1--- 2layout: docs 3page_title: Helm Chart Configuration 4description: Configuration for the Consul Helm chart. 5--- 6 7# Helm Chart Configuration 8 9## Configuration (Values) 10 11The chart is highly customizable using 12[Helm configuration values](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). 13Each value has a sane default tuned for an optimal getting started experience 14with Consul. Before going into production, please review the parameters below 15and consider if they're appropriate for your deployment. 16 17<!-- DO NOT EDIT. The docs below are generated automatically. To change, edit 18 the consul-helm repo's values.yaml file --> 19<!-- codegen: start --> 20 21### global 22 23- `global` ((#v-global)) - Holds values that affect multiple components of the chart. 24 25 - `enabled` ((#v-global-enabled)) (`boolean: true`) - The main enabled/disabled setting. If true, servers, 26 clients, Consul DNS and the Consul UI will be enabled. Each component can override 27 this default via its component-specific "enabled" config. If false, no components 28 will be installed by default and per-component opt-in is required, such as by 29 setting `server.enabled` to true. 30 31 - `logLevel` ((#v-global-loglevel)) (`string: info`) - The default log level to apply to all components which do not otherwise override this setting. 32 It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity. 33 One of "debug", "info", "warn", or "error". 34 35 - `logJSON` ((#v-global-logjson)) (`boolean: false`) - Enable all component logs to be output in JSON format. 36 37 - `name` ((#v-global-name)) (`string: null`) - Set the prefix used for all resources in the Helm chart. If not set, 38 the prefix will be `<helm release name>-consul`. 39 40 - `domain` ((#v-global-domain)) (`string: consul`) - The domain Consul will answer DNS queries for 41 (see `-domain` (https://consul.io/docs/agent/options#_domain)) and the domain services synced from 42 Consul into Kubernetes will have, e.g. `service-name.service.consul`. 43 44 - `image` ((#v-global-image)) (`string: hashicorp/consul:<latest version>`) - The name (and tag) of the Consul Docker image for clients and servers. 45 This can be overridden per component. This should be pinned to a specific 46 version tag, otherwise you may inadvertently upgrade your Consul version. 47 48 Examples: 49 50 ```yaml 51 # Consul 1.10.0 52 image: "consul:1.10.0" 53 # Consul Enterprise 1.10.0 54 image: "hashicorp/consul-enterprise:1.10.0-ent" 55 ``` 56 57 - `imagePullSecrets` ((#v-global-imagepullsecrets)) (`array<map>`) - Array of objects containing image pull secret names that will be applied to each service account. 58 This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. 59 See https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry for reference. 60 61 Example: 62 63 ```yaml 64 imagePullSecrets: 65 - name: pull-secret-name 66 - name: pull-secret-name-2 67 ``` 68 69 - `imageK8S` ((#v-global-imagek8s)) (`string: hashicorp/consul-k8s-control-plane:<latest version>`) - The name (and tag) of the consul-k8s-control-plane Docker 70 image that is used for functionality such as catalog sync. 71 This can be overridden per component. 72 73 - `datacenter` ((#v-global-datacenter)) (`string: dc1`) - The name of the datacenter that the agents should 74 register as. This can't be changed once the Consul cluster is up and running 75 since Consul doesn't support an automatic way to change this value currently: 76 https://github.com/hashicorp/consul/issues/1858. 77 78 - `enablePodSecurityPolicies` ((#v-global-enablepodsecuritypolicies)) (`boolean: false`) - Controls whether pod security policies are created for the Consul components 79 created by this chart. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/. 80 81 - `gossipEncryption` ((#v-global-gossipencryption)) - Configures which Kubernetes secret to retrieve Consul's 82 gossip encryption key from (see `-encrypt` (https://consul.io/docs/agent/options#_encrypt)). If secretName or 83 secretKey are not set, gossip encryption will not be enabled. The secret must 84 be in the same namespace that Consul is installed into. 85 86 The secret can be created by running: 87 88 ```shell 89 $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) 90 ``` 91 92 To reference, use: 93 94 ```yaml 95 global: 96 gossipEncryption: 97 secretName: consul-gossip-encryption-key 98 secretKey: key 99 ``` 100 101 - `secretName` ((#v-global-gossipencryption-secretname)) (`string: ""`) - secretName is the name of the Kubernetes secret that holds the gossip 102 encryption key. The secret must be in the same namespace that Consul is installed into. 103 104 - `secretKey` ((#v-global-gossipencryption-secretkey)) (`string: ""`) - secretKey is the key within the Kubernetes secret that holds the gossip 105 encryption key. 106 107 - `recursors` ((#v-global-recursors)) (`array<string>: []`) - A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. 108 These values are given as `-recursor` flags to Consul servers and clients. 109 See https://www.consul.io/docs/agent/options#_recursor for more details. 110 If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). 111 112 - `tls` ((#v-global-tls)) - Enables TLS (https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure) 113 across the cluster to verify authenticity of the Consul servers and clients. 114 Requires Consul v1.4.1+. 115 116 - `enabled` ((#v-global-tls-enabled)) (`boolean: false`) - If true, the Helm chart will enable TLS for Consul 117 servers and clients and all consul-k8s-control-plane components, as well as generate certificate 118 authority (optional) and server and client certificates. 119 120 - `enableAutoEncrypt` ((#v-global-tls-enableautoencrypt)) (`boolean: false`) - If true, turns on the auto-encrypt feature on clients and servers. 121 It also switches consul-k8s-control-plane components to retrieve the CA from the servers 122 via the API. Requires Consul 1.7.1+. 123 124 - `serverAdditionalDNSSANs` ((#v-global-tls-serveradditionaldnssans)) (`array<string>: []`) - A list of additional DNS names to set as Subject Alternative Names (SANs) 125 in the server certificate. This is useful when you need to access the 126 Consul server(s) externally, for example, if you're using the UI. 127 128 - `serverAdditionalIPSANs` ((#v-global-tls-serveradditionalipsans)) (`array<string>: []`) - A list of additional IP addresses to set as Subject Alternative Names (SANs) 129 in the server certificate. This is useful when you need to access the 130 Consul server(s) externally, for example, if you're using the UI. 131 132 - `verify` ((#v-global-tls-verify)) (`boolean: true`) - If true, `verify_outgoing`, `verify_server_hostname`, 133 and `verify_incoming_rpc` will be set to `true` for Consul servers and clients. 134 Set this to false to incrementally roll out TLS on an existing Consul cluster. 135 Please see https://consul.io/docs/k8s/operations/tls-on-existing-cluster 136 for more details. 137 138 - `httpsOnly` ((#v-global-tls-httpsonly)) (`boolean: true`) - If true, the Helm chart will configure Consul to disable the HTTP port on 139 both clients and servers and to only accept HTTPS connections. 140 141 - `caCert` ((#v-global-tls-cacert)) - A Kubernetes secret containing the certificate of the CA to use for 142 TLS communication within the Consul cluster. If you have generated the CA yourself 143 with the consul CLI, you could use the following command to create the secret 144 in Kubernetes: 145 146 ```bash 147 kubectl create secret generic consul-ca-cert \ 148 --from-file='tls.crt=./consul-agent-ca.pem' 149 ``` 150 151 - `secretName` ((#v-global-tls-cacert-secretname)) (`string: null`) - The name of the Kubernetes secret. 152 153 - `secretKey` ((#v-global-tls-cacert-secretkey)) (`string: null`) - The key of the Kubernetes secret. 154 155 - `caKey` ((#v-global-tls-cakey)) - A Kubernetes secret containing the private key of the CA to use for 156 TLS communication within the Consul cluster. If you have generated the CA yourself 157 with the consul CLI, you could use the following command to create the secret 158 in Kubernetes: 159 160 ```bash 161 kubectl create secret generic consul-ca-key \ 162 --from-file='tls.key=./consul-agent-ca-key.pem' 163 ``` 164 165 Note that we need the CA key so that we can generate server and client certificates. 166 It is particularly important for the client certificates since they need to have host IPs 167 as Subject Alternative Names. In the future, we may support bringing your own server 168 certificates. 169 170 - `secretName` ((#v-global-tls-cakey-secretname)) (`string: null`) - The name of the Kubernetes secret. 171 172 - `secretKey` ((#v-global-tls-cakey-secretkey)) (`string: null`) - The key of the Kubernetes secret. 173 174 - `enableConsulNamespaces` ((#v-global-enableconsulnamespaces)) (`boolean: false`) - <EnterpriseAlert inline /> `enableConsulNamespaces` indicates that you are running 175 Consul Enterprise v1.7+ with a valid Consul Enterprise license and would 176 like to make use of configuration beyond registering everything into 177 the `default` Consul namespace. Additional configuration 178 options are found in the `consulNamespaces` section of both the catalog sync 179 and connect injector. 180 181 - `acls` ((#v-global-acls)) - Configure ACLs. 182 183 - `manageSystemACLs` ((#v-global-acls-managesystemacls)) (`boolean: false`) - If true, the Helm chart will automatically manage ACL tokens and policies 184 for all Consul and consul-k8s-control-plane components. 185 This requires Consul >= 1.4. 186 187 - `bootstrapToken` ((#v-global-acls-bootstraptoken)) - A Kubernetes secret containing the bootstrap token to use for 188 creating policies and tokens for all Consul and consul-k8s-control-plane components. 189 If set, we will skip ACL bootstrapping of the servers and will only 190 initialize ACLs for the Consul clients and consul-k8s-control-plane system components. 191 192 - `secretName` ((#v-global-acls-bootstraptoken-secretname)) (`string: null`) - The name of the Kubernetes secret. 193 194 - `secretKey` ((#v-global-acls-bootstraptoken-secretkey)) (`string: null`) - The key of the Kubernetes secret. 195 196 - `createReplicationToken` ((#v-global-acls-createreplicationtoken)) (`boolean: false`) - If true, an ACL token will be created that can be used in secondary 197 datacenters for replication. This should only be set to true in the 198 primary datacenter since the replication token must be created from that 199 datacenter. 200 In secondary datacenters, the secret needs to be imported from the primary 201 datacenter and referenced via `global.acls.replicationToken`. 202 203 - `replicationToken` ((#v-global-acls-replicationtoken)) - replicationToken references a secret containing the replication ACL token. 204 This token will be used by secondary datacenters to perform ACL replication 205 and create ACL tokens and policies. 206 This value is ignored if `bootstrapToken` is also set. 207 208 - `secretName` ((#v-global-acls-replicationtoken-secretname)) (`string: null`) - The name of the Kubernetes secret. 209 210 - `secretKey` ((#v-global-acls-replicationtoken-secretkey)) (`string: null`) - The key of the Kubernetes secret. 211 212 - `federation` ((#v-global-federation)) - Configure federation. 213 214 - `enabled` ((#v-global-federation-enabled)) (`boolean: false`) - If enabled, this datacenter will be federation-capable. Only federation 215 via mesh gateways is supported. 216 Mesh gateways and servers will be configured to allow federation. 217 Requires `global.tls.enabled`, `meshGateway.enabled` and `connectInject.enabled` 218 to be true. Requires Consul 1.8+. 219 220 - `createFederationSecret` ((#v-global-federation-createfederationsecret)) (`boolean: false`) - If true, the chart will create a Kubernetes secret that can be imported 221 into secondary datacenters so they can federate with this datacenter. The 222 secret contains all the information secondary datacenters need to contact 223 and authenticate with this datacenter. This should only be set to true 224 in your primary datacenter. The secret name is 225 `<global.name>-federation` (if setting `global.name`), otherwise 226 `<helm-release-name>-consul-federation`. 227 228 - `metrics` ((#v-global-metrics)) - Configures metrics for Consul service mesh 229 230 - `enabled` ((#v-global-metrics-enabled)) (`boolean: false`) - Configures the Helm chart’s components 231 to expose Prometheus metrics for the Consul service mesh. By default 232 this includes gateway metrics and sidecar metrics. 233 234 - `enableAgentMetrics` ((#v-global-metrics-enableagentmetrics)) (`boolean: false`) - Configures consul agent metrics. Only applicable if 235 `global.metrics.enabled` is true. 236 237 - `agentMetricsRetentionTime` ((#v-global-metrics-agentmetricsretentiontime)) (`string: 1m`) - Configures the retention time for metrics in Consul clients and 238 servers. This must be greater than 0 for Consul clients and servers 239 to expose any metrics at all. 240 Only applicable if `global.metrics.enabled` is true. 241 242 - `enableGatewayMetrics` ((#v-global-metrics-enablegatewaymetrics)) (`boolean: true`) - If true, mesh, terminating, and ingress gateways will expose their 243 Envoy metrics on port `20200` at the `/metrics` path and all gateway pods 244 will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true. 245 246 - `consulSidecarContainer` ((#v-global-consulsidecarcontainer)) (`map`) - For connect-injected pods, the consul sidecar is responsible for metrics merging. For ingress/mesh/terminating 247 gateways, it additionally ensures the Consul services are always registered with their local Consul client. 248 249 - `imageEnvoy` ((#v-global-imageenvoy)) (`string: envoyproxy/envoy-alpine:<latest supported version>`) - The name (and tag) of the Envoy Docker image used for the 250 connect-injected sidecar proxies and mesh, terminating, and ingress gateways. 251 See https://www.consul.io/docs/connect/proxies/envoy for full compatibility matrix between Consul and Envoy. 252 253 - `openshift` ((#v-global-openshift)) - Configuration for running this Helm chart on the Red Hat OpenShift platform. 254 This Helm chart currently supports OpenShift v4.x+. 255 256 - `enabled` ((#v-global-openshift-enabled)) (`boolean: false`) - If true, the Helm chart will create necessary configuration for running 257 its components on OpenShift. 258 259### server 260 261- `server` ((#v-server)) - Server, when enabled, configures a server cluster to run. This should 262 be disabled if you plan on connecting to a Consul cluster external to 263 the Kube cluster. 264 265 - `enabled` ((#v-server-enabled)) (`boolean: global.enabled`) - If true, the chart will install all the resources necessary for a 266 Consul server cluster. If you're running Consul externally and want agents 267 within Kubernetes to join that cluster, this should probably be false. 268 269 - `image` ((#v-server-image)) (`string: null`) - The name of the Docker image (including any tag) for the containers running 270 Consul server agents. 271 272 - `replicas` ((#v-server-replicas)) (`integer: 3`) - The number of server agents to run. This determines the fault tolerance of 273 the cluster. Please see the deployment table (https://consul.io/docs/internals/consensus#deployment-table) 274 for more information. 275 276 - `bootstrapExpect` ((#v-server-bootstrapexpect)) (`int: null`) - The number of servers that are expected to be running. 277 It defaults to server.replicas. 278 In most cases the default should be used, however if there are more 279 servers in this datacenter than server.replicas it might make sense 280 to override the default. This would be the case if two kube clusters 281 were joined into the same datacenter and each cluster ran a certain number 282 of servers. 283 284 - `enterpriseLicense` ((#v-server-enterpriselicense)) - <EnterpriseAlert inline /> This value refers to a Kubernetes secret that you have created 285 that contains your enterprise license. It is required if you are using an 286 enterprise binary. Defining it here applies it to your cluster once a leader 287 has been elected. If you are not using an enterprise image or if you plan to 288 introduce the license key via another route, then set these fields to null. 289 Note: the job to apply license runs on both Helm installs and upgrades. 290 291 - `secretName` ((#v-server-enterpriselicense-secretname)) (`string: null`) - The name of the Kubernetes secret that holds the enterprise license. 292 The secret must be in the same namespace that Consul is installed into. 293 294 - `secretKey` ((#v-server-enterpriselicense-secretkey)) (`string: null`) - The key within the Kubernetes secret that holds the enterprise license. 295 296 - `enableLicenseAutoload` ((#v-server-enterpriselicense-enablelicenseautoload)) (`boolean: true`) - Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+. 297 298 - `serverCert` ((#v-server-servercert)) - A Kubernetes secret containing a certificate & key for the server agents to use 299 for TLS communication within the Consul cluster. Cert needs to be provided with 300 additional DNS name SANs so that it will work within the Kubernetes cluster: 301 302 ```bash 303 consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \ 304 -key=consul-agent-ca-key.pem -dc={{datacenter}} \ 305 -additional-dnsname="{{fullname}}-server" \ 306 -additional-dnsname="*.{{fullname}}-server" \ 307 -additional-dnsname="*.{{fullname}}-server.{{namespace}}" \ 308 -additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \ 309 -additional-dnsname="*.server.{{datacenter}}.{{domain}}" \ 310 -additional-dnsname="server.{{datacenter}}.{{domain}}" 311 ``` 312 313 If you have generated the 314 server-cert yourself with the consul CLI, you could use the following command 315 to create the secret in Kubernetes: 316 317 ```bash 318 kubectl create secret generic consul-server-cert \ 319 --from-file='tls.crt=./dc1-server-consul-0.pem' 320 --from-file='tls.key=./dc1-server-consul-0-key.pem' 321 ``` 322 323 - `secretName` ((#v-server-servercert-secretname)) (`string: null`) - The name of the Kubernetes secret. 324 325 - `exposeGossipAndRPCPorts` ((#v-server-exposegossipandrpcports)) (`boolean: false`) - Exposes the servers' gossip and RPC ports as hostPorts. To enable a client 326 agent outside of the k8s cluster to join the datacenter, you would need to 327 enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and 328 set `server.ports.serflan.port` to a port not being used on the host. Since 329 `client.exposeGossipPorts` uses the hostPort 8301, 330 `server.ports.serflan.port` must be set to something other than 8301. 331 332 - `ports` ((#v-server-ports)) - Configures ports for the consul servers. 333 334 - `serflan` ((#v-server-ports-serflan)) - Configures the LAN gossip port for the consul servers. If you choose to 335 enable `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, 336 that will configure the LAN gossip ports on the servers and clients to be 337 hostPorts, so if you are running clients and servers on the same node the 338 ports will conflict if they are both 8301. When you enable 339 `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, you must 340 change this from the default to an unused port on the host, e.g. 9301. By 341 default the LAN gossip port is 8301 and configured as a containerPort on 342 the consul server Pods. 343 344 - `port` ((#v-server-ports-serflan-port)) (`integer: 8301`) 345 346 - `storage` ((#v-server-storage)) (`string: 10Gi`) - This defines the disk size for configuring the 347 servers' StatefulSet storage. For dynamically provisioned storage classes, this is the 348 desired size. For manually defined persistent volumes, this should be set to 349 the disk size of the attached volume. 350 351 - `storageClass` ((#v-server-storageclass)) (`string: null`) - The StorageClass to use for the servers' StatefulSet storage. It must be 352 able to be dynamically provisioned if you want the storage 353 to be automatically created. For example, to use local 354 (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) 355 storage classes, the PersistentVolumeClaims would need to be manually created. 356 A `null` value will use the Kubernetes cluster's default StorageClass. If a default 357 StorageClass does not exist, you will need to create one. 358 359 - `connect` ((#v-server-connect)) (`boolean: true`) - This will enable/disable Connect (https://consul.io/docs/connect). Setting this to true 360 _will not_ automatically secure pod communication, this 361 setting will only enable usage of the feature. Consul will automatically initialize 362 a new CA and set of certificates. Additional Connect settings can be configured 363 by setting the `server.extraConfig` value. 364 365 - `serviceAccount` ((#v-server-serviceaccount)) 366 367 - `annotations` ((#v-server-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the server service account. This should be formatted as a multi-line 368 string. 369 370 ```yaml 371 annotations: | 372 "sample/annotation1": "foo" 373 "sample/annotation2": "bar" 374 ``` 375 376 - `resources` ((#v-server-resources)) (`map`) - The resource requests (CPU, memory, etc.) 377 for each of the server agents. This should be a YAML map corresponding to a Kubernetes 378 ResourceRequirements (https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core) 379 object. NOTE: The use of a YAML string is deprecated. 380 381 Example: 382 383 ```yaml 384 resources: 385 requests: 386 memory: '100Mi' 387 cpu: '100m' 388 limits: 389 memory: '100Mi' 390 cpu: '100m' 391 ``` 392 393 - `securityContext` ((#v-server-securitycontext)) (`map`) - The security context for the server pods. This should be a YAML map corresponding to a 394 Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. 395 By default, servers will run as non-root, with user ID `100` and group ID `1000`, 396 which correspond to the consul user and group created by the Consul docker image. 397 Note: if running on OpenShift, this setting is ignored because the user and group are set automatically 398 by the OpenShift platform. 399 400 - `updatePartition` ((#v-server-updatepartition)) (`integer: 0`) - This value is used to carefully 401 control a rolling update of Consul server agents. This value specifies the 402 partition (https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) 403 for performing a rolling update. Please read the linked Kubernetes documentation 404 and https://www.consul.io/docs/k8s/upgrade#upgrading-consul-servers for more information. 405 406 - `disruptionBudget` ((#v-server-disruptionbudget)) - This configures the PodDisruptionBudget (https://kubernetes.io/docs/tasks/run-application/configure-pdb/) 407 for the server cluster. 408 409 - `enabled` ((#v-server-disruptionbudget-enabled)) (`boolean: true`) - This will enable/disable registering a PodDisruptionBudget for the server 410 cluster. If this is enabled, it will only register the budget so long as 411 the server cluster is enabled. 412 413 - `maxUnavailable` ((#v-server-disruptionbudget-maxunavailable)) (`integer: null`) - The maximum number of unavailable pods. By default, this will be 414 automatically computed based on the `server.replicas` value to be `(n/2)-1`. 415 If you need to set this to `0`, you will need to add a 416 --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation 417 command because of a limitation in the Helm templating language. 418 419 - `extraConfig` ((#v-server-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul 420 servers. This will be saved as-is into a ConfigMap that is read by the Consul 421 server agents. This can be used to add additional configuration that 422 isn't directly exposed by the chart. 423 424 Example: 425 426 ```yaml 427 extraConfig: | 428 { 429 "log_level": "DEBUG" 430 } 431 ``` 432 433 This can also be set using Helm's `--set` flag using the following syntax: 434 435 ```shell 436 --set 'server.extraConfig="{"log_level": "DEBUG"}"' 437 ``` 438 439 - `extraVolumes` ((#v-server-extravolumes)) (`array<map>`) - A list of extra volumes to mount for server agents. This 440 is useful for bringing in extra data that can be referenced by other configurations 441 at a well known path, such as TLS certificates or Gossip encryption keys. The 442 value of this should be a list of objects. 443 444 Example: 445 446 ```yaml 447 extraVolumes: 448 - type: secret 449 name: consul-certs 450 load: false 451 ``` 452 453 Each object supports the following keys: 454 455 - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. 456 457 - `name` - Name of the configMap or secret to be mounted. This also controls 458 the path that it is mounted to. The volume will be mounted to `/consul/userconfig/<name>`. 459 460 - `load` - If true, then the agent will be 461 configured to automatically load HCL/JSON configuration files from this volume 462 with `-config-dir`. This defaults to false. 463 464 - `affinity` ((#v-server-affinity)) (`string`) - This value defines the affinity (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) 465 for server pods. It defaults to allowing only a single server pod on each node, which 466 minimizes risk of the cluster becoming unusable if a node is lost. If you need 467 to run more pods per node (for example, testing on Minikube), set this value 468 to `null`. 469 470 Example: 471 472 ```yaml 473 affinity: | 474 podAntiAffinity: 475 requiredDuringSchedulingIgnoredDuringExecution: 476 - labelSelector: 477 matchLabels: 478 app: {{ template "consul.name" . }} 479 release: "{{ .Release.Name }}" 480 component: server 481 topologyKey: kubernetes.io/hostname 482 ``` 483 484 - `tolerations` ((#v-server-tolerations)) (`string: ""`) - Toleration settings for server pods. This 485 should be a multi-line string matching the Tolerations 486 (https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. 487 488 - `topologySpreadConstraints` ((#v-server-topologyspreadconstraints)) (`string: ""`) - Pod topology spread constraints for server pods. 489 This should be a multi-line YAML string matching the `topologySpreadConstraints` array 490 (https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) in a Pod Spec. 491 492 This requires K8S >= 1.18 (beta) or 1.19 (stable). 493 494 Example: 495 496 ```yaml 497 topologySpreadConstraints: | 498 - maxSkew: 1 499 topologyKey: topology.kubernetes.io/zone 500 whenUnsatisfiable: DoNotSchedule 501 labelSelector: 502 matchLabels: 503 app: {{ template "consul.name" . }} 504 release: "{{ .Release.Name }}" 505 component: server 506 ``` 507 508 - `nodeSelector` ((#v-server-nodeselector)) (`string: null`) - This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) 509 labels for server pod assignment, formatted as a multi-line string. 510 511 Example: 512 513 ```yaml 514 nodeSelector: | 515 beta.kubernetes.io/arch: amd64 516 ``` 517 518 - `priorityClassName` ((#v-server-priorityclassname)) (`string: ""`) - This value references an existing 519 Kubernetes `priorityClassName` (https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) 520 that can be assigned to server pods. 521 522 - `extraLabels` ((#v-server-extralabels)) (`map`) - Extra labels to attach to the server pods. This should be a YAML map. 523 524 Example: 525 526 ```yaml 527 extraLabels: 528 labelKey: label-value 529 anotherLabelKey: another-label-value 530 ``` 531 532 - `annotations` ((#v-server-annotations)) (`string: null`) - This value defines additional annotations for 533 server pods. This should be formatted as a multi-line string. 534 535 ```yaml 536 annotations: | 537 "sample/annotation1": "foo" 538 "sample/annotation2": "bar" 539 ``` 540 541 - `service` ((#v-server-service)) - Server service properties. 542 543 - `annotations` ((#v-server-service-annotations)) (`string: null`) - Annotations to apply to the server service. 544 545 ```yaml 546 annotations: | 547 "annotation-key": "annotation-value" 548 ``` 549 550 - `extraEnvironmentVars` ((#v-server-extraenvironmentvars)) (`map`) - A list of extra environment variables to set within the stateful set. 551 These could be used to include proxy settings required for cloud auto-join 552 feature, in case kubernetes cluster is behind egress http proxies. Additionally, 553 it could be used to configure custom consul parameters. 554 555### externalServers 556 557- `externalServers` ((#v-externalservers)) - Configuration for Consul servers when the servers are running outside of Kubernetes. 558 When running external servers, configuring these values is recommended 559 if setting `global.tls.enableAutoEncrypt` to true 560 or `global.acls.manageSystemACLs` to true. 561 562 - `enabled` ((#v-externalservers-enabled)) (`boolean: false`) - If true, the Helm chart will be configured to talk to the external servers. 563 If setting this to true, you must also set `server.enabled` to false. 564 565 - `hosts` ((#v-externalservers-hosts)) (`array<string>: []`) - An array of external Consul server hosts that are used to make 566 HTTPS connections from the components in this Helm chart. 567 Valid values include IPs, DNS names, or Cloud auto-join string. 568 The port must be provided separately below. 569 Note: `client.join` must also be set to the hosts that should be 570 used to join the cluster. In most cases, the `client.join` values 571 should be the same, however, they may be different if you 572 wish to use separate hosts for the HTTPS connections. 573 574 - `httpsPort` ((#v-externalservers-httpsport)) (`integer: 8501`) - The HTTPS port of the Consul servers. 575 576 - `tlsServerName` ((#v-externalservers-tlsservername)) (`string: null`) - The server name to use as the SNI host header when connecting with HTTPS. 577 578 - `useSystemRoots` ((#v-externalservers-usesystemroots)) (`boolean: false`) - If true, consul-k8s-control-plane components will ignore the CA set in 579 `global.tls.caCert` when making HTTPS calls to Consul servers and 580 will instead use the consul-k8s-control-plane image's system CAs for TLS verification. 581 If false, consul-k8s-control-plane components will use `global.tls.caCert` when 582 making HTTPS calls to Consul servers. 583 **NOTE:** This does not affect Consul's internal RPC communication which will 584 always use `global.tls.caCert`. 585 586 - `k8sAuthMethodHost` ((#v-externalservers-k8sauthmethodhost)) (`string: null`) - If you are setting `global.acls.manageSystemACLs` and 587 `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server. 588 This address must be reachable from the Consul servers. 589 Please see the Kubernetes Auth Method documentation (https://consul.io/docs/acl/auth-methods/kubernetes). 590 591 You could retrieve this value from your `kubeconfig` by running: 592 593 ```shell 594 kubectl config view \ 595 -o jsonpath="{.clusters[?(@.name=='<your cluster name>')].cluster.server}" 596 ``` 597 598### client 599 600- `client` ((#v-client)) - Values that configure running a Consul client on Kubernetes nodes. 601 602 - `enabled` ((#v-client-enabled)) (`boolean: global.enabled`) - If true, the chart will install all 603 the resources necessary for a Consul client on every Kubernetes node. This _does not_ require 604 `server.enabled`, since the agents can be configured to join an external cluster. 605 606 - `image` ((#v-client-image)) (`string: null`) - The name of the Docker image (including any tag) for the containers 607 running Consul client agents. 608 609 - `join` ((#v-client-join)) (`array<string>: null`) - A list of valid `-retry-join` values (https://consul.io/docs/agent/options#retry-join). 610 If this is `null` (default), then the clients will attempt to automatically 611 join the server cluster running within Kubernetes. 612 This means that with `server.enabled` set to true, clients will automatically 613 join that cluster. If `server.enabled` is not true, then a value must be 614 specified so the clients can join a valid cluster. 615 616 - `dataDirectoryHostPath` ((#v-client-datadirectoryhostpath)) (`string: null`) - An absolute path to a directory on the host machine to use as the Consul 617 client data directory. If set to the empty string or null, the Consul agent 618 will store its data in the Pod's local filesystem (which will 619 be lost if the Pod is deleted). Security Warning: If setting this, Pod Security 620 Policies _must_ be enabled on your cluster and in this Helm chart (via the 621 `global.enablePodSecurityPolicies` setting) to prevent other pods from 622 mounting the same host path and gaining access to all of Consul's data. 623 Consul's data is not encrypted at rest. 624 625 - `grpc` ((#v-client-grpc)) (`boolean: true`) - If true, agents will enable their GRPC listener on 626 port 8502 and expose it to the host. This will use slightly more resources, but is 627 required for Connect. 628 629 - `nodeMeta` ((#v-client-nodemeta)) - nodeMeta specifies an arbitrary metadata key/value pair to associate with the node 630 (see https://www.consul.io/docs/agent/options.html#_node_meta) 631 632 - `pod-name` ((#v-client-nodemeta-pod-name)) (`string: ${HOSTNAME}`) 633 634 - `host-ip` ((#v-client-nodemeta-host-ip)) (`string: ${HOST_IP}`) 635 636 - `exposeGossipPorts` ((#v-client-exposegossipports)) (`boolean: false`) - If true, the Helm chart will expose the clients' gossip ports as hostPorts. 637 This is only necessary if pod IPs in the k8s cluster are not directly routable 638 and the Consul servers are outside of the k8s cluster. 639 This also changes the clients' advertised IP to the `hostIP` rather than `podIP`. 640 641 - `serviceAccount` ((#v-client-serviceaccount)) 642 643 - `annotations` ((#v-client-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the client service account. This should be formatted as a multi-line 644 string. 645 646 ```yaml 647 annotations: | 648 "sample/annotation1": "foo" 649 "sample/annotation2": "bar" 650 ``` 651 652 - `resources` ((#v-client-resources)) (`map`) - Resource settings for Client agents. 653 NOTE: The use of a YAML string is deprecated. Instead, set directly as a 654 YAML map. 655 656 - `securityContext` ((#v-client-securitycontext)) (`map`) - The security context for the client pods. This should be a YAML map corresponding to a 657 Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. 658 By default, servers will run as non-root, with user ID `100` and group ID `1000`, 659 which correspond to the consul user and group created by the Consul docker image. 660 Note: if running on OpenShift, this setting is ignored because the user and group are set automatically 661 by the OpenShift platform. 662 663 - `extraConfig` ((#v-client-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul 664 clients. This will be saved as-is into a ConfigMap that is read by the Consul 665 client agents. This can be used to add additional configuration that 666 isn't directly exposed by the chart. 667 668 Example: 669 670 ```yaml 671 extraConfig: | 672 { 673 "log_level": "DEBUG" 674 } 675 ``` 676 677 This can also be set using Helm's `--set` flag using the following syntax: 678 679 ```shell 680 --set 'client.extraConfig="{"log_level": "DEBUG"}"' 681 ``` 682 683 - `extraVolumes` ((#v-client-extravolumes)) (`array<map>`) - A list of extra volumes to mount for client agents. This 684 is useful for bringing in extra data that can be referenced by other configurations 685 at a well known path, such as TLS certificates or Gossip encryption keys. The 686 value of this should be a list of objects. 687 688 Example: 689 690 ```yaml 691 extraVolumes: 692 - type: secret 693 name: consul-certs 694 load: false 695 ``` 696 697 Each object supports the following keys: 698 699 - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. 700 701 - `name` - Name of the configMap or secret to be mounted. This also controls 702 the path that it is mounted to. The volume will be mounted to `/consul/userconfig/<name>`. 703 704 - `load` - If true, then the agent will be 705 configured to automatically load HCL/JSON configuration files from this volume 706 with `-config-dir`. This defaults to false. 707 708 - `tolerations` ((#v-client-tolerations)) (`string: ""`) - Toleration Settings for Client pods 709 This should be a multi-line string matching the Toleration array 710 in a PodSpec. 711 The example below will allow Client pods to run on every node 712 regardless of taints 713 714 ```yaml 715 tolerations: | 716 - operator: Exists 717 ``` 718 719 - `nodeSelector` ((#v-client-nodeselector)) (`string: null`) - nodeSelector labels for client pod assignment, formatted as a multi-line string. 720 ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector 721 722 Example: 723 724 ```yaml 725 nodeSelector: | 726 beta.kubernetes.io/arch: amd64 727 ``` 728 729 - `affinity` ((#v-client-affinity)) (`string: null`) - Affinity Settings for Client pods, formatted as a multi-line YAML string. 730 ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity 731 732 Example: 733 734 ```yaml 735 affinity: | 736 nodeAffinity: 737 requiredDuringSchedulingIgnoredDuringExecution: 738 nodeSelectorTerms: 739 - matchExpressions: 740 - key: node-role.kubernetes.io/master 741 operator: DoesNotExist 742 ``` 743 744 - `priorityClassName` ((#v-client-priorityclassname)) (`string: ""`) - This value references an existing 745 Kubernetes `priorityClassName` (https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) 746 that can be assigned to client pods. 747 748 - `annotations` ((#v-client-annotations)) (`string: null`) - This value defines additional annotations for 749 client pods. This should be formatted as a multi-line string. 750 751 ```yaml 752 annotations: | 753 "sample/annotation1": "foo" 754 "sample/annotation2": "bar" 755 ``` 756 757 - `extraLabels` ((#v-client-extralabels)) (`map`) - Extra labels to attach to the client pods. This should be a regular YAML map. 758 759 Example: 760 761 ```yaml 762 extraLabels: 763 labelKey: label-value 764 anotherLabelKey: another-label-value 765 ``` 766 767 - `extraEnvironmentVars` ((#v-client-extraenvironmentvars)) (`map`) - A list of extra environment variables to set within the stateful set. 768 These could be used to include proxy settings required for cloud auto-join 769 feature, in case kubernetes cluster is behind egress http proxies. Additionally, 770 it could be used to configure custom consul parameters. 771 772 - `dnsPolicy` ((#v-client-dnspolicy)) (`string: null`) - This value defines the Pod DNS policy (https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) 773 for client pods to use. 774 775 - `hostNetwork` ((#v-client-hostnetwork)) (`boolean: false`) - hostNetwork defines whether or not we use host networking instead of hostPort in the event 776 that a CNI plugin doesn't support `hostPort`. This has security implications and is not recommended 777 as doing so gives the consul client unnecessary access to all network traffic on the host. 778 In most cases, pod network and host network are on different networks so this should be 779 combined with `dnsPolicy: ClusterFirstWithHostNet` 780 781 - `updateStrategy` ((#v-client-updatestrategy)) (`string: null`) - updateStrategy for the DaemonSet. 782 See https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy. 783 This should be a multi-line string mapping directly to the updateStrategy 784 785 Example: 786 787 ```yaml 788 updateStrategy: | 789 rollingUpdate: 790 maxUnavailable: 5 791 type: RollingUpdate 792 ``` 793 794 - `snapshotAgent` ((#v-client-snapshotagent)) - <EnterpriseAlert inline /> Values for setting up and running snapshot agents 795 (https://consul.io/commands/snapshot/agent) 796 within the Consul clusters. They are required to be co-located with Consul clients, 797 so will inherit the clients' nodeSelector, tolerations and affinity. 798 799 - `enabled` ((#v-client-snapshotagent-enabled)) (`boolean: false`) - If true, the chart will install resources necessary to run the snapshot agent. 800 801 - `replicas` ((#v-client-snapshotagent-replicas)) (`integer: 2`) - The number of snapshot agents to run. 802 803 - `configSecret` ((#v-client-snapshotagent-configsecret)) - A Kubernetes secret that should be manually created to contain the entire 804 config to be used on the snapshot agent. 805 This is the preferred method of configuration since there are usually storage 806 credentials present. Please see Snapshot agent config (https://consul.io/commands/snapshot/agent#config-file-options) 807 for details. 808 809 - `secretName` ((#v-client-snapshotagent-configsecret-secretname)) (`string: null`) - The name of the Kubernetes secret. 810 811 - `secretKey` ((#v-client-snapshotagent-configsecret-secretkey)) (`string: null`) - The key of the Kubernetes secret. 812 813 - `serviceAccount` ((#v-client-snapshotagent-serviceaccount)) 814 815 - `annotations` ((#v-client-snapshotagent-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the snapshot agent service account. This should be formatted as a 816 multi-line string. 817 818 ```yaml 819 annotations: | 820 "sample/annotation1": "foo" 821 "sample/annotation2": "bar" 822 ``` 823 824 - `resources` ((#v-client-snapshotagent-resources)) (`map`) - Resource settings for snapshot agent pods. 825 826 - `caCert` ((#v-client-snapshotagent-cacert)) (`string: null`) - Optional PEM-encoded CA certificate that will be added to the trusted system CAs. 827 Useful if using an S3-compatible storage exposing a self-signed certificate. 828 829 Example: 830 831 ```yaml 832 caCert: | 833 -----BEGIN CERTIFICATE----- 834 MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx 835 ... 836 ``` 837 838### dns 839 840- `dns` ((#v-dns)) - Configuration for DNS configuration within the Kubernetes cluster. 841 This creates a service that routes to all agents (client or server) 842 for serving DNS requests. This DOES NOT automatically configure kube-dns 843 today, so you must still manually configure a `stubDomain` with kube-dns 844 for this to have any effect: 845 https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers 846 847 - `enabled` ((#v-dns-enabled)) (`boolean: -`) 848 849 - `type` ((#v-dns-type)) (`string: ClusterIP`) - Used to control the type of service created. For 850 example, setting this to "LoadBalancer" will create an external load 851 balancer (for supported K8S installations) 852 853 - `clusterIP` ((#v-dns-clusterip)) (`string: null`) - Set a predefined cluster IP for the DNS service. 854 Useful if you need to reference the DNS service's IP 855 address in CoreDNS config. 856 857 - `annotations` ((#v-dns-annotations)) (`string: null`) - Extra annotations to attach to the dns service 858 This should be a multi-line string of 859 annotations to apply to the dns Service 860 861 - `additionalSpec` ((#v-dns-additionalspec)) (`string: null`) - Additional ServiceSpec values 862 This should be a multi-line string mapping directly to a Kubernetes 863 ServiceSpec object. 864 865### ui 866 867- `ui` ((#v-ui)) - Values that configure the Consul UI. 868 869 - `enabled` ((#v-ui-enabled)) (`boolean: global.enabled`) - If true, the UI will be enabled. This will 870 only _enable_ the UI, it doesn't automatically register any service for external 871 access. The UI will only be enabled on server agents. If `server.enabled` is 872 false, then this setting has no effect. To expose the UI in some way, you must 873 configure `ui.service`. 874 875 - `service` ((#v-ui-service)) - Configure the service for the Consul UI. 876 877 - `enabled` ((#v-ui-service-enabled)) (`boolean: true`) - This will enable/disable registering a 878 Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is 879 true and taking effect. 880 881 - `type` ((#v-ui-service-type)) (`string: null`) - The service type to register. 882 883 - `nodePort` ((#v-ui-service-nodeport)) - Optionally set the nodePort value of the ui service if using a NodePort service. 884 If not set and using a NodePort service, Kubernetes will automatically assign 885 a port. 886 887 - `http` ((#v-ui-service-nodeport-http)) (`integer: null`) - HTTP node port 888 889 - `https` ((#v-ui-service-nodeport-https)) (`integer: null`) - HTTPS node port 890 891 - `annotations` ((#v-ui-service-annotations)) (`string: null`) - Annotations to apply to the UI service. 892 893 Example: 894 895 ```yaml 896 annotations: | 897 'annotation-key': annotation-value 898 ``` 899 900 - `additionalSpec` ((#v-ui-service-additionalspec)) (`string: null`) - Additional ServiceSpec values 901 This should be a multi-line string mapping directly to a Kubernetes 902 ServiceSpec object. 903 904 - `ingress` ((#v-ui-ingress)) - Configure Ingress for the Consul UI. 905 If `global.tls.enabled` is set to `true`, the Ingress will expose 906 the port 443 on the UI service. Please ensure the Ingress Controller 907 supports SSL pass-through and it is enabled to ensure traffic forwarded 908 to port 443 has not been TLS terminated. 909 910 - `enabled` ((#v-ui-ingress-enabled)) (`boolean: false`) - This will create an Ingress resource for the Consul UI. 911 912 - `pathType` ((#v-ui-ingress-pathtype)) (`string: Prefix`) - pathType override - see: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types 913 914 - `hosts` ((#v-ui-ingress-hosts)) (`array<map>`) - hosts is a list of host name to create Ingress rules. 915 916 ```yaml 917 hosts: 918 - host: foo.bar 919 paths: 920 - /example 921 - /test 922 ``` 923 924 - `tls` ((#v-ui-ingress-tls)) (`array<map>`) - tls is a list of hosts and secret name in an Ingress 925 which tells the Ingress controller to secure the channel. 926 927 ```yaml 928 tls: 929 - hosts: 930 - chart-example.local 931 secretName: testsecret-tls 932 ``` 933 934 - `annotations` ((#v-ui-ingress-annotations)) (`string: null`) - Annotations to apply to the UI ingress. 935 936 Example: 937 938 ```yaml 939 annotations: | 940 'annotation-key': annotation-value 941 ``` 942 943 - `metrics` ((#v-ui-metrics)) - Configurations for displaying metrics in the UI. 944 945 - `enabled` ((#v-ui-metrics-enabled)) (`boolean: global.metrics.enabled`) - Enable displaying metrics in the UI. The default value of "-" 946 will inherit from `global.metrics.enabled` value. 947 948 - `provider` ((#v-ui-metrics-provider)) (`string: prometheus`) - Provider for metrics. See 949 https://www.consul.io/docs/agent/options#ui_config_metrics_provider 950 This value is only used if `ui.enabled` is set to true. 951 952 - `baseURL` ((#v-ui-metrics-baseurl)) (`string: http://prometheus-server`) - baseURL is the URL of the prometheus server, usually the service URL. 953 This value is only used if `ui.enabled` is set to true. 954 955### syncCatalog 956 957- `syncCatalog` ((#v-synccatalog)) - Configure the catalog sync process to sync K8S with Consul 958 services. This can run bidirectional (default) or unidirectionally (Consul 959 to K8S or K8S to Consul only). 960 961 This process assumes that a Consul agent is available on the host IP. 962 This is done automatically if clients are enabled. If clients are not 963 enabled then set the node selection so that it chooses a node with a 964 Consul agent. 965 966 - `enabled` ((#v-synccatalog-enabled)) (`boolean: false`) - True if you want to enable the catalog sync. Set to "-" to inherit from 967 global.enabled. 968 969 - `image` ((#v-synccatalog-image)) (`string: null`) - The name of the Docker image (including any tag) for consul-k8s-control-plane 970 to run the sync program. 971 972 - `default` ((#v-synccatalog-default)) (`boolean: true`) - If true, all valid services in K8S are 973 synced by default. If false, the service must be annotated 974 (https://consul.io/docs/k8s/service-sync#sync-enable-disable) properly to sync. 975 In either case an annotation can override the default. 976 977 - `priorityClassName` ((#v-synccatalog-priorityclassname)) (`string: ""`) - Optional priorityClassName. 978 979 - `toConsul` ((#v-synccatalog-toconsul)) (`boolean: true`) - If true, will sync Kubernetes services to Consul. This can be disabled to 980 have a one-way sync. 981 982 - `toK8S` ((#v-synccatalog-tok8s)) (`boolean: true`) - If true, will sync Consul services to Kubernetes. This can be disabled to 983 have a one-way sync. 984 985 - `k8sPrefix` ((#v-synccatalog-k8sprefix)) (`string: null`) - Service prefix to prepend to services before registering 986 with Kubernetes. For example "consul-" will register all services 987 prepended with "consul-". (Consul -> Kubernetes sync) 988 989 - `k8sAllowNamespaces` ((#v-synccatalog-k8sallownamespaces)) (`array<string>: ["*"]`) - List of k8s namespaces to sync the k8s services from. 990 If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`, 991 services in that k8s namespace will not be synced even if they are explicitly 992 annotated. Use `["*"]` to automatically allow all k8s namespaces. 993 994 For example, `["namespace1", "namespace2"]` will only allow services in the k8s 995 namespaces `namespace1` and `namespace2` to be synced and registered 996 with Consul. All other k8s namespaces will be ignored. 997 998 To deny all namespaces, set this to `[]`. 999 1000 Note: `k8sDenyNamespaces` takes precedence over values defined here. 1001 1002 - `k8sDenyNamespaces` ((#v-synccatalog-k8sdenynamespaces)) (`array<string>: ["kube-system", "kube-public"]`) - List of k8s namespaces that should not have their 1003 services synced. This list takes precedence over `k8sAllowNamespaces`. 1004 `*` is not supported because then nothing would be allowed to sync. 1005 1006 For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is 1007 `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` 1008 and `namespace2` will be synced. 1009 1010 - `k8sSourceNamespace` ((#v-synccatalog-k8ssourcenamespace)) (`string: null`) - [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For 1011 backwards compatibility, if both this and the allow/deny lists are set, 1012 the allow/deny lists will be ignored. 1013 k8sSourceNamespace is the Kubernetes namespace to watch for service 1014 changes and sync to Consul. If this is not set then it will default 1015 to all namespaces. 1016 1017 - `consulNamespaces` ((#v-synccatalog-consulnamespaces)) - <EnterpriseAlert inline /> These settings manage the catalog sync's interaction with 1018 Consul namespaces (requires consul-ent v1.7+). 1019 Also, `global.enableConsulNamespaces` must be true. 1020 1021 - `consulDestinationNamespace` ((#v-synccatalog-consulnamespaces-consuldestinationnamespace)) (`string: default`) - Name of the Consul namespace to register all 1022 k8s services into. If the Consul namespace does not already exist, 1023 it will be created. This will be ignored if `mirroringK8S` is true. 1024 1025 - `mirroringK8S` ((#v-synccatalog-consulnamespaces-mirroringk8s)) (`boolean: false`) - If true, k8s services will be registered into a Consul namespace 1026 of the same name as their k8s namespace, optionally prefixed if 1027 `mirroringK8SPrefix` is set below. If the Consul namespace does not 1028 already exist, it will be created. Turning this on overrides the 1029 `consulDestinationNamespace` setting. 1030 `addK8SNamespaceSuffix` may no longer be needed if enabling this option. 1031 1032 - `mirroringK8SPrefix` ((#v-synccatalog-consulnamespaces-mirroringk8sprefix)) (`string: ""`) - If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace 1033 to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a 1034 service in the k8s `staging` namespace will be registered into the 1035 `k8s-staging` Consul namespace. 1036 1037 - `addK8SNamespaceSuffix` ((#v-synccatalog-addk8snamespacesuffix)) (`boolean: true`) - Appends Kubernetes namespace suffix to 1038 each service name synced to Consul, separated by a dash. 1039 For example, for a service 'foo' in the default namespace, 1040 the sync process will create a Consul service named 'foo-default'. 1041 Set this flag to true to avoid registering services with the same name 1042 but in different namespaces as instances for the same Consul service. 1043 Namespace suffix is not added if 'annotationServiceName' is provided. 1044 1045 - `consulPrefix` ((#v-synccatalog-consulprefix)) (`string: null`) - Service prefix which prepends itself 1046 to Kubernetes services registered within Consul 1047 For example, "k8s-" will register all services prepended with "k8s-". 1048 (Kubernetes -> Consul sync) 1049 consulPrefix is ignored when 'annotationServiceName' is provided. 1050 NOTE: Updating this property to a non-null value for an existing installation will result in deregistering 1051 of existing services in Consul and registering them with a new name. 1052 1053 - `k8sTag` ((#v-synccatalog-k8stag)) (`string: null`) - Optional tag that is applied to all of the Kubernetes services 1054 that are synced into Consul. If nothing is set, defaults to "k8s". 1055 (Kubernetes -> Consul sync) 1056 1057 - `consulNodeName` ((#v-synccatalog-consulnodename)) (`string: k8s-sync`) - Defines the Consul synthetic node that all services 1058 will be registered to. 1059 NOTE: Changing the node name and upgrading the Helm chart will leave 1060 all of the previously sync'd services registered with Consul and 1061 register them again under the new Consul node name. The out-of-date 1062 registrations will need to be explicitly removed. 1063 1064 - `syncClusterIPServices` ((#v-synccatalog-syncclusteripservices)) (`boolean: true`) - Syncs services of the ClusterIP type, which may 1065 or may not be broadly accessible depending on your Kubernetes cluster. 1066 Set this to false to skip syncing ClusterIP services. 1067 1068 - `nodePortSyncType` ((#v-synccatalog-nodeportsynctype)) (`string: ExternalFirst`) - Configures the type of syncing that happens for NodePort 1069 services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst. 1070 1071 - ExternalOnly will only use a node's ExternalIP address for the sync 1072 - InternalOnly use's the node's InternalIP address 1073 - ExternalFirst will preferentially use the node's ExternalIP address, but 1074 if it doesn't exist, it will use the node's InternalIP address instead. 1075 1076 - `aclSyncToken` ((#v-synccatalog-aclsynctoken)) - Refers to a Kubernetes secret that you have created that contains 1077 an ACL token for your Consul cluster which allows the sync process the correct 1078 permissions. This is only needed if ACLs are enabled on the Consul cluster. 1079 1080 - `secretName` ((#v-synccatalog-aclsynctoken-secretname)) (`string: null`) - The name of the Kubernetes secret. 1081 1082 - `secretKey` ((#v-synccatalog-aclsynctoken-secretkey)) (`string: null`) - The key of the Kubernetes secret. 1083 1084 - `nodeSelector` ((#v-synccatalog-nodeselector)) (`string: null`) - This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) 1085 labels for catalog sync pod assignment, formatted as a multi-line string. 1086 1087 Example: 1088 1089 ```yaml 1090 nodeSelector: | 1091 beta.kubernetes.io/arch: amd64 1092 ``` 1093 1094 - `affinity` ((#v-synccatalog-affinity)) (`string: null`) - Affinity Settings 1095 This should be a multi-line string matching the affinity object 1096 1097 - `tolerations` ((#v-synccatalog-tolerations)) (`string: null`) - Toleration Settings 1098 This should be a multi-line string matching the Toleration array 1099 in a PodSpec. 1100 1101 - `serviceAccount` ((#v-synccatalog-serviceaccount)) 1102 1103 - `annotations` ((#v-synccatalog-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the mesh gateways' service account. This should be formatted as a 1104 multi-line string. 1105 1106 ```yaml 1107 annotations: | 1108 "sample/annotation1": "foo" 1109 "sample/annotation2": "bar" 1110 ``` 1111 1112 - `resources` ((#v-synccatalog-resources)) (`map`) - Resource settings for sync catalog pods. 1113 1114 - `logLevel` ((#v-synccatalog-loglevel)) (`string: ""`) - Override global log verbosity level. One of "debug", "info", "warn", or "error". 1115 1116 - `consulWriteInterval` ((#v-synccatalog-consulwriteinterval)) (`string: null`) - Override the default interval to perform syncing operations creating Consul services. 1117 1118 - `extraLabels` ((#v-synccatalog-extralabels)) (`map`) - Extra labels to attach to the sync catalog pods. This should be a YAML map. 1119 1120 Example: 1121 1122 ```yaml 1123 extraLabels: 1124 labelKey: label-value 1125 anotherLabelKey: another-label-value 1126 ``` 1127 1128### connectInject 1129 1130- `connectInject` ((#v-connectinject)) - Configures the automatic Connect sidecar injector. 1131 1132 - `enabled` ((#v-connectinject-enabled)) (`boolean: false`) - True if you want to enable connect injection. Set to "-" to inherit from 1133 global.enabled. 1134 1135 - `replicas` ((#v-connectinject-replicas)) (`integer: 2`) - The number of deployment replicas. 1136 1137 - `image` ((#v-connectinject-image)) (`string: null`) - Image for consul-k8s-control-plane that contains the injector. 1138 1139 - `default` ((#v-connectinject-default)) (`boolean: false`) - If true, the injector will inject the 1140 Connect sidecar into all pods by default. Otherwise, pods must specify the 1141 injection annotation (https://consul.io/docs/k8s/connect#consul-hashicorp-com-connect-inject) 1142 to opt-in to Connect injection. If this is true, pods can use the same annotation 1143 to explicitly opt-out of injection. 1144 1145 - `transparentProxy` ((#v-connectinject-transparentproxy)) - Configures Transparent Proxy for Consul Service mesh services. 1146 Using this feature requires Consul 1.10.0-beta1+. 1147 1148 - `defaultEnabled` ((#v-connectinject-transparentproxy-defaultenabled)) (`boolean: true`) - If true, then all Consul Service mesh will run with transparent proxy enabled by default, 1149 i.e. we enforce that all traffic within the pod will go through the proxy. 1150 This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation. 1151 1152 - `defaultOverwriteProbes` ((#v-connectinject-transparentproxy-defaultoverwriteprobes)) (`boolean: true`) - If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead. 1153 This setting is recommended because with traffic being enforced to go through the Envoy proxy, 1154 the probes on the pod will fail because kube-proxy doesn't have the right certificates 1155 to talk to Envoy. 1156 This value is also overridable via the "consul.hashicorp.com/transparent-proxy-overwrite-probes" annotation. 1157 Note: This value has no effect if transparent proxy is disabled on the pod. 1158 1159 - `metrics` ((#v-connectinject-metrics)) - Configures metrics for Consul Connect services. All values are overridable 1160 via annotations on a per-pod basis. 1161 1162 - `defaultEnabled` ((#v-connectinject-metrics-defaultenabled)) (`string: -`) - If true, the connect-injector will automatically 1163 add prometheus annotations to connect-injected pods. It will also 1164 add a listener on the Envoy sidecar to expose metrics. The exposed 1165 metrics will depend on whether metrics merging is enabled: 1166 1167 - If metrics merging is enabled: 1168 the Consul sidecar will run a merged metrics server 1169 combining Envoy sidecar and Connect service metrics, 1170 i.e. if your service exposes its own Prometheus metrics. 1171 - If metrics merging is disabled: 1172 the listener will just expose Envoy sidecar metrics. 1173 This will inherit from `global.metrics.enabled`. 1174 1175 - `defaultEnableMerging` ((#v-connectinject-metrics-defaultenablemerging)) (`boolean: false`) - Configures the Consul sidecar to run a merged metrics server 1176 to combine and serve both Envoy and Connect service metrics. 1177 This feature is available only in Consul v1.10.0 or greater. 1178 1179 - `defaultMergedMetricsPort` ((#v-connectinject-metrics-defaultmergedmetricsport)) (`integer: 20100`) - Configures the port at which the Consul sidecar will listen on to return 1180 combined metrics. This port only needs to be changed if it conflicts with 1181 the application's ports. 1182 1183 - `defaultPrometheusScrapePort` ((#v-connectinject-metrics-defaultprometheusscrapeport)) (`integer: 20200`) - Configures the port Prometheus will scrape metrics from, by configuring 1184 the Pod annotation `prometheus.io/port` and the corresponding listener in 1185 the Envoy sidecar. 1186 NOTE: This is _not_ the port that your application exposes metrics on. 1187 That can be configured with the 1188 `consul.hashicorp.com/service-metrics-port` annotation. 1189 1190 - `defaultPrometheusScrapePath` ((#v-connectinject-metrics-defaultprometheusscrapepath)) (`string: /metrics`) - Configures the path Prometheus will scrape metrics from, by configuring the pod 1191 annotation `prometheus.io/path` and the corresponding handler in the Envoy 1192 sidecar. 1193 NOTE: This is _not_ the path that your application exposes metrics on. 1194 That can be configured with the 1195 `consul.hashicorp.com/service-metrics-path` annotation. 1196 1197 - `envoyExtraArgs` ((#v-connectinject-envoyextraargs)) (`string: null`) - Used to pass arguments to the injected envoy sidecar. 1198 Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli 1199 e.g "--log-level debug --disable-hot-restart" 1200 1201 - `priorityClassName` ((#v-connectinject-priorityclassname)) (`string: ""`) - Optional priorityClassName. 1202 1203 - `imageConsul` ((#v-connectinject-imageconsul)) (`string: null`) - The Docker image for Consul to use when performing Connect injection. 1204 Defaults to global.image. 1205 1206 - `logLevel` ((#v-connectinject-loglevel)) (`string: ""`) - Override global log verbosity level. One of "debug", "info", "warn", or "error". 1207 1208 - `serviceAccount` ((#v-connectinject-serviceaccount)) 1209 1210 - `annotations` ((#v-connectinject-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the injector service account. This should be formatted as a 1211 multi-line string. 1212 1213 ```yaml 1214 annotations: | 1215 "sample/annotation1": "foo" 1216 "sample/annotation2": "bar" 1217 ``` 1218 1219 - `resources` ((#v-connectinject-resources)) (`map`) - Resource settings for connect inject pods. 1220 1221 - `failurePolicy` ((#v-connectinject-failurepolicy)) (`string: Fail`) - Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook 1222 is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline. 1223 Once the webhook is back online the pod will be scheduled. 1224 In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running 1225 which can lead to hangs. In these environments it is recommend to use "Ignore" instead. 1226 This setting can be safely disabled by setting to "Ignore". 1227 1228 - `namespaceSelector` ((#v-connectinject-namespaceselector)) (`string: null`) - Selector for restricting the webhook to only 1229 specific namespaces. This should be set to a multiline string. 1230 See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector 1231 for more details. 1232 1233 Example: 1234 1235 ```yaml 1236 namespaceSelector: | 1237 matchLabels: 1238 namespace-label: label-value 1239 ``` 1240 1241 - `k8sAllowNamespaces` ((#v-connectinject-k8sallownamespaces)) (`array<string>: ["*"]`) - List of k8s namespaces to allow Connect sidecar 1242 injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, 1243 pods in that k8s namespace will not be injected even if they are explicitly 1244 annotated. Use `["*"]` to automatically allow all k8s namespaces. 1245 1246 For example, `["namespace1", "namespace2"]` will only allow pods in the k8s 1247 namespaces `namespace1` and `namespace2` to have Connect sidecars injected 1248 and registered with Consul. All other k8s namespaces will be ignored. 1249 1250 To deny all namespaces, set this to `[]`. 1251 1252 Note: `k8sDenyNamespaces` takes precedence over values defined here and 1253 `namespaceSelector` takes precedence over both since it is applied first. 1254 `kube-system` and `kube-public` are never injected, even if included here. 1255 1256 - `k8sDenyNamespaces` ((#v-connectinject-k8sdenynamespaces)) (`array<string>: []`) - List of k8s namespaces that should not allow Connect 1257 sidecar injection. This list takes precedence over `k8sAllowNamespaces`. 1258 `*` is not supported because then nothing would be allowed to be injected. 1259 1260 For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is 1261 `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1" 1262 and "namespace2" will be available for injection. 1263 1264 Note: `namespaceSelector` takes precedence over this since it is applied first. 1265 `kube-system` and `kube-public` are never injected. 1266 1267 - `consulNamespaces` ((#v-connectinject-consulnamespaces)) - <EnterpriseAlert inline /> These settings manage the connect injector's interaction with 1268 Consul namespaces (requires consul-ent v1.7+). 1269 Also, `global.enableConsulNamespaces` must be true. 1270 1271 - `consulDestinationNamespace` ((#v-connectinject-consulnamespaces-consuldestinationnamespace)) (`string: default`) - Name of the Consul namespace to register all 1272 k8s pods into. If the Consul namespace does not already exist, 1273 it will be created. This will be ignored if `mirroringK8S` is true. 1274 1275 - `mirroringK8S` ((#v-connectinject-consulnamespaces-mirroringk8s)) (`boolean: false`) - Causes k8s pods to be registered into a Consul namespace 1276 of the same name as their k8s namespace, optionally prefixed if 1277 `mirroringK8SPrefix` is set below. If the Consul namespace does not 1278 already exist, it will be created. Turning this on overrides the 1279 `consulDestinationNamespace` setting. 1280 1281 - `mirroringK8SPrefix` ((#v-connectinject-consulnamespaces-mirroringk8sprefix)) (`string: ""`) - If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace 1282 to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a 1283 pod in the k8s `staging` namespace will be registered into the 1284 `k8s-staging` Consul namespace. 1285 1286 - `nodeSelector` ((#v-connectinject-nodeselector)) (`string: null`) - Selector labels for connectInject pod assignment, formatted as a multi-line string. 1287 ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector 1288 1289 Example: 1290 1291 ```yaml 1292 nodeSelector: | 1293 beta.kubernetes.io/arch: amd64 1294 ``` 1295 1296 - `affinity` ((#v-connectinject-affinity)) (`string: null`) - Affinity Settings 1297 This should be a multi-line string matching the affinity object 1298 1299 - `tolerations` ((#v-connectinject-tolerations)) (`string: null`) - Toleration Settings 1300 This should be a multi-line string matching the Toleration array 1301 in a PodSpec. 1302 1303 - `aclBindingRuleSelector` ((#v-connectinject-aclbindingruleselector)) (`string: serviceaccount.name!=default`) - Query that defines which Service Accounts 1304 can authenticate to Consul and receive an ACL token during Connect injection. 1305 The default setting, i.e. serviceaccount.name!=default, prevents the 1306 'default' Service Account from logging in. 1307 If set to an empty string all service accounts can log in. 1308 This only has effect if ACLs are enabled. 1309 1310 See https://www.consul.io/docs/acl/acl-auth-methods.html#binding-rules 1311 and https://www.consul.io/docs/acl/auth-methods/kubernetes.html#trusted-identity-attributes 1312 for more details. 1313 Requires Consul >= v1.5. 1314 1315 - `overrideAuthMethodName` ((#v-connectinject-overrideauthmethodname)) (`string: ""`) - If you are not using global.acls.manageSystemACLs and instead manually setting up an 1316 auth method for Connect inject, set this to the name of your auth method. 1317 1318 - `aclInjectToken` ((#v-connectinject-aclinjecttoken)) - Refers to a Kubernetes secret that you have created that contains 1319 an ACL token for your Consul cluster which allows the Connect injector the correct 1320 permissions. This is only needed if Consul namespaces <EnterpriseAlert inline /> and ACLs 1321 are enabled on the Consul cluster and you are not setting 1322 `global.acls.manageSystemACLs` to `true`. 1323 This token needs to have `operator = "write"` privileges to be able to 1324 create Consul namespaces. 1325 1326 - `secretName` ((#v-connectinject-aclinjecttoken-secretname)) (`string: null`) - The name of the Kubernetes secret. 1327 1328 - `secretKey` ((#v-connectinject-aclinjecttoken-secretkey)) (`string: null`) - The key of the Kubernetes secret. 1329 1330 - `sidecarProxy` ((#v-connectinject-sidecarproxy)) 1331 1332 - `resources` ((#v-connectinject-sidecarproxy-resources)) (`map`) - Set default resources for sidecar proxy. If null, that resource won't 1333 be set. 1334 These settings can be overridden on a per-pod basis via these annotations: 1335 1336 - `consul.hashicorp.com/sidecar-proxy-cpu-limit` 1337 - `consul.hashicorp.com/sidecar-proxy-cpu-request` 1338 - `consul.hashicorp.com/sidecar-proxy-memory-limit` 1339 - `consul.hashicorp.com/sidecar-proxy-memory-request` 1340 1341 - `requests` ((#v-connectinject-sidecarproxy-resources-requests)) 1342 1343 - `memory` ((#v-connectinject-sidecarproxy-resources-requests-memory)) (`string: null`) - Recommended default: 100Mi 1344 1345 - `cpu` ((#v-connectinject-sidecarproxy-resources-requests-cpu)) (`string: null`) - Recommended default: 100m 1346 1347 - `limits` ((#v-connectinject-sidecarproxy-resources-limits)) 1348 1349 - `memory` ((#v-connectinject-sidecarproxy-resources-limits-memory)) (`string: null`) - Recommended default: 100Mi 1350 1351 - `cpu` ((#v-connectinject-sidecarproxy-resources-limits-cpu)) (`string: null`) - Recommended default: 100m 1352 1353 - `initContainer` ((#v-connectinject-initcontainer)) (`map`) - Resource settings for the Connect injected init container. 1354 1355### controller 1356 1357- `controller` ((#v-controller)) - Controller handles config entry custom resources. 1358 Requires consul >= 1.8.4. 1359 ServiceIntentions require consul 1.9+. 1360 1361 - `enabled` ((#v-controller-enabled)) (`boolean: false`) - Enables the controller for managing custom resources. 1362 1363 - `replicas` ((#v-controller-replicas)) (`integer: 1`) - The number of deployment replicas. 1364 1365 - `logLevel` ((#v-controller-loglevel)) (`string: ""`) - Log verbosity level. One of "debug", "info", "warn", or "error". 1366 1367 - `serviceAccount` ((#v-controller-serviceaccount)) 1368 1369 - `annotations` ((#v-controller-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the controller service account. This should be formatted as a 1370 multi-line string. 1371 1372 ```yaml 1373 annotations: | 1374 "sample/annotation1": "foo" 1375 "sample/annotation2": "bar" 1376 ``` 1377 1378 - `resources` ((#v-controller-resources)) (`map`) - Resource settings for controller pods. 1379 1380 - `nodeSelector` ((#v-controller-nodeselector)) (`string: null`) - Optional YAML string to specify a nodeSelector config. 1381 1382 - `tolerations` ((#v-controller-tolerations)) (`string: null`) - Optional YAML string to specify tolerations. 1383 1384 - `affinity` ((#v-controller-affinity)) (`string: null`) - Affinity Settings 1385 This should be a multi-line string matching the affinity object 1386 1387 - `priorityClassName` ((#v-controller-priorityclassname)) (`string: ""`) - Optional priorityClassName. 1388 1389 - `aclToken` ((#v-controller-acltoken)) - Refers to a Kubernetes secret that you have created that contains 1390 an ACL token for your Consul cluster which grants the controller process the correct 1391 permissions. This is only needed if you are managing ACLs yourself (i.e. not using 1392 `global.acls.manageSystemACLs`). 1393 1394 If running Consul OSS, requires permissions: 1395 1396 ```hcl 1397 operator = "write" 1398 service_prefix "" { 1399 policy = "write" 1400 intentions = "write" 1401 } 1402 ``` 1403 1404 If running Consul Enterprise, talk to your account manager for assistance. 1405 1406 - `secretName` ((#v-controller-acltoken-secretname)) (`string: null`) - The name of the Kubernetes secret. 1407 1408 - `secretKey` ((#v-controller-acltoken-secretkey)) (`string: null`) - The key of the Kubernetes secret. 1409 1410### meshGateway 1411 1412- `meshGateway` ((#v-meshgateway)) - Mesh Gateways enable Consul Connect to work across Consul datacenters. 1413 1414 - `enabled` ((#v-meshgateway-enabled)) (`boolean: false`) - If mesh gateways are enabled, a Deployment will be created that runs 1415 gateways and Consul Connect will be configured to use gateways. 1416 See https://www.consul.io/docs/connect/mesh_gateway.html 1417 Requirements: consul 1.6.0+ if using 1418 global.acls.manageSystemACLs. 1419 1420 - `replicas` ((#v-meshgateway-replicas)) (`integer: 2`) - Number of replicas for the Deployment. 1421 1422 - `wanAddress` ((#v-meshgateway-wanaddress)) - What gets registered as WAN address for the gateway. 1423 1424 - `source` ((#v-meshgateway-wanaddress-source)) (`string: Service`) - source configures where to retrieve the WAN address (and possibly port) 1425 for the mesh gateway from. 1426 Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. 1427 1428 - `Service` - Determine the address based on the service type. 1429 1430 - If `service.type=LoadBalancer` use the external IP or hostname of 1431 the service. Use the port set by `service.port`. 1432 1433 - If `service.type=NodePort` use the Node IP. The port will be set to 1434 `service.nodePort` so `service.nodePort` cannot be null. 1435 1436 - If `service.type=ClusterIP` use the `ClusterIP`. The port will be set to 1437 `service.port`. 1438 1439 - `service.type=ExternalName` is not supported. 1440 1441 - `NodeIP` - The node IP as provided by the Kubernetes downward API. 1442 1443 - `NodeName` - The name of the node as provided by the Kubernetes downward 1444 API. This is useful if the node names are DNS entries that 1445 are routable from other datacenters. 1446 1447 - `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`. 1448 1449 - `port` ((#v-meshgateway-wanaddress-port)) (`integer: 443`) - Port that gets registered for WAN traffic. 1450 If source is set to "Service" then this setting will have no effect. 1451 See the documentation for source as to which port will be used in that 1452 case. 1453 1454 - `static` ((#v-meshgateway-wanaddress-static)) (`string: ""`) - If source is set to "Static" then this value will be used as the WAN 1455 address of the mesh gateways. This is useful if you've configured a 1456 DNS entry to point to your mesh gateways. 1457 1458 - `service` ((#v-meshgateway-service)) - The service option configures the Service that fronts the Gateway Deployment. 1459 1460 - `enabled` ((#v-meshgateway-service-enabled)) (`boolean: true`) - Whether to create a Service or not. 1461 1462 - `type` ((#v-meshgateway-service-type)) (`string: LoadBalancer`) - Type of service, ex. LoadBalancer, ClusterIP. 1463 1464 - `port` ((#v-meshgateway-service-port)) (`integer: 443`) - Port that the service will be exposed on. 1465 The targetPort will be set to meshGateway.containerPort. 1466 1467 - `nodePort` ((#v-meshgateway-service-nodeport)) (`integer: null`) - Optionally set the nodePort value of the service if using a NodePort service. 1468 If not set and using a NodePort service, Kubernetes will automatically assign 1469 a port. 1470 1471 - `annotations` ((#v-meshgateway-service-annotations)) (`string: null`) - Annotations to apply to the mesh gateway service. 1472 1473 Example: 1474 1475 ```yaml 1476 annotations: | 1477 'annotation-key': annotation-value 1478 ``` 1479 1480 - `additionalSpec` ((#v-meshgateway-service-additionalspec)) (`string: null`) - Optional YAML string that will be appended to the Service spec. 1481 1482 - `hostNetwork` ((#v-meshgateway-hostnetwork)) (`boolean: false`) - If set to true, gateway Pods will run on the host network. 1483 1484 - `dnsPolicy` ((#v-meshgateway-dnspolicy)) (`string: null`) - dnsPolicy to use. 1485 1486 - `consulServiceName` ((#v-meshgateway-consulservicename)) (`string: mesh-gateway`) - Consul service name for the mesh gateways. 1487 Cannot be set to anything other than "mesh-gateway" if 1488 global.acls.manageSystemACLs is true since the ACL token 1489 generated is only for the name 'mesh-gateway'. 1490 1491 - `containerPort` ((#v-meshgateway-containerport)) (`integer: 8443`) - Port that the gateway will run on inside the container. 1492 1493 - `hostPort` ((#v-meshgateway-hostport)) (`integer: null`) - Optional hostPort for the gateway to be exposed on. 1494 This can be used with wanAddress.port and wanAddress.useNodeIP 1495 to expose the gateways directly from the node. 1496 If hostNetwork is true, this must be null or set to the same port as 1497 containerPort. 1498 NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul 1499 agent. 1500 1501 - `serviceAccount` ((#v-meshgateway-serviceaccount)) 1502 1503 - `annotations` ((#v-meshgateway-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the mesh gateways' service account. This should be formatted as a 1504 multi-line string. 1505 1506 ```yaml 1507 annotations: | 1508 "sample/annotation1": "foo" 1509 "sample/annotation2": "bar" 1510 ``` 1511 1512 - `resources` ((#v-meshgateway-resources)) (`map`) - Resource settings for mesh gateway pods. 1513 NOTE: The use of a YAML string is deprecated. Instead, set directly as a 1514 YAML map. 1515 1516 - `initCopyConsulContainer` ((#v-meshgateway-initcopyconsulcontainer)) (`map`) - Resource settings for the `copy-consul-bin` init container. 1517 1518 - `affinity` ((#v-meshgateway-affinity)) (`string`) - By default, we set an anti-affinity so that two gateway pods won't be 1519 on the same node. NOTE: Gateways require that Consul client agents are 1520 also running on the nodes alongside each gateway pod. 1521 1522 - `tolerations` ((#v-meshgateway-tolerations)) (`string: null`) - Optional YAML string to specify tolerations. 1523 1524 - `nodeSelector` ((#v-meshgateway-nodeselector)) (`string: null`) - Optional YAML string to specify a nodeSelector config. 1525 1526 - `priorityClassName` ((#v-meshgateway-priorityclassname)) (`string: ""`) - Optional priorityClassName. 1527 1528 - `annotations` ((#v-meshgateway-annotations)) (`string: null`) - Annotations to apply to the mesh gateway deployment. 1529 1530 Example: 1531 1532 ```yaml 1533 annotations: | 1534 'annotation-key': annotation-value 1535 ``` 1536 1537### ingressGateways 1538 1539- `ingressGateways` ((#v-ingressgateways)) - Configuration options for ingress gateways. Default values for all 1540 ingress gateways are defined in `ingressGateways.defaults`. Any of 1541 these values may be overridden in `ingressGateways.gateways` for a 1542 specific gateway with the exception of annotations. Annotations will 1543 include both the default annotations and any additional ones defined 1544 for a specific gateway. 1545 Requirements: consul >= 1.8.0 1546 1547 - `enabled` ((#v-ingressgateways-enabled)) (`boolean: false`) - Enable ingress gateway deployment. Requires `connectInject.enabled=true` 1548 and `client.enabled=true`. 1549 1550 - `defaults` ((#v-ingressgateways-defaults)) - Defaults sets default values for all gateway fields. With the exception 1551 of annotations, defining any of these values in the `gateways` list 1552 will override the default values provided here. Annotations will 1553 include both the default annotations and any additional ones defined 1554 for a specific gateway. 1555 1556 - `replicas` ((#v-ingressgateways-defaults-replicas)) (`integer: 2`) - Number of replicas for each ingress gateway defined. 1557 1558 - `service` ((#v-ingressgateways-defaults-service)) - The service options configure the Service that fronts the gateway Deployment. 1559 1560 - `type` ((#v-ingressgateways-defaults-service-type)) (`string: ClusterIP`) - Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service 1561 type, you must set the desired nodePorts in the `ports` setting below. 1562 1563 - `ports` ((#v-ingressgateways-defaults-service-ports)) (`array<map>: [{port: 8080, port: 8443}]`) - Ports that will be exposed on the service and gateway container. Any 1564 ports defined as ingress listeners on the gateway's Consul configuration 1565 entry should be included here. The first port will be used as part of 1566 the Consul service registration for the gateway and be listed in its 1567 SRV record. If using a NodePort service type, you must specify the 1568 desired nodePort for each exposed port. 1569 1570 - `annotations` ((#v-ingressgateways-defaults-service-annotations)) (`string: null`) - Annotations to apply to the ingress gateway service. Annotations defined 1571 here will be applied to all ingress gateway services in addition to any 1572 service annotations defined for a specific gateway in `ingressGateways.gateways`. 1573 1574 Example: 1575 1576 ```yaml 1577 annotations: | 1578 'annotation-key': annotation-value 1579 ``` 1580 1581 - `additionalSpec` ((#v-ingressgateways-defaults-service-additionalspec)) (`string: null`) - Optional YAML string that will be appended to the Service spec. 1582 1583 - `serviceAccount` ((#v-ingressgateways-defaults-serviceaccount)) 1584 1585 - `annotations` ((#v-ingressgateways-defaults-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the ingress gateways' service account. This should be formatted 1586 as a multi-line string. 1587 1588 ```yaml 1589 annotations: | 1590 "sample/annotation1": "foo" 1591 "sample/annotation2": "bar" 1592 ``` 1593 1594 - `resources` ((#v-ingressgateways-defaults-resources)) (`map`) - Resource limits for all ingress gateway pods 1595 1596 - `initCopyConsulContainer` ((#v-ingressgateways-defaults-initcopyconsulcontainer)) (`map`) - Resource settings for the `copy-consul-bin` init container. 1597 1598 - `affinity` ((#v-ingressgateways-defaults-affinity)) (`string`) - By default, we set an anti-affinity so that two of the same gateway pods 1599 won't be on the same node. NOTE: Gateways require that Consul client agents are 1600 also running on the nodes alongside each gateway pod. 1601 1602 - `tolerations` ((#v-ingressgateways-defaults-tolerations)) (`string: null`) - Optional YAML string to specify tolerations. 1603 1604 - `nodeSelector` ((#v-ingressgateways-defaults-nodeselector)) (`string: null`) - Optional YAML string to specify a nodeSelector config. 1605 1606 - `priorityClassName` ((#v-ingressgateways-defaults-priorityclassname)) (`string: ""`) - Optional priorityClassName. 1607 1608 - `annotations` ((#v-ingressgateways-defaults-annotations)) (`string: null`) - Annotations to apply to the ingress gateway deployment. Annotations defined 1609 here will be applied to all ingress gateway deployments in addition to any 1610 annotations defined for a specific gateway in `ingressGateways.gateways`. 1611 1612 Example: 1613 1614 ```yaml 1615 annotations: | 1616 "annotation-key": 'annotation-value' 1617 ``` 1618 1619 - `consulNamespace` ((#v-ingressgateways-defaults-consulnamespace)) (`string: default`) - <EnterpriseAlert inline /> `consulNamespace` defines the Consul namespace to register 1620 the gateway into. Requires `global.enableConsulNamespaces` to be true and 1621 Consul Enterprise v1.7+ with a valid Consul Enterprise license. 1622 Note: The Consul namespace MUST exist before the gateway is deployed. 1623 1624 - `gateways` ((#v-ingressgateways-gateways)) (`array<map>`) - Gateways is a list of gateway objects. The only required field for 1625 each is `name`, though they can also contain any of the fields in 1626 `defaults`. Values defined here override the defaults except in the 1627 case of annotations where both will be applied. 1628 1629 - `name` ((#v-ingressgateways-gateways-name)) (`string: ingress-gateway`) 1630 1631### terminatingGateways 1632 1633- `terminatingGateways` ((#v-terminatinggateways)) - Configuration options for terminating gateways. Default values for all 1634 terminating gateways are defined in `terminatingGateways.defaults`. Any of 1635 these values may be overridden in `terminatingGateways.gateways` for a 1636 specific gateway with the exception of annotations. Annotations will 1637 include both the default annotations and any additional ones defined 1638 for a specific gateway. 1639 Requirements: consul >= 1.8.0 1640 1641 - `enabled` ((#v-terminatinggateways-enabled)) (`boolean: false`) - Enable terminating gateway deployment. Requires `connectInject.enabled=true` 1642 and `client.enabled=true`. 1643 1644 - `defaults` ((#v-terminatinggateways-defaults)) - Defaults sets default values for all gateway fields. With the exception 1645 of annotations, defining any of these values in the `gateways` list 1646 will override the default values provided here. Annotations will 1647 include both the default annotations and any additional ones defined 1648 for a specific gateway. 1649 1650 - `replicas` ((#v-terminatinggateways-defaults-replicas)) (`integer: 2`) - Number of replicas for each terminating gateway defined. 1651 1652 - `extraVolumes` ((#v-terminatinggateways-defaults-extravolumes)) (`array<map>`) - A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig/<name>/`. 1653 1654 Example: 1655 1656 ```yaml 1657 extraVolumes: 1658 - type: secret 1659 name: my-secret 1660 items: # optional items array 1661 - key: key 1662 path: path # secret will now mount to /consul/userconfig/my-secret/path 1663 ``` 1664 1665 - `resources` ((#v-terminatinggateways-defaults-resources)) (`map`) - Resource limits for all terminating gateway pods 1666 1667 - `initCopyConsulContainer` ((#v-terminatinggateways-defaults-initcopyconsulcontainer)) (`map`) - Resource settings for the `copy-consul-bin` init container. 1668 1669 - `affinity` ((#v-terminatinggateways-defaults-affinity)) (`string`) - By default, we set an anti-affinity so that two of the same gateway pods 1670 won't be on the same node. NOTE: Gateways require that Consul client agents are 1671 also running on the nodes alongside each gateway pod. 1672 1673 - `tolerations` ((#v-terminatinggateways-defaults-tolerations)) (`string: null`) - Optional YAML string to specify tolerations. 1674 1675 - `nodeSelector` ((#v-terminatinggateways-defaults-nodeselector)) (`string: null`) - Optional YAML string to specify a nodeSelector config. 1676 1677 - `priorityClassName` ((#v-terminatinggateways-defaults-priorityclassname)) (`string: ""`) - Optional priorityClassName. 1678 1679 - `annotations` ((#v-terminatinggateways-defaults-annotations)) (`string: null`) - Annotations to apply to the terminating gateway deployment. Annotations defined 1680 here will be applied to all terminating gateway deployments in addition to any 1681 annotations defined for a specific gateway in `terminatingGateways.gateways`. 1682 1683 Example: 1684 1685 ```yaml 1686 annotations: | 1687 'annotation-key': annotation-value 1688 ``` 1689 1690 - `serviceAccount` ((#v-terminatinggateways-defaults-serviceaccount)) 1691 1692 - `annotations` ((#v-terminatinggateways-defaults-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the terminating gateways' service account. This should be 1693 formatted as a multi-line string. 1694 1695 ```yaml 1696 annotations: | 1697 "sample/annotation1": "foo" 1698 "sample/annotation2": "bar" 1699 ``` 1700 1701 - `consulNamespace` ((#v-terminatinggateways-defaults-consulnamespace)) (`string: default`) - <EnterpriseAlert inline /> `consulNamespace` defines the Consul namespace to register 1702 the gateway into. Requires `global.enableConsulNamespaces` to be true and 1703 Consul Enterprise v1.7+ with a valid Consul Enterprise license. 1704 Note: The Consul namespace MUST exist before the gateway is deployed. 1705 1706 - `gateways` ((#v-terminatinggateways-gateways)) (`array<map>`) - Gateways is a list of gateway objects. The only required field for 1707 each is `name`, though they can also contain any of the fields in 1708 `defaults`. Values defined here override the defaults except in the 1709 case of annotations where both will be applied. 1710 1711 - `name` ((#v-terminatinggateways-gateways-name)) (`string: terminating-gateway`) 1712 1713### prometheus 1714 1715- `prometheus` ((#v-prometheus)) - Configures a demo Prometheus installation. 1716 1717 - `enabled` ((#v-prometheus-enabled)) (`boolean: false`) - When true, the Helm chart will install a demo Prometheus server instance 1718 alongside Consul. 1719 1720### tests 1721 1722- `tests` ((#v-tests)) - Control whether a test Pod manifest is generated when running helm template. 1723 When using helm install, the test Pod is not submitted to the cluster so this 1724 is only useful when running helm template. 1725 1726 - `enabled` ((#v-tests-enabled)) (`boolean: true`) 1727 <!-- codegen: end --> 1728 1729## Helm Chart Examples 1730 1731The below `config.yaml` results in a single server Consul cluster with a `LoadBalancer` to allow external access to the UI and API. 1732 1733```yaml 1734# config.yaml 1735server: 1736 replicas: 1 1737 bootstrapExpect: 1 1738 1739ui: 1740 service: 1741 type: LoadBalancer 1742``` 1743 1744The below `config.yaml` results in a three server Consul Enterprise cluster with 100GB of storage and automatic Connect injection. 1745 1746Note, this would require a secret that contains the enterprise license key. 1747 1748```yaml 1749# config.yaml 1750global: 1751 image: 'hashicorp/consul-enterprise:1.4.2-ent' 1752 1753server: 1754 replicas: 3 1755 bootstrapExpect: 3 1756 enterpriseLicense: 1757 secretName: 'consul-license' 1758 secretKey: 'key' 1759 storage: 100Gi 1760 connect: true 1761 1762client: 1763 grpc: true 1764 1765connectInject: 1766 enabled: true 1767 default: false 1768``` 1769 1770## Customizing the Helm Chart 1771 1772Consul within Kubernetes is highly configurable and the Helm chart contains dozens 1773of the most commonly used configuration options. 1774If you need to extend the Helm chart with additional options, we recommend using a third-party tool, 1775such as [kustomize](https://github.com/kubernetes-sigs/kustomize) or [ship](https://github.com/replicatedhq/ship). 1776Note that the Helm chart heavily relies on Helm lifecycle hooks, and so features like bootstrapping ACLs or TLS 1777will not work as expected. Additionally, we can make changes to the internal implementation (e.g., renaming template files) that 1778may be backward incompatible with such customizations. 1779