1--- 2layout: docs 3page_title: Helm Chart Reference - Kubernetes 4sidebar_title: Helm Chart Reference 5description: Reference for the Consul Helm chart. 6--- 7 8# Helm Chart Reference 9 10## Configuration (Values) 11 12The chart is highly customizable using 13[Helm configuration values](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). 14Each value has a sane default tuned for an optimal getting started experience 15with Consul. Before going into production, please review the parameters below 16and consider if they're appropriate for your deployment. 17 18- `global` ((#v-global)) - Holds values that affect multiple components of the chart. 19 20 - `enabled` ((#v-global-enabled)) (`boolean: true`) - The master enabled/disabled setting. If true, servers, 21 clients, Consul DNS and the Consul UI will be enabled. Each component can override 22 this default via its component-specific "enabled" config. If false, no components 23 will be installed by default and per-component opt-in is required, such as by 24 setting [`server.enabled`](#v-server-enabled) to true. 25 26 - `name` ((#v-global-name)) (`string: null`) - Set the prefix used for all resources in the Helm chart. If not set, the prefix will be `<helm release name>-consul`. 27 28 - `domain` ((#v-global-domain)) (`string: "consul"`) - The domain Consul will answer DNS queries for (see [-domain](/docs/agent/options#_domain)) and the domain services synced from 29 Consul into Kubernetes will have, e.g. `service-name.service.consul`. 30 31 - `image` ((#v-global-image)) (`string: "consul:<latest version>"`) - The name (and tag) of the Consul Docker image for clients and servers. This can be overridden per component. This should be pinned to a specific version tag, otherwise you may inadvertently upgrade your Consul version. 32 33 Examples: 34 35 ```yaml 36 # Consul 1.5.0 37 image: "consul:1.5.0" 38 # Consul Enterprise 1.5.0 39 image: "hashicorp/consul-enterprise:1.5.0-ent" 40 ``` 41 42 - `imageK8S` ((#v-global-imagek8s)) (`string: "hashicorp/consul-k8s:<latest version>"`) - The name (and tag) of the [consul-k8s](https://github.com/hashicorp/consul-k8s) Docker image that is used for functionality such the catalog sync. This can be overridden per component. 43 44 Note: support for the catalog sync's liveness and readiness probes was added to consul-k8s 0.6.0. If using an older consul-k8s version, you may need to remove these checks to make sync work. If using mesh gateways and bootstrapACLs then must be >= 0.9.0. 45 46 - `datacenter` ((#v-global-datacenter)) (`string: "dc1"`) - The name of the datacenter that the agents should 47 register as. This can't be changed once the Consul cluster is up and running since Consul 48 doesn't support an automatic way to change this value currently: [https://github.com/hashicorp/consul/issues/1858](https://github.com/hashicorp/consul/issues/1858). 49 50 - `enablePodSecurityPolicies` ((#v-global-enablepodsecuritypolicies)) (`boolean: false`) - Controls whether pod 51 security policies are created for the Consul components created by this chart. See [https://kubernetes.io/docs/concepts/policy/pod-security-policy/](https://kubernetes.io/docs/concepts/policy/pod-security-policy/). 52 53 - `gossipEncryption` ((#v-global-gossipencryption)) - Configures which Kubernetes secret to retrieve Consul's 54 gossip encryption key from (see [-encrypt](/docs/agent/options#_encrypt)). If secretName or 55 secretKey are not set, gossip encryption will not be enabled. The secret must 56 be in the same namespace that Consul is installed into. 57 58 The secret can be created by running: 59 60 ```shell 61 $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) 62 # To reference, use: 63 # gossipEncryption: 64 # secretName: consul-gossip-encryption-key 65 # secretKey: key 66 ``` 67 68 - `secretName` ((#v-global-gossipencryption-secretname)) (`string: ""`) - The name of the Kubernetes secret 69 that holds the gossip encryption key. The secret must be in the same namespace that Consul is installed 70 into. 71 72 - `secretKey` ((#v-global-gossipencryption-secretkey)) (`string: ""`) - The key within the Kubernetes secret 73 that holds the gossip encryption key. 74 75 - `enableConsulNamespaces` ((#v-global-enableconsulnamespaces)) (`boolean: false`) <EnterpriseAlert inline /> - 76 `enableConsulNamespaces` indicates that you are running Consul Enterprise v1.7+ with a valid Consul 77 Enterprise license and would like to make use of configuration beyond registering everything into 78 the `default` Consul namespace. Requires consul-k8s v0.12+. Additional configuration 79 options are found in the `consulNamespaces` section of both the catalog sync 80 and connect injector. 81 82 - `bootstrapACLs` ((#v-global-bootstrapacls)) (`boolean: false`) - **[DEPRECATED]** Use `global.acls.manageSystemACLs` instead. 83 84 - `acls` ((#v-global-acls)) - Configure ACLs. 85 86 - `manageSystemACLs` ((#v-global-acls-managesystemacls)) (`boolean: false`) - If true, the Helm chart will automatically manage ACL tokens and policies for all Consul and consul-k8s components. 87 This requires servers to be running inside Kubernetes. Additionally requires Consul >= 1.4 and consul-k8s >= 0.14.0. 88 89 - `bootstrapToken` ((#v-global-acls-bootstraptoken)) - A Kubernetes secret containing the bootstrap token to use for 90 creating policies and tokens for all Consul and consul-k8s components. 91 If set, we will skip ACL bootstrapping of the servers and will only initialize ACLs for the Consul clients and consul-k8s system components. 92 Requires consul-k8s >= 0.14.0. 93 94 - `secretName` ((#v-global-acls-bootstraptoken-secretname)) (`string: null`) - The name of the Kubernetes secret. 95 96 - `secretKey` ((#v-global-acls-bootstraptoken-secretkey)) (`string: null`) - The key of the Kubernetes secret. 97 98 - `tls` ((#v-global-tls)) - Enables TLS [encryption](https://learn.hashicorp.com/consul/security-networking/agent-encryption) across the cluster to verify authenticity of the Consul servers and clients. Requires Consul v1.4.1+ and consul-k8s v0.16.2+ 99 100 - `enabled` ((#v-global-tls-enabled)) (`boolean: false`) - If true, the Helm chart will enable TLS for Consul 101 servers and clients and all consul-k8s components, as well as generate certificate 102 authority (optional) and server and client certificates. 103 104 - `enableAutoEncrypt` ((#v-global-tls-enableAutoEncrypt)) (`boolean: false`) - If true, turns on the auto-encrypt feature on clients and servers. 105 It also switches consul-k8s components to retrieve the CA from the servers via the API. Requires Consul 1.7.1+ and consul-k8s 0.13.0 106 107 - `serverAdditionalDNSSANs` ((#v-global-serveradditionaldnsssans)) (`array<string>: []`) - A list of additional DNS names to set as Subject Alternative Names (SANs) in the server certificate. This is useful when you need to access the Consul server(s) externally, for example, if you're using the UI. 108 109 - `serverAdditionalIPSANs` ((#v-global-serveradditionalipsans)) (`array<string>: []`) - A list of additional IP addresses to set as Subject Alternative Names (SANs) in the server certificate. This is useful when you need to access the Consul server(s) externally, for example, if you're using the UI. 110 111 - `verify` ((#v-global-verify)) (`boolean: true`) - If true, `verify_outgoing`, `verify_server_hostname`, 112 and `verify_incoming_rpc` will be set to `true` for Consul servers and clients. 113 Set this to false to incrementally roll out TLS on an existing Consul cluster. 114 Please see [Configuring TLS on an Existing Cluster](/docs/platform/k8s/tls-on-existing-cluster) 115 for more details. 116 117 - `httpsOnly` ((#v-global-httpsonly)) (`boolean: true`) - If true, the Helm chart will configure Consul 118 to disable the HTTP port on both clients and servers and to only accept HTTPS connections. 119 120 - `caCert` ((#v-global-cacert)) - A Kubernetes secret containing the certificate of the CA to use for 121 TLS communication within the Consul cluster. If you have generated the CA yourself 122 with the consul CLI, you could use the following command to create the secret 123 in Kubernetes: 124 125 ```bash 126 kubectl create secret generic consul-ca-cert \ 127 --from-file='tls.crt=./consul-agent-ca.pem' 128 ``` 129 130 - `secretName` ((#v-global-cacert-secretname)) (`string: null`) - The name of the Kubernetes secret. 131 132 - `secretKey` ((#v-global-cacert-secretkey)) (`string: null`) - The key of the Kubernetes secret. 133 134 - `caKey` ((#v-global-cakey)) - A Kubernetes secret containing the private key of the CA to use for 135 TLS communication within the Consul cluster. If you have generated the CA yourself 136 with the consul CLI, you could use the following command to create the secret 137 in Kubernetes: 138 139 ```bash 140 kubectl create secret generic consul-ca-key \ 141 --from-file='tls.key=./consul-agent-ca-key.pem' 142 ``` 143 144 - `secretName` ((#v-global-cakey-secretname)) (`string: null`) - The name of the Kubernetes secret. 145 146 - `secretKey` ((#v-global-cakey-secretkey)) (`string: null`) - The key of the Kubernetes secret. 147 148- `server` ((#v-server)) - Values that configure running a Consul server within Kubernetes. 149 150 - `enabled` ((#v-server-enabled)) (`boolean: global.enabled`) - If true, the chart will install all 151 the resources necessary for a Consul server cluster. If you're running Consul externally and 152 want agents within Kubernetes to join that cluster, this should probably be false. 153 154 - `image` ((#v-server-image)) (`string: global.image`) - The name of the Docker image (including any 155 tag) for the containers running Consul server agents. 156 157 - `replicas` ((#v-server-replicas)) (`integer: 3`) -The number of server agents to run. This 158 determines the fault tolerance of the cluster. Please see the [deployment table](/docs/internals/consensus#deployment-table) 159 for more information. 160 161 - `bootstrapExpect` ((#v-server-bootstrapexpect)) (`integer: 3`) - For new clusters, this is the 162 number of servers to wait for before performing the initial leader election and bootstrap of the cluster. This must be less than or equal to `server.replicas`. This value is only used 163 when bootstrapping new clusters, it has no effect during ongoing cluster maintenance. 164 165 - `enterpriseLicense` ((#v-server-enterpriselicense)) <EnterpriseAlert inline /> - This value refers to a 166 Kubernetes secret that you have created that contains your enterprise license. It is required if you are using an enterprise binary. Defining it here applies it to your cluster once a leader 167 has been elected. If you are not using an enterprise image or if you plan to 168 introduce the license key via another route, then set these fields to null. 169 170 - `secretName` ((#v-global-enterpriselicense-secretname)) (`string: null`) - The name of the 171 Kubernetes secret that holds the enterprise license. The secret must be in the same namespace that Consul is installed into. 172 173 - `secretKey` ((#v-global-enterpriselicense-secretkey)) (`string: null`) - The key within the 174 Kubernetes secret that holds the enterprise license. 175 176 - `storage` ((#v-server-storage)) (`string: 10Gi`) - This defines the disk size for configuring the 177 servers' StatefulSet storage. For dynamically provisioned storage classes, this is the 178 desired size. For manually defined persistent volumes, this should be set to 179 the disk size of the attached volume. 180 181 - `storageClass` ((#v-server-storageclass)) (`string: null`) - The StorageClass to use for the 182 servers' StatefulSet storage. It must be able to be dynamically provisioned if you want the storage 183 to be automatically created. For example, to use [Local](https://kubernetes.io/docs/concepts/storage/storage-classes/#local) 184 storage classes, the PersistentVolumeClaims would need to be manually created. 185 A `null` value will use the Kubernetes cluster's default StorageClass. If a default 186 StorageClass does not exist, you will need to create one. 187 188 - `connect` ((#v-server-connect)) (`boolean: true`) - This will enable/disable [Connect](/docs/connect). Setting this to true _will not_ automatically secure pod communication, this 189 setting will only enable usage of the feature. Consul will automatically initialize 190 a new CA and set of certificates. Additional Connect settings can be configured 191 by setting the `server.extraConfig` value. 192 193 - `resources` ((#v-server-resources)) (`string: null`) - The resource requests (CPU, memory, etc.) 194 for each of the server agents. This should be a multi-line string mapping directly to a Kubernetes 195 [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) 196 object. If this isn't specified, then the pods won't request any specific amount 197 of resources. **Setting this is highly recommended.** 198 199 ```yaml 200 # Resources are defined as a formatted multi-line string: 201 resources: | 202 requests: 203 memory: "10Gi" 204 limits: 205 memory: "10Gi" 206 ``` 207 208 - `updatePartition` ((#v-server-updatepartition)) (`integer: 0`) - This value is used to carefully 209 control a rolling update of Consul server agents. This value specifies the [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) 210 for performing a rolling update. Please read the linked Kubernetes documentation 211 for more information. 212 213 - `disruptionBudget` ((#v-server-disruptionbudget)) - This configures the [PodDisruptionBudget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) for the server cluster. 214 215 - `enabled` ((#v-server-disruptionbudget-enabled)) (`boolean: true`) - This will enable/disable 216 registering a PodDisruptionBudget for the server cluster. If this is enabled, it will only register the budget so long as the server cluster is enabled. 217 218 - `maxUnavailable` ((#v-server-disruptionbudget-maxunavailable)) (`integer: null`) - The maximum 219 number of unavailable pods. By default, this will be automatically computed based on the `server.replicas` value to be `(n/2)-1`. If you need to set this to `0`, you will need to add a `--set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation 220 command because of a limitation in the Helm templating language. 221 222 - `extraConfig` ((#v-server-extraconfig)) (`string: "{}"`) - A raw string of extra JSON 223 [configuration](/docs/agent/options) for Consul servers. This will be saved as-is into a ConfigMap that is read by the Consul server agents. This can be used to add additional configuration that isn't directly exposed by the chart. 224 225 ```yaml 226 # ExtraConfig values are formatted as a multi-line string: 227 extraConfig: | 228 { 229 "log_level": "DEBUG" 230 } 231 ``` 232 233 This can also be set using Helm's `--set` flag (consul-helm v0.7.0 and later), using the following syntax: 234 235 ```shell 236 --set 'server.extraConfig="{"log_level": "DEBUG"}"' 237 ``` 238 239 - `extraVolumes` ((#v-server-extravolumes)) (`array: []`) - A list of extra volumes to mount for server agents. This 240 is useful for bringing in extra data that can be referenced by other configurations 241 at a well known path, such as TLS certificates or Gossip encryption keys. The 242 value of this should be a list of objects. Each object supports the following 243 keys: 244 245 - `type` ((#v-server-extravolumes-type)) (`string: required`) - Type of the volume, must be one of 246 "configMap" or "secret". Case sensitive. 247 248 - `name` ((#v-server-extravolumes-name)) (`string: required`) - Name of the configMap or secret to 249 be mounted. This also controls the path that it is mounted to. The volume will be mounted to `/consul/userconfig/<name>`. 250 251 - `load` ((#v-server-extravolumes-load)) (`boolean: false`) - If true, then the agent will be 252 configured to automatically load HCL/JSON configuration files from this volume with `-config-dir`. This defaults to false. 253 254 ```yaml 255 extraVolumes: 256 - type: "secret" 257 name: "consul-certs" 258 load: false 259 ``` 260 261 - `affinity` ((#v-server-affinity)) (`string`) - This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) 262 for server pods. It defaults to allowing only a single pod on each node, which 263 minimizes risk of the cluster becoming unusable if a node is lost. If you need 264 to run more pods per node (for example, testing on Minikube), set this value 265 to `null`. 266 267 ```yaml 268 # Recommended default server affinity: 269 affinity: | 270 podAntiAffinity: 271 requiredDuringSchedulingIgnoredDuringExecution: 272 - labelSelector: 273 matchLabels: 274 app: {{ template "consul.name" . }} 275 release: "{{ .Release.Name }}" 276 component: server 277 topologyKey: kubernetes.io/hostname 278 ``` 279 280 - `tolerations` ((#v-server-tolerations)) (`string: ""`) - Toleration settings for server pods. This 281 should be a multi-line string matching the [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. 282 283 - `nodeSelector` ((#v-server-nodeselector)) (`string: null`) - This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) 284 labels for server pod assignment, formatted as a multi-line string. 285 286 ```yaml 287 nodeSelector: | 288 beta.kubernetes.io/arch: amd64 289 ``` 290 291 - `priorityClassName` ((#v-server-priorityclassname)) (`string`) - This value references an existing 292 Kubernetes [priorityClassName](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) that can be assigned to server pods. 293 294 - `annotations` ((#v-server-annotations)) (`string`) - This value defines additional annotations for 295 server pods. This should be a formatted as a multi-line string. 296 297 ```yaml 298 annotations: | 299 "sample/annotation1": "foo" 300 "sample/annotation2": "bar" 301 ``` 302 303 - `service` ((#v-server-service)) - Server service properties 304 305 - `annotations` ((#v-server-service-annotations)) Annotations to apply to the server service. 306 307 ```yaml 308 annotations: | 309 "annotation-key": "annotation-value" 310 ``` 311 312- `externalServers` ((#v-externalservers)) - Configuration for Consul servers when the servers are running outside of Kubernetes. 313 When running external servers, configuring these values is recommended 314 if setting `global.tls.enableAutoEncrypt` to true (requires consul-k8s >= 0.13.0) 315 or `global.acls.manageSystemACLs` to true (requires consul-k8s >= 0.14.0). 316 317 - `enabled` ((#v-externalservers-enabled)) (`boolean: false`) - If true, the Helm chart will be configured to talk to the external servers. 318 If setting this to true, you must also set `server.enabled` to false. 319 320 - `hosts` ((#v-externalservers-hosts)) (`array<string>: null`) - An array of external Consul server hosts that are used to make 321 HTTPS connections from the components in this Helm chart. 322 Valid values include IPs, DNS names, or Cloud auto-join string. 323 The port must be provided separately below. 324 Note: `client.join` must also be set to the hosts that should be 325 used to join the cluster. In most cases, the `client.join` values 326 should be the same, however, they may be different if you 327 wish to use separate hosts for the HTTPS connections. 328 329 - `httpsPort` ((#v-externalservers-httpsport)) (`integer: 8501`) - The HTTPS port of the Consul servers. 330 331 - `tlsServerName` ((#v-externalservers-tlsservername)) (`string: null`) - The server name to use as the SNI host header when connecting with HTTPS. 332 333 - `useSystemRoots` ((#v-externalservers-usesystemroots)) (`boolean: false`) - If true, the Helm chart will ignore the CA set in `global.tls.caCert` 334 and will rely on the container's system CAs for TLS verification when talking to Consul servers. Otherwise, the chart will use `global.tls.caCert`. 335 336 - `k8sAuthMethodHost` ((#v-externalservers-k8sauthmethodhost)) (`string: null`) - If you are setting `global.acls.manageSystemACLs` and 337 `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server. 338 This address must be reachable from the Consul servers. 339 Please see the [Kubernetes Auth Method documentation](https://www.consul.io/docs/acl/auth-methods/kubernetes.html). Requires consul-k8s >= 0.14.0. 340 341 You could retrieve this value from your `kubeconfig` by running: 342 343 ```shell 344 kubectl config view \ 345 -o jsonpath="{.clusters[?(@.name=='<your cluster name>')].cluster.server}" 346 ``` 347 348- `client` ((#v-client)) - Values that configure running a Consul client on Kubernetes nodes. 349 350 - `enabled` ((#v-client-enabled)) (`boolean: global.enabled`) - If true, the chart will install all 351 the resources necessary for a Consul client on every Kubernetes node. This _does not_ require 352 `server.enabled`, since the agents can be configured to join an external cluster. 353 354 - `image` ((#v-client-image)) (`string: global.image`) - The name of the Docker image (including any 355 tag) for the containers running Consul client agents. 356 357 - `join` ((#v-client-join)) (`array<string>: null`) - A list of valid [`-retry-join` values](/docs/agent/options#retry-join). If this is `null` (default), then the clients will attempt to automatically join the server cluster running within Kubernetes. This means that with `server.enabled` set to true, clients will automatically join that cluster. If `server.enabled` is not true, then a value must be specified so the clients can join a valid cluster. 358 359 - `dataDirectoryPath` ((#v-client-datadirectorypath)) (`string: null`) - An absolute path to a 360 directory on the host machine to use as the Consul client data directory. If set to the empty string or null, the Consul agent will store its data in the Pod's local filesystem (which will 361 be lost if the Pod is deleted). Security Warning: If setting this, Pod Security 362 Policies _must_ be enabled on your cluster and in this Helm chart (via the global.enablePodSecurityPolicies setting) to prevent other Pods from mounting the same host path and gaining access to all of Consul's data. Consul's data is not encrypted at rest. 363 364 - `grpc` ((#v-client-grpc)) (`boolean: true`) - If true, agents will enable their GRPC listener on 365 port 8502 and expose it to the host. This will use slightly more resources, but is 366 required for [Connect](/docs/platform/k8s/connect). 367 368 - `exposeGossipPorts` ((#v-client-exposegossipports)) (`boolean: false`) - If true, the Helm chart 369 will expose the clients' gossip ports as hostPorts. This is only necessary if pod IPs in the k8s cluster are not directly routable and the Consul servers are outside of the k8s cluster. 370 This also changes the clients' advertised IP to the `hostIP` rather than `podIP`. 371 372 - `resources` ((#v-client-resources)) (`string: null`) - The resource requests (CPU, memory, etc.) 373 for each of the client agents. This should be a multi-line string mapping directly to a Kubernetes 374 [ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) object. If this isn't specified, then the pods won't request any specific amount of resources. 375 376 ```yaml 377 # Resources are defined as a formatted multi-line string: 378 resources: | 379 requests: 380 memory: "10Gi" 381 limits: 382 memory: "10Gi" 383 ``` 384 385 - `extraConfig` ((#v-client-extraconfig)) (`string: "{}"`) - A raw string of extra JSON 386 [configuration](/docs/agent/options) for Consul clients. This will be saved as-is into a ConfigMap that is read by the Consul agents. This can be used to add additional configuration that isn't directly exposed by the chart. 387 388 ```yaml 389 # ExtraConfig values are formatted as a multi-line string: 390 extraConfig: | 391 { 392 "log_level": "DEBUG" 393 } 394 ``` 395 396 This can also be set using Helm's `--set` flag (consul-helm v0.7.0 and later), using the following syntax: 397 398 ```shell 399 --set 'client.extraConfig="{"log_level": "DEBUG"}"' 400 ``` 401 402 - `extraVolumes` ((#v-client-extravolumes)) (`array: []`) - A list of extra volumes to mount for 403 client agents. This is useful for bringing in extra data that can be referenced by other configurations at a well known path, such as TLS certificates or Gossip encryption keys. The 404 value of this should be a list of objects. Each object supports the following 405 keys: 406 407 - `type` ((#v-client-extravolumes-type)) (`string: required`) - Type of the volume, must be one of 408 "configMap" or "secret". Case sensitive. 409 410 - `name` ((#v-client-extravolumes-name)) (`string: required`) - Name of the configMap or secret to 411 be mounted. This also controls the path that it is mounted to. The volume will be mounted to `/consul/userconfig/<name>`. 412 413 - `load` ((#v-client-extravolumes-load)) (`boolean: false`) - If true, then the agent will be 414 configured to automatically load HCL/JSON configuration files from this volume with `-config-dir`. This defaults to false. 415 416 ```yaml 417 extraVolumes: 418 - type: 'secret' 419 name: 'consul-certs' 420 load: false 421 ``` 422 423 - `tolerations` ((#v-client-tolerations)) (`string: ""`) - Toleration Settings for client pods. This 424 should be a multi-line string matching the Toleration array in a Pod spec. The example below will allow client pods to run on every node regardless of taints. 425 426 ```yaml 427 tolerations: | 428 - operator: "Exists" 429 ``` 430 431 - `nodeSelector` ((#v-client-nodeselector)) (`string: null`) - Labels for client pod assignment, 432 formatted as a multi-line string. Please see [Kubernetes docs](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more details. 433 434 ```yaml 435 nodeSelector: | 436 beta.kubernetes.io/arch: amd64 437 ``` 438 439 - `priorityClassName` ((#v-client-priorityclassname)) (`string: ""`) - This value references an 440 existing Kubernetes [priorityClassName](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) that can be assigned to client pods. 441 442 - `annotations` ((#v-client-annotations)) (`string: null`) - This value defines additional 443 annotations for client pods. This should be a formatted as a multi-line string. 444 445 ```yaml 446 annotations: | 447 "sample/annotation1": "foo" 448 "sample/annotation2": "bar" 449 ``` 450 451 - `dnsPolicy` ((#v-client-dnspolicy)) (`string: null`) - This value defines the [Pod DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) 452 for client pods to use. 453 454 - `updateStrategy` ((#v-client-updatestrategy)) (`string: null`) - The [update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) 455 for the client `DaemonSet`. 456 457 ```yaml 458 updateStrategy: | 459 rollingUpdate: 460 maxUnavailable: 5 461 type: RollingUpdate 462 ``` 463 464 - `snapshotAgent` ((#v-client-snapshotagent)) <EnterpriseAlert inline /> - Values for setting up and running [snapshot agents](/docs/commands/snapshot/agent) 465 within the Consul clusters. They are required to be co-located with Consul clients, 466 so will inherit the clients' nodeSelector, tolerations and affinity. 467 468 - `enabled` ((#v-client-snapshotagent-enabled)) (`boolean: false`) - If true, the chart will 469 install resources necessary to run the snapshot agent. 470 471 - `replicas` ((#v-client-snapshotagent-replicas)) (`integer: 2`) - The number of snapshot agents 472 to run. 473 474 - `configSecret` ((#v-client-snapshotagent-configsecret)) - A Kubernetes secret that should be 475 manually created to contain the entire config to be used on the snapshot agent. This is the preferred method of configuration since there are usually storage credentials present. Please see [Snapshot agent config](/docs/commands/snapshot/agent#config-file-options) for details. 476 477 - secretName ((#v-client-snapshotagent-configsecret-secretname)) `(string: null)` - The name of the Kubernetes secret. 478 479 - secretKey ((#v-client-snapshotagent-configsecret-secretkey)) `(string: null)` - The key of the Kubernetes secret. 480 481- `dns` ((#v-dns)) - Values that configure Consul DNS service. 482 483 - `enabled` ((#v-dns-enabled)) (`boolean: global.enabled`) - If true, a `consul-dns` service will be 484 created that exposes port 53 for TCP and UDP to the running Consul agents (servers and 485 clients). This can then be used to [configure kube-dns](/docs/platform/k8s/dns). 486 The Helm chart _does not_ automatically configure kube-dns. 487 488 - `clusterIP` ((#v-dns-clusterip)) (`string: null`) - If defined, this value configures the cluster 489 IP of the DNS service. 490 491 - `annotations` ((#v-dns-annotations)) (`string: null`) - Extra annotations to attach to the DNS 492 service. This should be a multi-line string of annotations to apply to the DNS service. 493 494- `syncCatalog` ((#v-synccatalog)) - Values that configure the [service sync](/docs/platform/k8s/service-sync) process. 495 496 - `enabled` ((#v-synccatalog-enabled)) (`boolean: false`) - If true, the chart will install all the 497 resources necessary for the catalog sync process to run. 498 499 - `image` ((#v-synccatalog-image)) (`string: global.imageK8S`) - The name of the Docker image 500 (including any tag) for [consul-k8s](/docs/platform/k8s#getting-started-with-consul-and-kubernetes) 501 to run the sync program. 502 503 - `default` ((#v-synccatalog-default)) (`boolean: true`) - If true, all valid services in K8S are 504 synced by default. If false, the service must be [annotated](/docs/platform/k8s/service-sync#sync-enable-disable) properly to sync. In either case an annotation can override the default. 505 506 - `toConsul` ((#v-synccatalog-toconsul)) (`boolean: true`) - If true, will sync Kubernetes services 507 to Consul. This can be disabled to have a one-way sync. 508 509 - `toK8S` ((#v-synccatalog-tok8s)) (`boolean: true`) - If true, will sync Consul services to 510 Kubernetes. This can be disabled to have a one-way sync. 511 512 - `k8sPrefix` ((#v-synccatalog-k8sprefix)) (`string: ""`) - A prefix to prepend to all services 513 registered in Kubernetes from Consul. This defaults to `""` where no prefix is prepended; Consul services are synced with the same name to Kubernetes. (Consul -> Kubernetes sync only) 514 515 - `k8sAllowNamespaces` ((#v-synccatalog-k8sallownamespaces)) (`[]string: ["*"]`) - list of k8s 516 namespaces to sync the k8s services from. If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`, services in that k8s namespace will not be synced even if they are explicitly annotated. Use `["*"]` to automatically allow all k8s namespaces. For example, 517 `["namespace1", "namespace2"]` will only allow services in the k8s namespaces 518 `namespace1` and `namespace2` to be synced and registered with Consul. All other 519 k8s namespaces will be ignored. Note: `k8sDenyNamespaces` takes precedence over 520 values defined here. Requires consul-k8s v0.12+ 521 - `k8sDenyNamespaces` ((#v-synccatalog-k8sdenynamespaces)) (`[]string: ["kube-system", "kube-public"]` - list of k8s namespaces that should not have their services synced. This list takes precedence over `k8sAllowNamespaces`. `*` is not supported because then nothing would be allowed to sync. Requires consul-k8s v0.12+. 522 523 For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` and `namespace2` will be synced. 524 525 - `k8sSourceNamespace` ((#v-synccatalog-k8ssourcenamespace)) (`string: ""`) - **[DEPRECATED] Use 526 `k8sAllowNamespaces` and `k8sDenyNamespaces` instead.** `k8sSourceNamespace` is the Kubernetes namespace to watch for service changes and sync to Consul. If this is not set then it will default to all namespaces. 527 528 - `consulNamespaces` ((#v-synccatalog-consulnamespaces)) <EnterpriseAlert inline /> - These settings manage 529 the catalog sync's interaction with Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+). Also, `global.enableConsulNamespaces` must be true. 530 531 - `consulDestinationNamespace` ((#v-synccatalog-consulnamespaces-consuldestinationnamespace)) (`string: "default"`) - Name of the Consul namespace to register all k8s 532 services into. If the Consul namespace does not already exist, it will be created. 533 This will be ignored if `mirroringK8S` is true. 534 535 - `mirroringK8S` ((#v-synccatalog-consulnamespaces-mirroringk8s)) (`bool: false`) - causes k8s 536 services to be registered into a Consul namespace of the same name as their k8s namespace, optionally prefixed if `mirroringK8SPrefix` is set below. If the Consul namespace does not already exist, it will be created. Turning this on overrides the `consulDestinationNamespace` setting. `addK8SNamespaceSuffix` may no longer be needed if enabling this option. 537 538 - `mirroringK8SPrefix` ((#v-synccatalog-consulnamespaces-mirroringk8sprefix)) (`string: ""`) - If 539 `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace to be given a prefix. For example, if `mirroringK8SPrefix` is set to `"k8s-"`, a service in the k8s `staging` namespace will be registered into the `k8s-staging` Consul namespace. 540 541 - `addK8SNamespaceSuffix` ((#v-synccatalog-addk8snamespacesuffix)) (`boolean: true`) - If true, sync catalog will append Kubernetes namespace suffix to each service name synced to Consul, separated by a dash. For example, for a service `foo` in the `default` namespace, the sync process will create a Consul service named `foo-default`. Set this flag to true to avoid registering services with the same name but in different namespaces as instances for the same Consul service. Namespace suffix is not added if `annotationServiceName` is provided. 542 543 - `consulPrefix` ((#v-synccatalog-consulPrefix)) (`string: ""`) - A prefix to prepend to all services registered in Consul from Kubernetes. This defaults to `""` where no prefix is prepended. Service names within Kubernetes remain unchanged. (Kubernetes -> Consul sync only) The prefix is ignored if `annotationServiceName` is provided. 544 545 - `k8sTag` ((#v-synccatalog-k8stag)) (`string: null`) - An optional tag that is applied to all of the Kubernetes services that are synced into Consul. If nothing is set, this defaults to "k8s". (Kubernetes -> Consul sync only) 546 547 - `syncClusterIPServices` ((#v-synccatalog-syncclusteripservices)) (`boolean: true`) - If true, will 548 sync Kubernetes ClusterIP services to Consul. This can be disabled to have the sync ignore ClusterIP-type services. 549 550 - `nodePortSyncType` ((#v-synccatalog-nodeportsynctype)) (`string: ExternalFirst`) - Configures the 551 type of syncing that happens for NodePort services. The only valid options are: `ExternalOnly`, `InternalOnly`, and `ExternalFirst`. `ExternalOnly` will only use a node's ExternalIP address 552 for the sync, otherwise the service will not be synced. `InternalOnly` uses the 553 node's InternalIP address. `ExternalFirst` will preferentially use the node's 554 ExternalIP address, but if it doesn't exist, it will use the node's InternalIP 555 address instead. 556 557 - `aclSyncToken` ((#v-synccatalog-acl-sync-token)) - references a Kubernetes [secret](https://kubernetes.io/docs/concepts/configuration/secret/#creating-your-own-secrets) 558 that contains an existing Consul ACL token. This will provide the sync process 559 the correct permissions. This is only needed if ACLs are enabled on the Consul 560 cluster. 561 562 - `secretName` ((#v-synccatalog-acl-sync-token-secret-name)) `(string: null)` - The name of the Kubernetes secret. This defaults to null. 563 564 - `secretKey` ((#v-synccatalog-acl-sync-token-secret-key)) `(string: null)` - The key for the Kubernetes secret. This defaults to null. 565 566 - `nodeSelector` ((#v-synccatalog-nodeselector)) (`string: null`) - This value defines 567 [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) labels for `syncCatalog` pod assignment, formatted as a multi-line string. 568 569 ```yaml 570 nodeSelector: | 571 beta.kubernetes.io/arch: amd64 572 ``` 573 574 - `logLevel` ((#v-synccatalog-loglevel)) (`string: info`) - Log verbosity level. One of "trace", 575 "debug", "info", "warn", or "error". 576 577 - `consulWriteInterval` ((#v-synccatalog-consulwriteinterval)) (`string: null`) - Override the default interval to perform syncing operations creating Consul services. 578 579- `ui` ((#v-ui)) - Values that configure the Consul UI. 580 581 - `enabled` ((#v-ui-enabled)) (`boolean: global.enabled`) - If true, the UI will be enabled. This will 582 only _enable_ the UI, it doesn't automatically register any service for external 583 access. The UI will only be enabled on server agents. If `server.enabled` is 584 false, then this setting has no effect. To expose the UI in some way, you must 585 configure `ui.service`. 586 587 - `service` ((#v-ui-service)) - This configures the `Service` resource registered for the Consul UI. 588 589 - `enabled` ((#v-ui-service-enabled)) (`boolean: true`) - This will enable/disable registering a 590 Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is 591 true and taking effect. 592 593 - `type` ((#v-ui-service-type)) (`string: null`) - The service type to register. This defaults to 594 `null` which doesn't set an explicit service type, which typically is defaulted to 595 "ClusterIP" by Kubernetes. The available service types are documented on [the 596 Kubernetes website](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). 597 598 - `annotations` ((#v-ui-service-annotations)) (`string: null`) - Annotations to apply to the UI 599 service. 600 601 ```yaml 602 annotations: | 603 "annotation-key": "annotation-value" 604 ``` 605 606 - `additionalSpec` ((#v-ui-service-additionalspec)) (`string: null`) - Additional Service spec 607 values. This should be a multi-line string mapping directly to a Kubernetes `Service` object. 608 609- `connectInject` ((#v-connectinject)) - Values that configure running the [Connect injector](/docs/platform/k8s/connect). 610 611 - `enabled` ((#v-connectinject-enabled)) (`boolean: false`) - If true, the chart will install all the 612 resources necessary for the Connect injector process to run. This will enable the injector but will 613 require pods to opt-in with an annotation by default. 614 615 - `image` ((#v-connectinject-image)) (`string: global.imageK8S`) - The name of the Docker image 616 (including any tag) for the [consul-k8s](https://github.com/hashicorp/consul-k8s) binary. 617 618 - `default` ((#v-connectinject-default)) (`boolean: false`) - If true, the injector will inject the 619 Connect sidecar into all pods by default. Otherwise, pods must specify the. [injection annotation](/docs/platform/k8s/connect#consul-hashicorp-com-connect-inject) 620 to opt-in to Connect injection. If this is true, pods can use the same annotation 621 to explicitly opt-out of injection. 622 623 - `imageConsul` ((#v-connectinject-imageConsul)) (`string: global.image`) - The name of the Docker 624 image (including any tag) for Consul. This is used for proxy service registration, Envoy configuration, etc. 625 626 - `imageEnvoy` ((#v-connectinject-imageEnvoy)) (`string: ""`) - The name of the Docker image (including any tag) for the Envoy sidecar. `envoy` must be on the executable path within this image. This Envoy version must be compatible with the Consul version used by the injector. If not specified this defaults to letting the injector choose the Envoy image. Check [supported Envoy versions](/docs/connect/proxies/envoy.html#supported-versions) to ensure the version you are using is compatible with Consul. 627 628 - `namespaceSelector` ((#v-connectinject-namespaceselector)) (`string: ""`) - A [selector](https:// 629 kubernetes.io/docs/concepts/overview/working-with-objects/labels/) 630 for restricting injection to only matching namespaces. By default all namespaces 631 except `kube-system` and `kube-public` will have injection enabled. 632 633 ```yaml 634 namespaceSelector: | 635 matchLabels: 636 namespace-label: label-value 637 ``` 638 639 - `k8sAllowNamespaces` ((#v-connectinject-k8sallownamespaces)) - list of k8s namespaces to allow 640 Connect sidecar injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, pods in that k8s namespace will not be injected even if they are explicitly annotated. Use `["*"]` to automatically allow all k8s namespaces. 641 642 For example, `["namespace1", "namespace2"]` will only allow pods in the k8s namespaces `namespace1` and `namespace2` to have Connect sidecars injected and registered with Consul. All other k8s namespaces will be ignored. 643 644 Note: `k8sDenyNamespaces` takes precedence over values defined here and `namespaceSelector` takes precedence over both since it is applied first. `kube-system` and `kube-public` are never injected, even if included here. Requires consul-k8s v0.12+ 645 646 - `k8sDenyNamespaces` ((#v-connectinject-k8sdenynamespaces)) - list of k8s namespaces that should not 647 allow Connect sidecar injection. This list takes precedence over `k8sAllowNamespaces`. `*` is not supported because then nothing would be allowed to be injected. 648 649 For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` and `namespace2` will be injected. 650 651 Note: `namespaceSelector` takes precedence over this since it is applied first. `kube-system` and `kube-public` are never injected. Requires consul-k8s v0.12+. 652 653 - `consulNamespaces` ((#v-connectinject-consulnamespaces)) <EnterpriseAlert inline /> - These settings manage 654 the connect injector's interaction with Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+). Also, `global.enableConsulNamespaces` must be true. 655 656 - `consulDestinationNamespace` ((#v-connectinject-consulnamespaces-consuldestinationnamespace)) 657 (`string: "default"`) - Name of the Consul namespace to register all k8s services into. If the Consul namespace does not already exist, it will be created. 658 This will be ignored if `mirroringK8S` is true. 659 660 - `mirroringK8S` ((#v-connectinject-consulnamespaces-mirroringk8s)) (`bool: false`) - causes k8s 661 services to be registered into a Consul namespace of the same name as their k8s namespace, optionally prefixed if `mirroringK8SPrefix` is set below. If the Consul namespace does not already exist, it will be created. Turning this on overrides the `consulDestinationNamespace` setting. 662 663 - `mirroringK8SPrefix` ((#v-connectinject-consulnamespaces-mirroringk8sprefix)) (`string: ""`) - If 664 `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace to be given a prefix. For example, if `mirroringK8SPrefix` is set to `"k8s-"`, a service in the k8s `staging` namespace will be registered into the `k8s-staging` Consul namespace. 665 666 - `certs` ((#v-connectinject-certs)) - The certs section configures how the webhook TLS certs are 667 configured. These are the TLS certs for the Kube apiserver communicating to the webhook. 668 By default, the injector will generate and manage its own certs, but this requires 669 the ability for the injector to update its own `MutatingWebhookConfiguration`. 670 In a production environment, custom certs should probably be used. Configure 671 the values below to enable this. 672 673 - `secretName` ((#v-connectinject-certs-secretname)) (`string: null`) - secretName is the name of 674 the Kubernetes secret that has the TLS certificate and private key to serve the injector webhook. If this is null, then the injector will default to its automatic management mode. 675 676 - `caBundle` ((#v-connectinject-cabundle)) (`string: ""`) - The PEM-encoded CA public certificate 677 bundle for the TLS certificate served by the injector. This must be specified as a string 678 and can't come from a secret because it must be statically configured on the 679 Kubernetes `MutatingAdmissionWebhook` resource. This only needs to be specified 680 if `secretName` is not null. 681 682 - `certName` ((#v-connectinject-certs-certname)) (`string: "tls.crt"`) - The name of the 683 certificate file within the `secretName` secret. 684 685 - `keyName` ((#v-connectinject-certs-keyname)) (`string: "tls.key"`) - The name of the private key 686 for the certificate file within the `secretName` secret. 687 688 - `nodeSelector` ((#v-connectinject-nodeselector)) (`string: null`) - This value defines 689 [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) 690 labels for `connectInject` pod assignment, formatted as a multi-line string. 691 692 ```yaml 693 nodeSelector: | 694 beta.kubernetes.io/arch: amd64 695 ``` 696 697 - `aclBindingRuleSelector` ((#v-connectinject-acl-bindingrule-selector)) (`string: "serviceaccount.name!=default"`) - A [selector](/docs/acl/auth-methods#binding-rules) 698 for restricting automatic injection to only matching services based on their 699 associated service account. By default, services using the `default` Kubernetes 700 service account will be prevented from logging in. This only has effect if ACLs 701 are enabled. Requires Consul 1.5+ and consul-k8s 0.8.0+. 702 703 - `overrideAuthMethodName` ((#v-connectinject-overrideauthmethodname)) (`string: ""`) - If not using `global.acls.manageSystemACLs` and instead 704 manually setting up an auth method for Connect inject, set this to the name of 705 your Auth method. 706 707 - `aclInjectToken` ((#v-connectinject-aclinjecttoken)) - Refers to a Kubernetes secret that you have created that contains an ACL token for your Consul cluster which allows the Connect injector the correct permissions. This is only needed if Consul namespaces and ACLs are enabled on the Consul cluster and you are not setting `global.acls.manageSystemACLs` to `true`. This token needs to have `operator = "write"` privileges so that it can create namespaces. 708 709 - `secretName` ((#v-connectinject-aclinjecttoken-secretname)) `(string: null)` - The name of the Kubernetes secret. 710 711 - `secretKey` ((#v-connectinject-aclinjecttoken-secretkey)) `(string: null)` - The key within the Kubernetes secret that holds the acl token. 712 713 - `centralConfig` ((#v-connectinject-centralconfig)) - Values that configure Consul's [central configuration](/docs/agent/config_entries) 714 feature (requires Consul v1.5+ and consul-k8s v0.8.1+). 715 716 - `enabled` ((#v-connectinject-centralconfig-enabled)) (`boolean: true`) - Turns on the central 717 configuration feature. Pods that have a Connect proxy injected will have their service automatically registered in this central configuration. 718 719 - `defaultProtocol` ((#v-connectinject-centralconfig-defaultprotocol)) (`string: null`) - If 720 defined, this value will be used as the default protocol type for all services registered with the central configuration. This can be overridden by using the [protocol annotation](/docs/platform/k8s/connect#consul-hashicorp-com-connect-service-protocol) directly on any pod spec. 721 722 - `proxyDefaults` ((#v-connectinject-centralconfig-proxydefaults)) (`string: "{}"`) - This value is 723 a raw json string that will be applied to all Connect proxy sidecar pods. It can include any valid configuration for the configured proxy. 724 725 ```yaml 726 # proxyDefaults values are formatted as a multi-line string: 727 proxyDefaults: | 728 { 729 "envoy_dogstatsd_url": "udp://127.0.0.1:9125" 730 } 731 ``` 732 733- `tests` ((#v-tests)) - Control whether to enable a test for this Helm chart. 734 735 - `enabled` ((#v-tests-enabled)) (`boolean: true`) If true, the test Pod manifest will be generated 736 to be used as a Helm test. The pod will be created when a `helm test` command is executed. 737 738## Helm Chart Examples 739 740The below `config.yaml` results in a single server Consul cluster with a `LoadBalancer` to allow external access to the UI and API. 741 742```yaml 743# config.yaml 744server: 745 replicas: 1 746 bootstrapExpect: 1 747 748ui: 749 service: 750 type: LoadBalancer 751``` 752 753The below `config.yaml` results in a three server Consul Enterprise cluster with 100GB of storage and automatic Connect injection. 754 755Note, this would require a secret that contains the enterprise license key. 756 757```yaml 758# config.yaml 759global: 760 image: 'hashicorp/consul-enterprise:1.4.2-ent' 761 762server: 763 replicas: 3 764 bootstrapExpect: 3 765 enterpriseLicense: 766 secretName: 'consul-license' 767 secretKey: 'key' 768 storage: 100Gi 769 connect: true 770 771client: 772 grpc: true 773 774connectInject: 775 enabled: true 776 default: false 777``` 778 779## Customizing the Helm Chart 780 781Consul within Kubernetes is highly configurable and the Helm chart contains dozens 782of the most commonly used configuration options. 783If you need to extend the Helm chart with additional options, we recommend using a third-party tool, 784such as [kustomize](https://github.com/kubernetes-sigs/kustomize) or [ship](https://github.com/replicatedhq/ship). 785Note that the Helm chart heavily relies on Helm lifecycle hooks, and so features like bootstrapping ACLs or TLS 786will not work as expected. Additionally, we can make changes to the internal implementation (e.g., renaming template files) that 787may be backward incompatible with such customizations. 788