referenced by other configurations 412 at a well known path, such as TLS certificates or Gossip encryption keys. The 413 value of this should be a list of objects. 414 415 Example: 416 417 ```yaml 418 extraVolumes: 419 - type: secret 420 name: consul-certs 421 load: false 422 ``` 423 424 Each object supports the following keys: 425 426 - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. 427 428 - `name` - Name of the configMap or secret to be mounted. This also controls 429 the path that it is mounted to. The volume will be mounted to `/consul/userconfig/<name>`. 430 431 - `load` - If true, then the agent will be 432 configured to automatically load HCL/JSON configuration files from this volume 433 with `-config-dir`. This defaults to false. 434 435 - `affinity` ((#v-server-affinity)) (`string`) - This value defines the affinity (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) 436 for server pods. It defaults to allowing only a single server pod on each node, which 437 minimizes risk of the cluster becoming unusable if a node is lost. If you need 438 to run more pods per node (for example, testing on Minikube), set this value 439 to `null`. 440 441 Example: 442 443 ```yaml 444 affinity: | 445 podAntiAffinity: 446 requiredDuringSchedulingIgnoredDuringExecution: 447 - labelSelector: 448 matchLabels: 449 app: {{ template "consul.name" . }} 450 release: "{{ .Release.Name }}" 451 component: server 452 topologyKey: kubernetes.io/hostname 453 ``` 454 455 - `tolerations` ((#v-server-tolerations)) (`string: ""`) - Toleration settings for server pods. This 456 should be a multi-line string matching the Tolerations 457 (https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. 
458 459 - `topologySpreadConstraints` ((#v-server-topologyspreadconstraints)) (`string: ""`) - Pod topology spread constraints for server pods. 460 This should be a multi-line YAML string matching the `topologySpreadConstraints` array 461 (https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) in a Pod Spec. 462 463 This requires K8S >= 1.18 (beta) or 1.19 (stable). 464 465 Example: 466 467 ```yaml 468 topologySpreadConstraints: | 469 - maxSkew: 1 470 topologyKey: topology.kubernetes.io/zone 471 whenUnsatisfiable: DoNotSchedule 472 labelSelector: 473 matchLabels: 474 app: {{ template "consul.name" . }} 475 release: "{{ .Release.Name }}" 476 component: server 477 ``` 478 479 - `nodeSelector` ((#v-server-nodeselector)) (`string: null`) - This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) 480 labels for server pod assignment, formatted as a multi-line string. 481 482 Example: 483 484 ```yaml 485 nodeSelector: | 486 beta.kubernetes.io/arch: amd64 487 ``` 488 489 - `priorityClassName` ((#v-server-priorityclassname)) (`string: ""`) - This value references an existing 490 Kubernetes `priorityClassName` (https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) 491 that can be assigned to server pods. 492 493 - `extraLabels` ((#v-server-extralabels)) (`map`) - Extra labels to attach to the server pods. This should be a YAML map. 494 495 Example: 496 497 ```yaml 498 extraLabels: 499 labelKey: label-value 500 anotherLabelKey: another-label-value 501 ``` 502 503 - `annotations` ((#v-server-annotations)) (`string: null`) - This value defines additional annotations for 504 server pods. This should be formatted as a multi-line string. 505 506 ```yaml 507 annotations: | 508 "sample/annotation1": "foo" 509 "sample/annotation2": "bar" 510 ``` 511 512 - `service` ((#v-server-service)) - Server service properties. 
513 514 - `annotations` ((#v-server-service-annotations)) (`string: null`) - Annotations to apply to the server service. 515 516 ```yaml 517 annotations: | 518 "annotation-key": "annotation-value" 519 ``` 520 521 - `extraEnvironmentVars` ((#v-server-extraenvironmentvars)) (`map`) - A list of extra environment variables to set within the stateful set. 522 These could be used to include proxy settings required for cloud auto-join 523 feature, in case kubernetes cluster is behind egress http proxies. Additionally, 524 it could be used to configure custom consul parameters. 525 526### externalServers 527 528- `externalServers` ((#v-externalservers)) - Configuration for Consul servers when the servers are running outside of Kubernetes. 529 When running external servers, configuring these values is recommended 530 if setting `global.tls.enableAutoEncrypt` to true (requires consul-k8s >= 0.13.0) 531 or `global.acls.manageSystemACLs` to true (requires consul-k8s >= 0.14.0). 532 533 - `enabled` ((#v-externalservers-enabled)) (`boolean: false`) - If true, the Helm chart will be configured to talk to the external servers. 534 If setting this to true, you must also set `server.enabled` to false. 535 536 - `hosts` ((#v-externalservers-hosts)) (`array<string>: []`) - An array of external Consul server hosts that are used to make 537 HTTPS connections from the components in this Helm chart. 538 Valid values include IPs, DNS names, or Cloud auto-join string. 539 The port must be provided separately below. 540 Note: `client.join` must also be set to the hosts that should be 541 used to join the cluster. In most cases, the `client.join` values 542 should be the same, however, they may be different if you 543 wish to use separate hosts for the HTTPS connections. 544 545 - `httpsPort` ((#v-externalservers-httpsport)) (`integer: 8501`) - The HTTPS port of the Consul servers. 
  - `tlsServerName` ((#v-externalservers-tlsservername)) (`string: null`) - The server name to use as the SNI host header when connecting with HTTPS.

  - `useSystemRoots` ((#v-externalservers-usesystemroots)) (`boolean: false`) - If true, consul-k8s components will ignore the CA set in
    `global.tls.caCert` when making HTTPS calls to Consul servers and
    will instead use the consul-k8s image's system CAs for TLS verification.
    If false, consul-k8s components will use `global.tls.caCert` when
    making HTTPS calls to Consul servers.
    **NOTE:** This does not affect Consul's internal RPC communication which will
    always use `global.tls.caCert`.

  - `k8sAuthMethodHost` ((#v-externalservers-k8sauthmethodhost)) (`string: null`) - If you are setting `global.acls.manageSystemACLs` and
    `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server.
    This address must be reachable from the Consul servers.
    Please see the Kubernetes Auth Method documentation (https://consul.io/docs/acl/auth-methods/kubernetes).
    Requires consul-k8s >= 0.14.0.

    You could retrieve this value from your `kubeconfig` by running:

    ```shell
    kubectl config view \
      -o jsonpath="{.clusters[?(@.name=='<your cluster name>')].cluster.server}"
    ```

### client

- `client` ((#v-client)) - Values that configure running a Consul client on Kubernetes nodes.

  - `enabled` ((#v-client-enabled)) (`boolean: global.enabled`) - If true, the chart will install all
    the resources necessary for a Consul client on every Kubernetes node. This _does not_ require
    `server.enabled`, since the agents can be configured to join an external cluster.

  - `image` ((#v-client-image)) (`string: null`) - The name of the Docker image (including any tag) for the containers
    running Consul client agents.

  - `join` ((#v-client-join)) (`array<string>: null`) - A list of valid `-retry-join` values (https://consul.io/docs/agent/options#retry-join).
    If this is `null` (default), then the clients will attempt to automatically
    join the server cluster running within Kubernetes.
    This means that with `server.enabled` set to true, clients will automatically
    join that cluster. If `server.enabled` is not true, then a value must be
    specified so the clients can join a valid cluster.

  - `dataDirectoryHostPath` ((#v-client-datadirectoryhostpath)) (`string: null`) - An absolute path to a directory on the host machine to use as the Consul
    client data directory. If set to the empty string or null, the Consul agent
    will store its data in the Pod's local filesystem (which will
    be lost if the Pod is deleted). Security Warning: If setting this, Pod Security
    Policies _must_ be enabled on your cluster and in this Helm chart (via the
    `global.enablePodSecurityPolicies` setting) to prevent other pods from
    mounting the same host path and gaining access to all of Consul's data.
    Consul's data is not encrypted at rest.

  - `grpc` ((#v-client-grpc)) (`boolean: true`) - If true, agents will enable their GRPC listener on
    port 8502 and expose it to the host. This will use slightly more resources, but is
    required for Connect.

  - `exposeGossipPorts` ((#v-client-exposegossipports)) (`boolean: false`) - If true, the Helm chart will expose the clients' gossip ports as hostPorts.
    This is only necessary if pod IPs in the k8s cluster are not directly routable
    and the Consul servers are outside of the k8s cluster.
    This also changes the clients' advertised IP to the `hostIP` rather than `podIP`.

  - `serviceAccount` ((#v-client-serviceaccount))

    - `annotations` ((#v-client-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the client service account.
      This should be formatted as a multi-line string.

      ```yaml
      annotations: |
        "sample/annotation1": "foo"
        "sample/annotation2": "bar"
      ```

  - `resources` ((#v-client-resources)) (`map`) - Resource settings for Client agents.
    NOTE: The use of a YAML string is deprecated. Instead, set directly as a
    YAML map.

  - `securityContext` ((#v-client-securitycontext)) (`map`) - The security context for the client pods. This should be a YAML map corresponding to a
    Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object.
    By default, servers will run as non-root, with user ID `100` and group ID `1000`,
    which correspond to the consul user and group created by the Consul docker image.
    Note: if running on OpenShift, this setting is ignored because the user and group are set automatically
    by the OpenShift platform.

  - `extraConfig` ((#v-client-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul
    clients. This will be saved as-is into a ConfigMap that is read by the Consul
    client agents. This can be used to add additional configuration that
    isn't directly exposed by the chart.

    Example:

    ```yaml
    extraConfig: |
      {
        "log_level": "DEBUG"
      }
    ```

    This can also be set using Helm's `--set` flag using the following syntax:

    ```shell
    --set 'client.extraConfig="{"log_level": "DEBUG"}"'
    ```

  - `extraVolumes` ((#v-client-extravolumes)) (`array<map>`) - A list of extra volumes to mount for client agents. This
    is useful for bringing in extra data that can be referenced by other configurations
    at a well known path, such as TLS certificates or Gossip encryption keys. The
    value of this should be a list of objects.
    Example:

    ```yaml
    extraVolumes:
      - type: secret
        name: consul-certs
        load: false
    ```

    Each object supports the following keys:

    - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive.

    - `name` - Name of the configMap or secret to be mounted. This also controls
      the path that it is mounted to. The volume will be mounted to `/consul/userconfig/<name>`.

    - `load` - If true, then the agent will be
      configured to automatically load HCL/JSON configuration files from this volume
      with `-config-dir`. This defaults to false.

  - `tolerations` ((#v-client-tolerations)) (`string: ""`) - Toleration Settings for Client pods.
    This should be a multi-line string matching the Toleration array
    in a PodSpec.
    The example below will allow Client pods to run on every node
    regardless of taints.

    ```yaml
    tolerations: |
      - operator: Exists
    ```

  - `nodeSelector` ((#v-client-nodeselector)) (`string: null`) - nodeSelector labels for client pod assignment, formatted as a multi-line string.
    ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

    Example:

    ```yaml
    nodeSelector: |
      beta.kubernetes.io/arch: amd64
    ```

  - `affinity` ((#v-client-affinity)) (`string: null`) - Affinity Settings for Client pods, formatted as a multi-line YAML string.
    ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity

    Example:

    ```yaml
    affinity: |
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
            - matchExpressions:
                - key: node-role.kubernetes.io/master
                  operator: DoesNotExist
    ```

  - `priorityClassName` ((#v-client-priorityclassname)) (`string: ""`) - This value references an existing
    Kubernetes `priorityClassName` (https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority)
    that can be assigned to client pods.

  - `annotations` ((#v-client-annotations)) (`string: null`) - This value defines additional annotations for
    client pods. This should be formatted as a multi-line string.

    ```yaml
    annotations: |
      "sample/annotation1": "foo"
      "sample/annotation2": "bar"
    ```

  - `extraLabels` ((#v-client-extralabels)) (`map`) - Extra labels to attach to the client pods. This should be a regular YAML map.

    Example:

    ```yaml
    extraLabels:
      labelKey: label-value
      anotherLabelKey: another-label-value
    ```

  - `extraEnvironmentVars` ((#v-client-extraenvironmentvars)) (`map`) - A list of extra environment variables to set within the stateful set.
    These could be used to include proxy settings required for the cloud auto-join
    feature, in case the Kubernetes cluster is behind egress HTTP proxies. Additionally,
    it could be used to configure custom consul parameters.

  - `dnsPolicy` ((#v-client-dnspolicy)) (`string: null`) - This value defines the Pod DNS policy (https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy)
    for client pods to use.

  - `hostNetwork` ((#v-client-hostnetwork)) (`boolean: false`) - hostNetwork defines whether or not we use host networking instead of hostPort in the event
    that a CNI plugin doesn't support `hostPort`. This has security implications and is not recommended
    as doing so gives the consul client unnecessary access to all network traffic on the host.
    In most cases, pod network and host network are on different networks so this should be
    combined with `dnsPolicy: ClusterFirstWithHostNet`.

  - `updateStrategy` ((#v-client-updatestrategy)) (`string: null`) - updateStrategy for the DaemonSet.
    See https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy.
    This should be a multi-line string mapping directly to the updateStrategy.

    Example:

    ```yaml
    updateStrategy: |
      rollingUpdate:
        maxUnavailable: 5
      type: RollingUpdate
    ```

  - `snapshotAgent` ((#v-client-snapshotagent)) - <EnterpriseAlert inline /> Values for setting up and running snapshot agents
    (https://consul.io/commands/snapshot/agent)
    within the Consul clusters. They are required to be co-located with Consul clients,
    so will inherit the clients' nodeSelector, tolerations and affinity.

    - `enabled` ((#v-client-snapshotagent-enabled)) (`boolean: false`) - If true, the chart will install resources necessary to run the snapshot agent.

    - `replicas` ((#v-client-snapshotagent-replicas)) (`integer: 2`) - The number of snapshot agents to run.

    - `configSecret` ((#v-client-snapshotagent-configsecret)) - A Kubernetes secret that should be manually created to contain the entire
      config to be used on the snapshot agent.
      This is the preferred method of configuration since there are usually storage
      credentials present. Please see Snapshot agent config (https://consul.io/commands/snapshot/agent#config-file-options)
      for details.

      - `secretName` ((#v-client-snapshotagent-configsecret-secretname)) (`string: null`) - The name of the Kubernetes secret.

      - `secretKey` ((#v-client-snapshotagent-configsecret-secretkey)) (`string: null`) - The key of the Kubernetes secret.

    - `serviceAccount` ((#v-client-snapshotagent-serviceaccount))

      - `annotations` ((#v-client-snapshotagent-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the snapshot agent service account. This should be formatted as a
        multi-line string.

        ```yaml
        annotations: |
          "sample/annotation1": "foo"
          "sample/annotation2": "bar"
        ```

    - `resources` ((#v-client-snapshotagent-resources)) (`map`) - Resource settings for snapshot agent pods.

    - `caCert` ((#v-client-snapshotagent-cacert)) (`string: null`) - Optional PEM-encoded CA certificate that will be added to the trusted system CAs.
      Useful if using an S3-compatible storage exposing a self-signed certificate.

      Example:

      ```yaml
      caCert: |
        -----BEGIN CERTIFICATE-----
        MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx
        ...
      ```

### dns

- `dns` ((#v-dns)) - Configuration for DNS within the Kubernetes cluster.
  This creates a service that routes to all agents (client or server)
  for serving DNS requests. This DOES NOT automatically configure kube-dns
  today, so you must still manually configure a `stubDomain` with kube-dns
  for this to have any effect:
  https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers

  - `enabled` ((#v-dns-enabled)) (`boolean: -`)

  - `type` ((#v-dns-type)) (`string: ClusterIP`) - Used to control the type of service created. For
    example, setting this to "LoadBalancer" will create an external load
    balancer (for supported K8S installations).

  - `clusterIP` ((#v-dns-clusterip)) (`string: null`) - Set a predefined cluster IP for the DNS service.
    Useful if you need to reference the DNS service's IP
    address in CoreDNS config.
  - `annotations` ((#v-dns-annotations)) (`string: null`) - Extra annotations to attach to the dns service.
    This should be a multi-line string of
    annotations to apply to the dns Service.

  - `additionalSpec` ((#v-dns-additionalspec)) (`string: null`) - Additional ServiceSpec values.
    This should be a multi-line string mapping directly to a Kubernetes
    ServiceSpec object.

### ui

- `ui` ((#v-ui)) - Values that configure the Consul UI.

  - `enabled` ((#v-ui-enabled)) (`boolean: global.enabled`) - If true, the UI will be enabled. This will
    only _enable_ the UI, it doesn't automatically register any service for external
    access. The UI will only be enabled on server agents. If `server.enabled` is
    false, then this setting has no effect. To expose the UI in some way, you must
    configure `ui.service`.

  - `service` ((#v-ui-service)) - Configure the service for the Consul UI.

    - `enabled` ((#v-ui-service-enabled)) (`boolean: true`) - This will enable/disable registering a
      Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is
      true and itself taking effect.

    - `type` ((#v-ui-service-type)) (`string: null`) - The service type to register.

    - `nodePort` ((#v-ui-service-nodeport)) - Optionally set the nodePort value of the ui service if using a NodePort service.
      If not set and using a NodePort service, Kubernetes will automatically assign
      a port.

      - `http` ((#v-ui-service-nodeport-http)) (`integer: null`) - HTTP node port

      - `https` ((#v-ui-service-nodeport-https)) (`integer: null`) - HTTPS node port

    - `annotations` ((#v-ui-service-annotations)) (`string: null`) - Annotations to apply to the UI service.

      Example:

      ```yaml
      annotations: |
        'annotation-key': annotation-value
      ```

    - `additionalSpec` ((#v-ui-service-additionalspec)) (`string: null`) - Additional ServiceSpec values.
      This should be a multi-line string mapping directly to a Kubernetes
      ServiceSpec object.

  - `ingress` ((#v-ui-ingress)) - Configure Ingress for the Consul UI.
    If `global.tls.enabled` is set to `true`, the Ingress will expose
    port 443 on the UI service. Please ensure the Ingress Controller
    supports SSL pass-through and that it is enabled, so that traffic forwarded
    to port 443 has not been TLS terminated.

    - `enabled` ((#v-ui-ingress-enabled)) (`boolean: false`) - This will create an Ingress resource for the Consul UI.

    - `hosts` ((#v-ui-ingress-hosts)) (`array<map>`) - hosts is a list of host names for which to create Ingress rules.

      ```yaml
      hosts:
        - host: foo.bar
          paths:
            - /example
            - /test
      ```

    - `tls` ((#v-ui-ingress-tls)) (`array<map>`) - tls is a list of hosts and secret names in an Ingress
      which tells the Ingress controller to secure the channel.

      ```yaml
      tls:
        - hosts:
            - chart-example.local
          secretName: testsecret-tls
      ```

    - `annotations` ((#v-ui-ingress-annotations)) (`string: null`) - Annotations to apply to the UI ingress.

      Example:

      ```yaml
      annotations: |
        'annotation-key': annotation-value
      ```

  - `metrics` ((#v-ui-metrics)) - Configurations for displaying metrics in the UI.

    - `enabled` ((#v-ui-metrics-enabled)) (`boolean: global.metrics.enabled`) - Enable displaying metrics in the UI. The default value of "-"
      will inherit from the `global.metrics.enabled` value.

    - `provider` ((#v-ui-metrics-provider)) (`string: prometheus`) - Provider for metrics. See
      https://www.consul.io/docs/agent/options#ui_config_metrics_provider
      This value is only used if `ui.enabled` is set to true.

    - `baseURL` ((#v-ui-metrics-baseurl)) (`string: http://prometheus-server`) - baseURL is the URL of the prometheus server, usually the service URL.
      This value is only used if `ui.enabled` is set to true.

### syncCatalog

- `syncCatalog` ((#v-synccatalog)) - Configure the catalog sync process to sync K8S with Consul
  services. This can run bidirectionally (default) or unidirectionally (Consul
  to K8S or K8S to Consul only).

  This process assumes that a Consul agent is available on the host IP.
  This is done automatically if clients are enabled. If clients are not
  enabled then set the node selection so that it chooses a node with a
  Consul agent.

  - `enabled` ((#v-synccatalog-enabled)) (`boolean: false`) - True if you want to enable the catalog sync. Set to "-" to inherit from
    `global.enabled`.

  - `image` ((#v-synccatalog-image)) (`string: null`) - The name of the Docker image (including any tag) for consul-k8s
    to run the sync program.

  - `default` ((#v-synccatalog-default)) (`boolean: true`) - If true, all valid services in K8S are
    synced by default. If false, the service must be annotated
    (https://consul.io/docs/k8s/service-sync#sync-enable-disable) properly to sync.
    In either case an annotation can override the default.

  - `priorityClassName` ((#v-synccatalog-priorityclassname)) (`string: ""`) - Optional priorityClassName.

  - `toConsul` ((#v-synccatalog-toconsul)) (`boolean: true`) - If true, will sync Kubernetes services to Consul. This can be disabled to
    have a one-way sync.

  - `toK8S` ((#v-synccatalog-tok8s)) (`boolean: true`) - If true, will sync Consul services to Kubernetes. This can be disabled to
    have a one-way sync.

  - `k8sPrefix` ((#v-synccatalog-k8sprefix)) (`string: null`) - Service prefix to prepend to services before registering
    with Kubernetes. For example "consul-" will register all services
    prepended with "consul-".
    (Consul -> Kubernetes sync)

  - `k8sAllowNamespaces` ((#v-synccatalog-k8sallownamespaces)) (`array<string>: ["*"]`) - List of k8s namespaces to sync the k8s services from.
    If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`,
    services in that k8s namespace will not be synced even if they are explicitly
    annotated. Use `["*"]` to automatically allow all k8s namespaces.

    For example, `["namespace1", "namespace2"]` will only allow services in the k8s
    namespaces `namespace1` and `namespace2` to be synced and registered
    with Consul. All other k8s namespaces will be ignored.

    To deny all namespaces, set this to `[]`.

    Note: `k8sDenyNamespaces` takes precedence over values defined here.
    Requires consul-k8s v0.12+.

  - `k8sDenyNamespaces` ((#v-synccatalog-k8sdenynamespaces)) (`array<string>: ["kube-system", "kube-public"]`) - List of k8s namespaces that should not have their
    services synced. This list takes precedence over `k8sAllowNamespaces`.
    `*` is not supported because then nothing would be allowed to sync.
    Requires consul-k8s v0.12+.

    For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is
    `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1`
    and `namespace2` will be synced.

  - `k8sSourceNamespace` ((#v-synccatalog-k8ssourcenamespace)) (`string: null`) - [DEPRECATED] Use `k8sAllowNamespaces` and `k8sDenyNamespaces` instead. For
    backwards compatibility, if both this and the allow/deny lists are set,
    the allow/deny lists will be ignored.
    k8sSourceNamespace is the Kubernetes namespace to watch for service
    changes and sync to Consul. If this is not set then it will default
    to all namespaces.
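The interaction of `syncCatalog.default`, `k8sAllowNamespaces`, `k8sDenyNamespaces` and the deprecated `k8sSourceNamespace` described above is easy to misread, so here is an added worked example that models the decision exactly as this reference states it and runs it over a constructed service inventory. This is illustrative code written for this page, not consul-k8s's own implementation; the `annotation` field stands in for the per-service sync annotation (`True` to opt in, `False` to opt out, absent when unannotated) and the sample services are made up.

```python
"""Model of the syncCatalog namespace allow/deny rules (illustrative, not consul-k8s code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SyncConfig:
    """The subset of syncCatalog values that decide whether a k8s Service is synced."""
    default: bool = True                                   # syncCatalog.default
    allow: List[str] = field(default_factory=lambda: ["*"])  # k8sAllowNamespaces
    deny: List[str] = field(                               # k8sDenyNamespaces
        default_factory=lambda: ["kube-system", "kube-public"])
    source_namespace: Optional[str] = None                 # deprecated k8sSourceNamespace

    def __post_init__(self) -> None:
        # The reference says "*" is not supported in the deny list, because it
        # would leave nothing to sync; reject such a config up front.
        if "*" in self.deny:
            raise ValueError("k8sDenyNamespaces must not contain '*'")


def namespace_allowed(cfg: SyncConfig, namespace: str) -> bool:
    """Is any Service in this k8s namespace eligible for syncing at all?"""
    # Deprecated k8sSourceNamespace: when set, the allow/deny lists are ignored
    # and only that single namespace is watched.
    if cfg.source_namespace is not None:
        return namespace == cfg.source_namespace
    # k8sDenyNamespaces takes precedence over k8sAllowNamespaces.
    if namespace in cfg.deny:
        return False
    # "*" allows every namespace; an empty allow list denies all of them.
    return "*" in cfg.allow or namespace in cfg.allow


def should_sync(cfg: SyncConfig, namespace: str, annotation: Optional[bool]) -> bool:
    """Decide whether a single Service is synced into Consul.

    `annotation` is the parsed per-service sync annotation (True/False), or
    None when the Service carries no annotation.
    """
    # A namespace that is not allowed is never synced, even when the Service
    # is explicitly annotated to opt in.
    if not namespace_allowed(cfg, namespace):
        return False
    # Inside an allowed namespace, an annotation overrides syncCatalog.default
    # in either direction.
    if annotation is not None:
        return annotation
    return cfg.default


def synced_services(cfg: SyncConfig, services: List[Dict]) -> List[str]:
    """Return 'namespace/name' for every Service the sync process would register."""
    return [
        f"{svc['namespace']}/{svc['name']}"
        for svc in services
        if should_sync(cfg, svc["namespace"], svc.get("annotation"))
    ]


# Constructed sample inventory (not real cluster data).
SAMPLE_SERVICES = [
    {"namespace": "default", "name": "web"},
    {"namespace": "default", "name": "internal-db", "annotation": False},
    {"namespace": "kube-system", "name": "kube-dns", "annotation": True},
    {"namespace": "staging", "name": "api"},
    {"namespace": "staging", "name": "canary", "annotation": True},
]


if __name__ == "__main__":
    # Chart defaults: sync everything outside kube-system/kube-public, opt-out via annotation.
    print(synced_services(SyncConfig(), SAMPLE_SERVICES))
    # Opt-in model limited to one namespace: only explicitly annotated Services sync.
    print(synced_services(SyncConfig(default=False, allow=["staging"]), SAMPLE_SERVICES))
```

With the chart defaults the run shows that every unannotated Service outside `kube-system` and `kube-public` is registered, and that `kube-system/kube-dns` stays out even though it is annotated, because the deny list wins. Switching to `default: false` with a narrow allow list turns the sync into opt-in within that namespace only, which is the posture to prefer when not every Kubernetes Service should become discoverable through the Consul catalog.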
  - `consulNamespaces` ((#v-synccatalog-consulnamespaces)) - <EnterpriseAlert inline /> These settings manage the catalog sync's interaction with
    Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+).
    Also, `global.enableConsulNamespaces` must be true.

    - `consulDestinationNamespace` ((#v-synccatalog-consulnamespaces-consuldestinationnamespace)) (`string: default`) - Name of the Consul namespace to register all
      k8s services into. If the Consul namespace does not already exist,
      it will be created. This will be ignored if `mirroringK8S` is true.

    - `mirroringK8S` ((#v-synccatalog-consulnamespaces-mirroringk8s)) (`boolean: false`) - If true, k8s services will be registered into a Consul namespace
      of the same name as their k8s namespace, optionally prefixed if
      `mirroringK8SPrefix` is set below. If the Consul namespace does not
      already exist, it will be created. Turning this on overrides the
      `consulDestinationNamespace` setting.
      `addK8SNamespaceSuffix` may no longer be needed if enabling this option.

    - `mirroringK8SPrefix` ((#v-synccatalog-consulnamespaces-mirroringk8sprefix)) (`string: ""`) - If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
      to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a
      service in the k8s `staging` namespace will be registered into the
      `k8s-staging` Consul namespace.

  - `addK8SNamespaceSuffix` ((#v-synccatalog-addk8snamespacesuffix)) (`boolean: true`) - Appends the Kubernetes namespace suffix to
    each service name synced to Consul, separated by a dash.
    For example, for a service 'foo' in the default namespace,
    the sync process will create a Consul service named 'foo-default'.
    Set this flag to true to avoid registering services with the same name
    but in different namespaces as instances for the same Consul service.
    Namespace suffix is not added if 'annotationServiceName' is provided.

  - `consulPrefix` ((#v-synccatalog-consulprefix)) (`string: null`) - Service prefix which prepends itself
    to Kubernetes services registered within Consul.
    For example, "k8s-" will register all services prepended with "k8s-".
    (Kubernetes -> Consul sync)
    consulPrefix is ignored when 'annotationServiceName' is provided.
    NOTE: Updating this property to a non-null value for an existing installation will result in deregistering
    of existing services in Consul and registering them with a new name.

  - `k8sTag` ((#v-synccatalog-k8stag)) (`string: null`) - Optional tag that is applied to all of the Kubernetes services
    that are synced into Consul. If nothing is set, defaults to "k8s".
    (Kubernetes -> Consul sync)

  - `consulNodeName` ((#v-synccatalog-consulnodename)) (`string: k8s-sync`) - Defines the Consul synthetic node that all services
    will be registered to.
    NOTE: Changing the node name and upgrading the Helm chart will leave
    all of the previously sync'd services registered with Consul and
    register them again under the new Consul node name. The out-of-date
    registrations will need to be explicitly removed.

  - `syncClusterIPServices` ((#v-synccatalog-syncclusteripservices)) (`boolean: true`) - Syncs services of the ClusterIP type, which may
    or may not be broadly accessible depending on your Kubernetes cluster.
    Set this to false to skip syncing ClusterIP services.

  - `nodePortSyncType` ((#v-synccatalog-nodeportsynctype)) (`string: ExternalFirst`) - Configures the type of syncing that happens for NodePort
    services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst.

    - ExternalOnly will only use a node's ExternalIP address for the sync
    - InternalOnly uses the node's InternalIP address
    - ExternalFirst will preferentially use the node's ExternalIP address, but
      if it doesn't exist, it will use the node's InternalIP address instead.

  - `aclSyncToken` ((#v-synccatalog-aclsynctoken)) - Refers to a Kubernetes secret that you have created that contains
    an ACL token for your Consul cluster which allows the sync process the correct
    permissions. This is only needed if ACLs are enabled on the Consul cluster.

    - `secretName` ((#v-synccatalog-aclsynctoken-secretname)) (`string: null`) - The name of the Kubernetes secret.

    - `secretKey` ((#v-synccatalog-aclsynctoken-secretkey)) (`string: null`) - The key of the Kubernetes secret.

  - `nodeSelector` ((#v-synccatalog-nodeselector)) (`string: null`) - This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
    labels for catalog sync pod assignment, formatted as a multi-line string.

    Example:

    ```yaml
    nodeSelector: |
      beta.kubernetes.io/arch: amd64
    ```

  - `affinity` ((#v-synccatalog-affinity)) (`string: null`) - Affinity Settings.
    This should be a multi-line string matching the affinity object.

  - `tolerations` ((#v-synccatalog-tolerations)) (`string: null`) - Toleration Settings.
    This should be a multi-line string matching the Toleration array
    in a PodSpec.

  - `serviceAccount` ((#v-synccatalog-serviceaccount))

    - `annotations` ((#v-synccatalog-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the catalog sync service account. This should be formatted as a
      multi-line string.

      ```yaml
      annotations: |
        "sample/annotation1": "foo"
        "sample/annotation2": "bar"
      ```

  - `resources` ((#v-synccatalog-resources)) (`map`) - Resource settings for sync catalog pods.

  - `logLevel` ((#v-synccatalog-loglevel)) (`string: info`) - Log verbosity level. One of "trace", "debug", "info", "warn", or "error".

  - `consulWriteInterval` ((#v-synccatalog-consulwriteinterval)) (`string: null`) - Override the default interval to perform syncing operations creating Consul services.

  - `extraLabels` ((#v-synccatalog-extralabels)) (`map`) - Extra labels to attach to the sync catalog pods. This should be a YAML map.

    Example:

    ```yaml
    extraLabels:
      labelKey: label-value
      anotherLabelKey: another-label-value
    ```

### connectInject

- `connectInject` ((#v-connectinject)) - Configures the automatic Connect sidecar injector.

  - `enabled` ((#v-connectinject-enabled)) (`boolean: false`) - True if you want to enable connect injection. Set to "-" to inherit from
    `global.enabled`.

  - `image` ((#v-connectinject-image)) (`string: null`) - Image for consul-k8s that contains the injector.

  - `default` ((#v-connectinject-default)) (`boolean: false`) - If true, the injector will inject the
    Connect sidecar into all pods by default. Otherwise, pods must specify the
    injection annotation (https://consul.io/docs/k8s/connect#consul-hashicorp-com-connect-inject)
    to opt-in to Connect injection. If this is true, pods can use the same annotation
    to explicitly opt-out of injection.

  - `transparentProxy` ((#v-connectinject-transparentproxy)) - Configures Transparent Proxy for Consul Service mesh services.
    Using this feature requires Consul 1.10.0-beta1+ and consul-k8s 0.26.0-beta1+.
    - `defaultEnabled` ((#v-connectinject-transparentproxy-defaultenabled)) (`boolean: true`) - If true, then all Consul service mesh services will run with transparent proxy enabled by default,
      i.e. we enforce that all traffic within the pod will go through the proxy.
      This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation.

    - `defaultOverwriteProbes` ((#v-connectinject-transparentproxy-defaultoverwriteprobes)) (`boolean: true`) - If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead.
      This setting is recommended because with traffic being enforced to go through the Envoy proxy,
      the probes on the pod will fail because kube-proxy doesn't have the right certificates
      to talk to Envoy.
      This value is also overridable via the "consul.hashicorp.com/transparent-proxy-overwrite-probes" annotation.
      Note: This value has no effect if transparent proxy is disabled on the pod.

  - `metrics` ((#v-connectinject-metrics)) - Configures metrics for Consul Connect services. All values are overridable
    via annotations on a per-pod basis.

    - `defaultEnabled` ((#v-connectinject-metrics-defaultenabled)) (`string: -`) - If true, the connect-injector will automatically
      add prometheus annotations to connect-injected pods. It will also
      add a listener on the Envoy sidecar to expose metrics. The exposed
      metrics will depend on whether metrics merging is enabled:

      - If metrics merging is enabled:
        the Consul sidecar will run a merged metrics server
        combining Envoy sidecar and Connect service metrics,
        i.e. if your service exposes its own Prometheus metrics.
      - If metrics merging is disabled:
        the listener will just expose Envoy sidecar metrics.

      This will inherit from `global.metrics.enabled`.

    - `defaultEnableMerging` ((#v-connectinject-metrics-defaultenablemerging)) (`boolean: false`) - Configures the Consul sidecar to run a merged metrics server
      to combine and serve both Envoy and Connect service metrics.
      This feature is available only in Consul v1.10.0 or greater.

    - `defaultMergedMetricsPort` ((#v-connectinject-metrics-defaultmergedmetricsport)) (`integer: 20100`) - Configures the port on which the Consul sidecar will listen to return
      combined metrics. This port only needs to be changed if it conflicts with
      the application's ports.

    - `defaultPrometheusScrapePort` ((#v-connectinject-metrics-defaultprometheusscrapeport)) (`integer: 20200`) - Configures the port Prometheus will scrape metrics from, by configuring
      the Pod annotation `prometheus.io/port` and the corresponding listener in
      the Envoy sidecar.
      NOTE: This is _not_ the port that your application exposes metrics on.
      That can be configured with the
      `consul.hashicorp.com/service-metrics-port` annotation.

    - `defaultPrometheusScrapePath` ((#v-connectinject-metrics-defaultprometheusscrapepath)) (`string: /metrics`) - Configures the path Prometheus will scrape metrics from, by configuring the pod
      annotation `prometheus.io/path` and the corresponding handler in the Envoy
      sidecar.
      NOTE: This is _not_ the path that your application exposes metrics on.
      That can be configured with the
      `consul.hashicorp.com/service-metrics-path` annotation.

  - `envoyExtraArgs` ((#v-connectinject-envoyextraargs)) (`string: null`) - Used to pass arguments to the injected envoy sidecar.
    Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli
    e.g. `"--log-level debug --disable-hot-restart"`

  - `priorityClassName` ((#v-connectinject-priorityclassname)) (`string: ""`) - Optional priorityClassName.

  - `imageConsul` ((#v-connectinject-imageconsul)) (`string: null`) - The Docker image for Consul to use when performing Connect injection.
    Defaults to `global.image`.

  - `logLevel` ((#v-connectinject-loglevel)) (`string: info`) - Log verbosity level. One of "debug", "info", "warn", or "error".

  - `serviceAccount` ((#v-connectinject-serviceaccount))

    - `annotations` ((#v-connectinject-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the injector service account. This should be formatted as a
      multi-line string.

      ```yaml
      annotations: |
        "sample/annotation1": "foo"
        "sample/annotation2": "bar"
      ```

  - `resources` ((#v-connectinject-resources)) (`map`) - Resource settings for connect inject pods.

  - `namespaceSelector` ((#v-connectinject-namespaceselector)) (`string: null`) - Selector for restricting the webhook to only
    specific namespaces. This should be set to a multi-line string.
    See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
    for more details.

    Example:

    ```yaml
    namespaceSelector: |
      matchLabels:
        namespace-label: label-value
    ```

  - `k8sAllowNamespaces` ((#v-connectinject-k8sallownamespaces)) (`array<string>: ["*"]`) - List of k8s namespaces to allow Connect sidecar
    injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`,
    pods in that k8s namespace will not be injected even if they are explicitly
    annotated. Use `["*"]` to automatically allow all k8s namespaces.

    For example, `["namespace1", "namespace2"]` will only allow pods in the k8s
    namespaces `namespace1` and `namespace2` to have Connect sidecars injected
    and registered with Consul. All other k8s namespaces will be ignored.

    To deny all namespaces, set this to `[]`.

    Note: `k8sDenyNamespaces` takes precedence over values defined here and
    `namespaceSelector` takes precedence over both since it is applied first.
    `kube-system` and `kube-public` are never injected, even if included here.
    Requires consul-k8s v0.12+.

  - `k8sDenyNamespaces` ((#v-connectinject-k8sdenynamespaces)) (`array<string>: []`) - List of k8s namespaces that should not allow Connect
    sidecar injection. This list takes precedence over `k8sAllowNamespaces`.
    `*` is not supported because then nothing would be allowed to be injected.

    For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is
    `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1`
    and `namespace2` will be available for injection.

    Note: `namespaceSelector` takes precedence over this since it is applied first.
    `kube-system` and `kube-public` are never injected.
    Requires consul-k8s v0.12+.

  - `consulNamespaces` ((#v-connectinject-consulnamespaces)) - <EnterpriseAlert inline /> These settings manage the connect injector's interaction with
    Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+).
    Also, `global.enableConsulNamespaces` must be true.

    - `consulDestinationNamespace` ((#v-connectinject-consulnamespaces-consuldestinationnamespace)) (`string: default`) - Name of the Consul namespace to register all
      k8s pods into. If the Consul namespace does not already exist,
      it will be created. This will be ignored if `mirroringK8S` is true.

    - `mirroringK8S` ((#v-connectinject-consulnamespaces-mirroringk8s)) (`boolean: false`) - Causes k8s pods to be registered into a Consul namespace
      of the same name as their k8s namespace, optionally prefixed if
      `mirroringK8SPrefix` is set below. If the Consul namespace does not
      already exist, it will be created. Turning this on overrides the
      `consulDestinationNamespace` setting.
    - `mirroringK8SPrefix` ((#v-connectinject-consulnamespaces-mirroringk8sprefix)) (`string: ""`) - If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
      to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a
      pod in the k8s `staging` namespace will be registered into the
      `k8s-staging` Consul namespace.

  - `nodeSelector` ((#v-connectinject-nodeselector)) (`string: null`) - Selector labels for connectInject pod assignment, formatted as a multi-line string.
    ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

    Example:

    ```yaml
    nodeSelector: |
      beta.kubernetes.io/arch: amd64
    ```

  - `affinity` ((#v-connectinject-affinity)) (`string: null`) - Affinity Settings.
    This should be a multi-line string matching the affinity object.

  - `tolerations` ((#v-connectinject-tolerations)) (`string: null`) - Toleration Settings.
    This should be a multi-line string matching the Toleration array
    in a PodSpec.

  - `aclBindingRuleSelector` ((#v-connectinject-aclbindingruleselector)) (`string: serviceaccount.name!=default`) - Query that defines which Service Accounts
    can authenticate to Consul and receive an ACL token during Connect injection.
    The default setting, i.e. `serviceaccount.name!=default`, prevents the
    'default' Service Account from logging in.
    If set to an empty string all service accounts can log in.
    This only has effect if ACLs are enabled.

    See https://www.consul.io/docs/acl/acl-auth-methods.html#binding-rules
    and https://www.consul.io/docs/acl/auth-methods/kubernetes.html#trusted-identity-attributes
    for more details.
    Requires Consul >= v1.5 and consul-k8s >= v0.8.0.

  - `overrideAuthMethodName` ((#v-connectinject-overrideauthmethodname)) (`string: ""`) - If you are not using `global.acls.manageSystemACLs` and instead manually setting up an
    auth method for Connect inject, set this to the name of your auth method.

  - `aclInjectToken` ((#v-connectinject-aclinjecttoken)) - Refers to a Kubernetes secret that you have created that contains
    an ACL token for your Consul cluster which allows the Connect injector the correct
    permissions. This is only needed if Consul namespaces <EnterpriseAlert inline /> and ACLs
    are enabled on the Consul cluster and you are not setting
    `global.acls.manageSystemACLs` to `true`.
    This token needs to have `operator = "write"` privileges to be able to
    create Consul namespaces.

    - `secretName` ((#v-connectinject-aclinjecttoken-secretname)) (`string: null`) - The name of the Kubernetes secret.

    - `secretKey` ((#v-connectinject-aclinjecttoken-secretkey)) (`string: null`) - The key of the Kubernetes secret.

  - `sidecarProxy` ((#v-connectinject-sidecarproxy))

    - `resources` ((#v-connectinject-sidecarproxy-resources)) (`map`) - Set default resources for sidecar proxy. If null, that resource won't
      be set.
      These settings can be overridden on a per-pod basis via these annotations:

      - `consul.hashicorp.com/sidecar-proxy-cpu-limit`
      - `consul.hashicorp.com/sidecar-proxy-cpu-request`
      - `consul.hashicorp.com/sidecar-proxy-memory-limit`
      - `consul.hashicorp.com/sidecar-proxy-memory-request`

      - `requests` ((#v-connectinject-sidecarproxy-resources-requests))

        - `memory` ((#v-connectinject-sidecarproxy-resources-requests-memory)) (`string: null`) - Recommended default: 100Mi

        - `cpu` ((#v-connectinject-sidecarproxy-resources-requests-cpu)) (`string: null`) - Recommended default: 100m

      - `limits` ((#v-connectinject-sidecarproxy-resources-limits))

        - `memory` ((#v-connectinject-sidecarproxy-resources-limits-memory)) (`string: null`) - Recommended default: 100Mi

        - `cpu` ((#v-connectinject-sidecarproxy-resources-limits-cpu)) (`string: null`) - Recommended default: 100m

  - `initContainer` ((#v-connectinject-initcontainer)) (`map`) - Resource settings for the Connect injected init container.

### controller

- `controller` ((#v-controller)) - Controller handles config entry custom resources.
  Requires consul >= 1.8.4.
  ServiceIntentions require consul 1.9+.

  - `enabled` ((#v-controller-enabled)) (`boolean: false`) - Enables the controller for managing custom resources.

  - `replicas` ((#v-controller-replicas)) (`integer: 1`) - The number of deployment replicas.

  - `logLevel` ((#v-controller-loglevel)) (`string: info`) - Log verbosity level. One of "debug", "info", "warn", or "error".

  - `serviceAccount` ((#v-controller-serviceaccount))

    - `annotations` ((#v-controller-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the controller service account. This should be formatted as a
      multi-line string.
1329 1330 ```yaml 1331 annotations: | 1332 "sample/annotation1": "foo" 1333 "sample/annotation2": "bar" 1334 ``` 1335 1336 - `resources` ((#v-controller-resources)) (`map`) - Resource settings for controller pods. 1337 1338 - `nodeSelector` ((#v-controller-nodeselector)) (`string: null`) - Optional YAML string to specify a nodeSelector config. 1339 1340 - `tolerations` ((#v-controller-tolerations)) (`string: null`) - Optional YAML string to specify tolerations. 1341 1342 - `affinity` ((#v-controller-affinity)) (`string: null`) - Affinity Settings 1343 This should be a multi-line string matching the affinity object 1344 1345 - `priorityClassName` ((#v-controller-priorityclassname)) (`string: ""`) - Optional priorityClassName. 1346 1347 - `aclToken` ((#v-controller-acltoken)) - Refers to a Kubernetes secret that you have created that contains 1348 an ACL token for your Consul cluster which grants the controller process the correct 1349 permissions. This is only needed if you are managing ACLs yourself (i.e. not using 1350 `global.acls.manageSystemACLs`). 1351 1352 If running Consul OSS, requires permissions: 1353 1354 ```hcl 1355 operator = "write" 1356 service_prefix "" { 1357 policy = "write" 1358 intentions = "write" 1359 } 1360 ``` 1361 1362 If running Consul Enterprise, talk to your account manager for assistance. 1363 1364 - `secretName` ((#v-controller-acltoken-secretname)) (`string: null`) - The name of the Kubernetes secret. 1365 1366 - `secretKey` ((#v-controller-acltoken-secretkey)) (`string: null`) - The key of the Kubernetes secret. 1367 1368### meshGateway 1369 1370- `meshGateway` ((#v-meshgateway)) - Mesh Gateways enable Consul Connect to work across Consul datacenters. 1371 1372 - `enabled` ((#v-meshgateway-enabled)) (`boolean: false`) - If mesh gateways are enabled, a Deployment will be created that runs 1373 gateways and Consul Connect will be configured to use gateways. 
1374 See https://www.consul.io/docs/connect/mesh_gateway.html 1375 Requirements: consul 1.6.0+ and consul-k8s 0.15.0+ if using 1376 global.acls.manageSystemACLs. 1377 1378 - `replicas` ((#v-meshgateway-replicas)) (`integer: 2`) - Number of replicas for the Deployment. 1379 1380 - `wanAddress` ((#v-meshgateway-wanaddress)) - What gets registered as WAN address for the gateway. 1381 1382 - `source` ((#v-meshgateway-wanaddress-source)) (`string: Service`) - source configures where to retrieve the WAN address (and possibly port) 1383 for the mesh gateway from. 1384 Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. 1385 1386 - `Service` - Determine the address based on the service type. 1387 1388 - If `service.type=LoadBalancer` use the external IP or hostname of 1389 the service. Use the port set by `service.port`. 1390 1391 - If `service.type=NodePort` use the Node IP. The port will be set to 1392 `service.nodePort` so `service.nodePort` cannot be null. 1393 1394 - If `service.type=ClusterIP` use the `ClusterIP`. The port will be set to 1395 `service.port`. 1396 1397 - `service.type=ExternalName` is not supported. 1398 1399 - `NodeIP` - The node IP as provided by the Kubernetes downward API. 1400 1401 - `NodeName` - The name of the node as provided by the Kubernetes downward 1402 API. This is useful if the node names are DNS entries that 1403 are routable from other datacenters. 1404 1405 - `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`. 1406 1407 - `port` ((#v-meshgateway-wanaddress-port)) (`integer: 443`) - Port that gets registered for WAN traffic. 1408 If source is set to "Service" then this setting will have no effect. 1409 See the documentation for source as to which port will be used in that 1410 case. 1411 1412 - `static` ((#v-meshgateway-wanaddress-static)) (`string: ""`) - If source is set to "Static" then this value will be used as the WAN 1413 address of the mesh gateways. 
This is useful if you've configured a 1414 DNS entry to point to your mesh gateways. 1415 1416 - `service` ((#v-meshgateway-service)) - The service option configures the Service that fronts the Gateway Deployment. 1417 1418 - `enabled` ((#v-meshgateway-service-enabled)) (`boolean: true`) - Whether to create a Service or not. 1419 1420 - `type` ((#v-meshgateway-service-type)) (`string: LoadBalancer`) - Type of service, ex. LoadBalancer, ClusterIP. 1421 1422 - `port` ((#v-meshgateway-service-port)) (`integer: 443`) - Port that the service will be exposed on. 1423 The targetPort will be set to meshGateway.containerPort. 1424 1425 - `nodePort` ((#v-meshgateway-service-nodeport)) (`integer: null`) - Optionally set the nodePort value of the service if using a NodePort service. 1426 If not set and using a NodePort service, Kubernetes will automatically assign 1427 a port. 1428 1429 - `annotations` ((#v-meshgateway-service-annotations)) (`string: null`) - Annotations to apply to the mesh gateway service. 1430 1431 Example: 1432 1433 ```yaml 1434 annotations: | 1435 'annotation-key': annotation-value 1436 ``` 1437 1438 - `additionalSpec` ((#v-meshgateway-service-additionalspec)) (`string: null`) - Optional YAML string that will be appended to the Service spec. 1439 1440 - `hostNetwork` ((#v-meshgateway-hostnetwork)) (`boolean: false`) - If set to true, gateway Pods will run on the host network. 1441 1442 - `dnsPolicy` ((#v-meshgateway-dnspolicy)) (`string: null`) - dnsPolicy to use. 1443 1444 - `consulServiceName` ((#v-meshgateway-consulservicename)) (`string: mesh-gateway`) - Consul service name for the mesh gateways. 1445 Cannot be set to anything other than "mesh-gateway" if 1446 global.acls.manageSystemACLs is true since the ACL token 1447 generated is only for the name 'mesh-gateway'. 1448 1449 - `containerPort` ((#v-meshgateway-containerport)) (`integer: 8443`) - Port that the gateway will run on inside the container. 
1450 1451 - `hostPort` ((#v-meshgateway-hostport)) (`integer: null`) - Optional hostPort for the gateway to be exposed on. 1452 This can be used with wanAddress.port and wanAddress.useNodeIP 1453 to expose the gateways directly from the node. 1454 If hostNetwork is true, this must be null or set to the same port as 1455 containerPort. 1456 NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul 1457 agent. 1458 1459 - `serviceAccount` ((#v-meshgateway-serviceaccount)) 1460 1461 - `annotations` ((#v-meshgateway-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the mesh gateways' service account. This should be formatted as a 1462 multi-line string. 1463 1464 ```yaml 1465 annotations: | 1466 "sample/annotation1": "foo" 1467 "sample/annotation2": "bar" 1468 ``` 1469 1470 - `resources` ((#v-meshgateway-resources)) (`map`) - Resource settings for mesh gateway pods. 1471 NOTE: The use of a YAML string is deprecated. Instead, set directly as a 1472 YAML map. 1473 1474 - `initCopyConsulContainer` ((#v-meshgateway-initcopyconsulcontainer)) (`map`) - Resource settings for the `copy-consul-bin` init container. 1475 1476 - `affinity` ((#v-meshgateway-affinity)) (`string`) - By default, we set an anti-affinity so that two gateway pods won't be 1477 on the same node. NOTE: Gateways require that Consul client agents are 1478 also running on the nodes alongside each gateway pod. 1479 1480 - `tolerations` ((#v-meshgateway-tolerations)) (`string: null`) - Optional YAML string to specify tolerations. 1481 1482 - `nodeSelector` ((#v-meshgateway-nodeselector)) (`string: null`) - Optional YAML string to specify a nodeSelector config. 1483 1484 - `priorityClassName` ((#v-meshgateway-priorityclassname)) (`string: ""`) - Optional priorityClassName. 1485 1486 - `annotations` ((#v-meshgateway-annotations)) (`string: null`) - Annotations to apply to the mesh gateway deployment. 
1487 1488 Example: 1489 1490 ```yaml 1491 annotations: | 1492 'annotation-key': annotation-value 1493 ``` 1494 1495### ingressGateways 1496 1497- `ingressGateways` ((#v-ingressgateways)) - Configuration options for ingress gateways. Default values for all 1498 ingress gateways are defined in `ingressGateways.defaults`. Any of 1499 these values may be overridden in `ingressGateways.gateways` for a 1500 specific gateway with the exception of annotations. Annotations will 1501 include both the default annotations and any additional ones defined 1502 for a specific gateway. 1503 Requirements: consul >= 1.8.0 and consul-k8s >= 0.16.0 if using 1504 global.acls.manageSystemACLs and consul-k8s >= 0.10.0 if not. 1505 1506 - `enabled` ((#v-ingressgateways-enabled)) (`boolean: false`) - Enable ingress gateway deployment. Requires `connectInject.enabled=true` 1507 and `client.enabled=true`. 1508 1509 - `defaults` ((#v-ingressgateways-defaults)) - Defaults sets default values for all gateway fields. With the exception 1510 of annotations, defining any of these values in the `gateways` list 1511 will override the default values provided here. Annotations will 1512 include both the default annotations and any additional ones defined 1513 for a specific gateway. 1514 1515 - `replicas` ((#v-ingressgateways-defaults-replicas)) (`integer: 2`) - Number of replicas for each ingress gateway defined. 1516 1517 - `service` ((#v-ingressgateways-defaults-service)) - The service options configure the Service that fronts the gateway Deployment. 1518 1519 - `type` ((#v-ingressgateways-defaults-service-type)) (`string: ClusterIP`) - Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service 1520 type, you must set the desired nodePorts in the `ports` setting below. 1521 1522 - `ports` ((#v-ingressgateways-defaults-service-ports)) (`array<map>: [{port: 8080, port: 8443}]`) - Ports that will be exposed on the service and gateway container. 
Any 1523 ports defined as ingress listeners on the gateway's Consul configuration 1524 entry should be included here. The first port will be used as part of 1525 the Consul service registration for the gateway and be listed in its 1526 SRV record. If using a NodePort service type, you must specify the 1527 desired nodePort for each exposed port. 1528 1529 - `annotations` ((#v-ingressgateways-defaults-service-annotations)) (`string: null`) - Annotations to apply to the ingress gateway service. Annotations defined 1530 here will be applied to all ingress gateway services in addition to any 1531 service annotations defined for a specific gateway in `ingressGateways.gateways`. 1532 1533 Example: 1534 1535 ```yaml 1536 annotations: | 1537 'annotation-key': annotation-value 1538 ``` 1539 1540 - `additionalSpec` ((#v-ingressgateways-defaults-service-additionalspec)) (`string: null`) - Optional YAML string that will be appended to the Service spec. 1541 1542 - `serviceAccount` ((#v-ingressgateways-defaults-serviceaccount)) 1543 1544 - `annotations` ((#v-ingressgateways-defaults-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the ingress gateways' service account. This should be formatted 1545 as a multi-line string. 1546 1547 ```yaml 1548 annotations: | 1549 "sample/annotation1": "foo" 1550 "sample/annotation2": "bar" 1551 ``` 1552 1553 - `resources` ((#v-ingressgateways-defaults-resources)) (`map`) - Resource limits for all ingress gateway pods 1554 1555 - `initCopyConsulContainer` ((#v-ingressgateways-defaults-initcopyconsulcontainer)) (`map`) - Resource settings for the `copy-consul-bin` init container. 1556 1557 - `affinity` ((#v-ingressgateways-defaults-affinity)) (`string`) - By default, we set an anti-affinity so that two of the same gateway pods 1558 won't be on the same node. NOTE: Gateways require that Consul client agents are 1559 also running on the nodes alongside each gateway pod. 
1560 1561 - `tolerations` ((#v-ingressgateways-defaults-tolerations)) (`string: null`) - Optional YAML string to specify tolerations. 1562 1563 - `nodeSelector` ((#v-ingressgateways-defaults-nodeselector)) (`string: null`) - Optional YAML string to specify a nodeSelector config. 1564 1565 - `priorityClassName` ((#v-ingressgateways-defaults-priorityclassname)) (`string: ""`) - Optional priorityClassName. 1566 1567 - `annotations` ((#v-ingressgateways-defaults-annotations)) (`string: null`) - Annotations to apply to the ingress gateway deployment. Annotations defined 1568 here will be applied to all ingress gateway deployments in addition to any 1569 annotations defined for a specific gateway in `ingressGateways.gateways`. 1570 1571 Example: 1572 1573 ```yaml 1574 annotations: | 1575 "annotation-key": 'annotation-value' 1576 ``` 1577 1578 - `consulNamespace` ((#v-ingressgateways-defaults-consulnamespace)) (`string: default`) - <EnterpriseAlert inline /> `consulNamespace` defines the Consul namespace to register 1579 the gateway into. Requires `global.enableConsulNamespaces` to be true and 1580 Consul Enterprise v1.7+ with a valid Consul Enterprise license. 1581 Note: The Consul namespace MUST exist before the gateway is deployed. 1582 1583 - `gateways` ((#v-ingressgateways-gateways)) (`array<map>`) - Gateways is a list of gateway objects. The only required field for 1584 each is `name`, though they can also contain any of the fields in 1585 `defaults`. Values defined here override the defaults except in the 1586 case of annotations where both will be applied. 1587 1588 - `name` ((#v-ingressgateways-gateways-name)) (`string: ingress-gateway`) 1589 1590### terminatingGateways 1591 1592- `terminatingGateways` ((#v-terminatinggateways)) - Configuration options for terminating gateways. Default values for all 1593 terminating gateways are defined in `terminatingGateways.defaults`. 
Any of 1594 these values may be overridden in `terminatingGateways.gateways` for a 1595 specific gateway with the exception of annotations. Annotations will 1596 include both the default annotations and any additional ones defined 1597 for a specific gateway. 1598 Requirements: consul >= 1.8.0 and consul-k8s >= 0.16.0 if using 1599 global.acls.manageSystemACLs and consul-k8s >= 0.10.0 if not. 1600 1601 - `enabled` ((#v-terminatinggateways-enabled)) (`boolean: false`) - Enable terminating gateway deployment. Requires `connectInject.enabled=true` 1602 and `client.enabled=true`. 1603 1604 - `defaults` ((#v-terminatinggateways-defaults)) - Defaults sets default values for all gateway fields. With the exception 1605 of annotations, defining any of these values in the `gateways` list 1606 will override the default values provided here. Annotations will 1607 include both the default annotations and any additional ones defined 1608 for a specific gateway. 1609 1610 - `replicas` ((#v-terminatinggateways-defaults-replicas)) (`integer: 2`) - Number of replicas for each terminating gateway defined. 1611 1612 - `extraVolumes` ((#v-terminatinggateways-defaults-extravolumes)) (`array<map>`) - A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig/<name>/`. 1613 1614 Example: 1615 1616 ```yaml 1617 extraVolumes: 1618 - type: secret 1619 name: my-secret 1620 items: # optional items array 1621 - key: key 1622 path: path # secret will now mount to /consul/userconfig/my-secret/path 1623 ``` 1624 1625 - `resources` ((#v-terminatinggateways-defaults-resources)) (`map`) - Resource limits for all terminating gateway pods 1626 1627 - `initCopyConsulContainer` ((#v-terminatinggateways-defaults-initcopyconsulcontainer)) (`map`) - Resource settings for the `copy-consul-bin` init container. 
1628 1629 - `affinity` ((#v-terminatinggateways-defaults-affinity)) (`string`) - By default, we set an anti-affinity so that two of the same gateway pods 1630 won't be on the same node. NOTE: Gateways require that Consul client agents are 1631 also running on the nodes alongside each gateway pod. 1632 1633 - `tolerations` ((#v-terminatinggateways-defaults-tolerations)) (`string: null`) - Optional YAML string to specify tolerations. 1634 1635 - `nodeSelector` ((#v-terminatinggateways-defaults-nodeselector)) (`string: null`) - Optional YAML string to specify a nodeSelector config. 1636 1637 - `priorityClassName` ((#v-terminatinggateways-defaults-priorityclassname)) (`string: ""`) - Optional priorityClassName. 1638 1639 - `annotations` ((#v-terminatinggateways-defaults-annotations)) (`string: null`) - Annotations to apply to the terminating gateway deployment. Annotations defined 1640 here will be applied to all terminating gateway deployments in addition to any 1641 annotations defined for a specific gateway in `terminatingGateways.gateways`. 1642 1643 Example: 1644 1645 ```yaml 1646 annotations: | 1647 'annotation-key': annotation-value 1648 ``` 1649 1650 - `serviceAccount` ((#v-terminatinggateways-defaults-serviceaccount)) 1651 1652 - `annotations` ((#v-terminatinggateways-defaults-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the terminating gateways' service account. This should be 1653 formatted as a multi-line string. 1654 1655 ```yaml 1656 annotations: | 1657 "sample/annotation1": "foo" 1658 "sample/annotation2": "bar" 1659 ``` 1660 1661 - `consulNamespace` ((#v-terminatinggateways-defaults-consulnamespace)) (`string: default`) - <EnterpriseAlert inline /> `consulNamespace` defines the Consul namespace to register 1662 the gateway into. Requires `global.enableConsulNamespaces` to be true and 1663 Consul Enterprise v1.7+ with a valid Consul Enterprise license. 
1664 Note: The Consul namespace MUST exist before the gateway is deployed. 1665 1666 - `gateways` ((#v-terminatinggateways-gateways)) (`array<map>`) - Gateways is a list of gateway objects. The only required field for 1667 each is `name`, though they can also contain any of the fields in 1668 `defaults`. Values defined here override the defaults except in the 1669 case of annotations where both will be applied. 1670 1671 - `name` ((#v-terminatinggateways-gateways-name)) (`string: terminating-gateway`) 1672 1673### prometheus 1674 1675- `prometheus` ((#v-prometheus)) - Configures a demo Prometheus installation. 1676 1677 - `enabled` ((#v-prometheus-enabled)) (`boolean: false`) - When true, the Helm chart will install a demo Prometheus server instance 1678 alongside Consul. 1679 1680### tests 1681 1682- `tests` ((#v-tests)) - Control whether a test Pod manifest is generated when running helm template. 1683 When using helm install, the test Pod is not submitted to the cluster so this 1684 is only useful when running helm template. 1685 1686 - `enabled` ((#v-tests-enabled)) (`boolean: true`) 1687 <!-- codegen: end --> 1688 1689## Helm Chart Examples 1690 1691The below `config.yaml` results in a single server Consul cluster with a `LoadBalancer` to allow external access to the UI and API. 1692 1693```yaml 1694# config.yaml 1695server: 1696 replicas: 1 1697 bootstrapExpect: 1 1698 1699ui: 1700 service: 1701 type: LoadBalancer 1702``` 1703 1704The below `config.yaml` results in a three server Consul Enterprise cluster with 100GB of storage and automatic Connect injection. 1705 1706Note, this would require a secret that contains the enterprise license key. 
1707 1708```yaml 1709# config.yaml 1710global: 1711 image: 'hashicorp/consul-enterprise:1.4.2-ent' 1712 1713server: 1714 replicas: 3 1715 bootstrapExpect: 3 1716 enterpriseLicense: 1717 secretName: 'consul-license' 1718 secretKey: 'key' 1719 storage: 100Gi 1720 connect: true 1721 1722client: 1723 grpc: true 1724 1725connectInject: 1726 enabled: true 1727 default: false 1728``` 1729 1730## Customizing the Helm Chart 1731 1732Consul within Kubernetes is highly configurable and the Helm chart contains dozens 1733of the most commonly used configuration options. 1734If you need to extend the Helm chart with additional options, we recommend using a third-party tool, 1735such as [kustomize](https://github.com/kubernetes-sigs/kustomize) or [ship](https://github.com/replicatedhq/ship). 1736Note that the Helm chart heavily relies on Helm lifecycle hooks, and so features like bootstrapping ACLs or TLS 1737will not work as expected. Additionally, we can make changes to the internal implementation (e.g., renaming template files) that 1738may be backward incompatible with such customizations. 1739
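As an added example (not part of the chart or of this page), the script below checks a parsed values map against the constraints the reference above states for `connectInject`, `meshGateway` and `ingressGateways` before anything is installed. It assumes the values have already been loaded into plain dicts (for example with `yaml.safe_load`); the defaults it falls back on are the ones listed on this page, and the sample values are constructed to trip several checks at once.

```python
"""Sanity check for consul-helm values against constraints stated in the chart reference."""
from typing import Any, Dict, List

RESERVED_AGENT_PORTS = {8500, 8502}  # hostPort values the reference reserves for the Consul agent
WAN_SOURCES = {"Service", "NodeIP", "NodeName", "Static"}  # permitted meshGateway.wanAddress.source


def _get(values: Dict[str, Any], path: str, default: Any = None) -> Any:
    # Walk a dotted path through nested dicts, returning default when any part is absent.
    node: Any = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def check_mesh_gateway(values: Dict[str, Any]) -> List[str]:
    """meshGateway.wanAddress, service, hostPort and consulServiceName constraints."""
    findings: List[str] = []
    if not _get(values, "meshGateway.enabled", False):
        return findings
    source = _get(values, "meshGateway.wanAddress.source", "Service")
    svc_type = _get(values, "meshGateway.service.type", "LoadBalancer")
    if source == "Service":
        if svc_type == "ExternalName":
            findings.append("meshGateway: service.type=ExternalName is not supported")
        if svc_type == "NodePort" and _get(values, "meshGateway.service.nodePort") is None:
            findings.append("meshGateway: NodePort service with source=Service needs service.nodePort")
    elif source == "Static" and not _get(values, "meshGateway.wanAddress.static", ""):
        findings.append("meshGateway: wanAddress.source=Static needs wanAddress.static")
    elif source not in WAN_SOURCES:
        findings.append(f"meshGateway: unknown wanAddress.source {source!r}")
    host_port = _get(values, "meshGateway.hostPort")
    if host_port in RESERVED_AGENT_PORTS:
        findings.append(f"meshGateway: hostPort {host_port} is reserved for the Consul agent")
    host_net = _get(values, "meshGateway.hostNetwork", False)
    if host_net and host_port not in (None, _get(values, "meshGateway.containerPort", 8443)):
        findings.append("meshGateway: with hostNetwork=true, hostPort must be null or equal containerPort")
    managed_acls = _get(values, "global.acls.manageSystemACLs", False)
    if managed_acls and _get(values, "meshGateway.consulServiceName", "mesh-gateway") != "mesh-gateway":
        findings.append("meshGateway: consulServiceName must stay 'mesh-gateway' when manageSystemACLs is true")
    return findings


def check_ingress_gateways(values: Dict[str, Any]) -> List[str]:
    """Apply the defaults/gateways override rule, then the per-port NodePort requirement."""
    findings: List[str] = []
    if not _get(values, "ingressGateways.enabled", False):
        return findings
    defaults = _get(values, "ingressGateways.defaults", {}) or {}
    for gw in _get(values, "ingressGateways.gateways", []) or []:
        name = gw.get("name")
        if not name:
            findings.append("ingressGateways: every gateway needs a name")
        # Per-gateway fields replace the defaults; annotations are merged instead, so skip them here.
        merged = {**defaults, **{k: v for k, v in gw.items() if k != "annotations"}}
        svc = merged.get("service") or {}
        if svc.get("type") == "NodePort":
            for p in svc.get("ports") or []:
                if p.get("nodePort") is None:
                    findings.append(f"ingressGateways/{name}: NodePort service needs nodePort for port {p.get('port')}")
    return findings


def check_connect_inject(values: Dict[str, Any]) -> List[str]:
    """Flag a '*' deny list and an empty binding-rule selector (every service account may log in)."""
    findings: List[str] = []
    if "*" in (_get(values, "connectInject.k8sDenyNamespaces", []) or []):
        findings.append("connectInject.k8sDenyNamespaces: '*' is not supported")
    if _get(values, "connectInject.aclBindingRuleSelector", "serviceaccount.name!=default") == "":
        findings.append("connectInject.aclBindingRuleSelector is empty: all service accounts can log in")
    return findings


def check_values(values: Dict[str, Any]) -> List[str]:
    """Run every check over a parsed values map (e.g. the result of yaml.safe_load)."""
    return check_mesh_gateway(values) + check_ingress_gateways(values) + check_connect_inject(values)


# Constructed sample values (not from the page) that trip several checks at once.
SAMPLE_VALUES: Dict[str, Any] = {
    "global": {"acls": {"manageSystemACLs": True}},
    "connectInject": {"enabled": True, "k8sDenyNamespaces": ["*"], "aclBindingRuleSelector": ""},
    "meshGateway": {"enabled": True, "wanAddress": {"source": "Service"}, "service": {"type": "NodePort"},
                    "hostPort": 8500, "consulServiceName": "mgw"},
    "ingressGateways": {"enabled": True,
                        "defaults": {"service": {"type": "NodePort", "ports": [{"port": 8080}, {"port": 8443}]}},
                        "gateways": [{"name": "public"}, {"name": "pinned", "service": {
                            "type": "NodePort", "ports": [{"port": 8080, "nodePort": 30080}]}}]},
}
```

Running `check_values(SAMPLE_VALUES)` returns seven findings; a values map that satisfies the documented constraints returns an empty list.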