docs/k8s/helm.mdx

---
layout: docs
page_title: Helm Chart Configuration
description: Configuration for the Consul Helm chart.
---

# Helm Chart Configuration

## Configuration (Values)

The chart is highly customizable using
[Helm configuration values](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
Each value has a sane default tuned for an optimal getting started experience
with Consul. Before going into production, please review the parameters below
and consider if they're appropriate for your deployment.

<!-- DO NOT EDIT. The docs below are generated automatically. To change, edit
                  the consul-helm repo's values.yaml file -->
<!-- codegen: start -->

### global

- `global` ((#v-global)) - Holds values that affect multiple components of the chart.

  - `enabled` ((#v-global-enabled)) (`boolean: true`) - The main enabled/disabled setting. If true, servers,
    clients, Consul DNS and the Consul UI will be enabled. Each component can override
    this default via its component-specific "enabled" config. If false, no components
    will be installed by default and per-component opt-in is required, such as by
    setting `server.enabled` to true.

  - `logLevel` ((#v-global-loglevel)) (`string: info`) - The default log level to apply to all components which do not otherwise override this setting.
    It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity.
    One of "debug", "info", "warn", or "error".

  - `logJSON` ((#v-global-logjson)) (`boolean: false`) - Enable all component logs to be output in JSON format.

  - `name` ((#v-global-name)) (`string: null`) - Set the prefix used for all resources in the Helm chart. If not set,
    the prefix will be `<helm release name>-consul`.

  - `domain` ((#v-global-domain)) (`string: consul`) - The domain Consul will answer DNS queries for
    (see `-domain` (https://consul.io/docs/agent/options#_domain)) and the domain services synced from
    Consul into Kubernetes will have, e.g. `service-name.service.consul`.

  - `image` ((#v-global-image)) (`string: hashicorp/consul:<latest version>`) - The name (and tag) of the Consul Docker image for clients and servers.
    This can be overridden per component. This should be pinned to a specific
    version tag, otherwise you may inadvertently upgrade your Consul version.

    Examples:

    ```yaml
    # Consul 1.10.0
    image: "consul:1.10.0"
    # Consul Enterprise 1.10.0
    image: "hashicorp/consul-enterprise:1.10.0-ent"
    ```

  - `imagePullSecrets` ((#v-global-imagepullsecrets)) (`array<map>`) - Array of objects containing image pull secret names that will be applied to each service account.
    This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image.
    See https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry for reference.

    Example:

    ```yaml
    imagePullSecrets:
      - name: pull-secret-name
      - name: pull-secret-name-2
    ```

  - `imageK8S` ((#v-global-imagek8s)) (`string: hashicorp/consul-k8s-control-plane:<latest version>`) - The name (and tag) of the consul-k8s-control-plane Docker
    image that is used for functionality such as catalog sync.
    This can be overridden per component.

  - `datacenter` ((#v-global-datacenter)) (`string: dc1`) - The name of the datacenter that the agents should
    register as. This can't be changed once the Consul cluster is up and running
    since Consul doesn't support an automatic way to change this value currently:
    https://github.com/hashicorp/consul/issues/1858.

  - `enablePodSecurityPolicies` ((#v-global-enablepodsecuritypolicies)) (`boolean: false`) - Controls whether pod security policies are created for the Consul components
    created by this chart. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/.

  - `gossipEncryption` ((#v-global-gossipencryption)) - Configures which Kubernetes secret to retrieve Consul's
    gossip encryption key from (see `-encrypt` (https://consul.io/docs/agent/options#_encrypt)). If secretName or
    secretKey are not set, gossip encryption will not be enabled. The secret must
    be in the same namespace that Consul is installed into.

    The secret can be created by running:

    ```shell
    $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen)
    ```

    To reference, use:

    ```yaml
    global:
      gossipEncryption:
        secretName: consul-gossip-encryption-key
        secretKey: key
    ```

    - `secretName` ((#v-global-gossipencryption-secretname)) (`string: ""`) - secretName is the name of the Kubernetes secret that holds the gossip
      encryption key. The secret must be in the same namespace that Consul is installed into.

    - `secretKey` ((#v-global-gossipencryption-secretkey)) (`string: ""`) - secretKey is the key within the Kubernetes secret that holds the gossip
      encryption key.

  - `recursors` ((#v-global-recursors)) (`array<string>: []`) - A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries.
    These values are given as `-recursor` flags to Consul servers and clients.
    See https://www.consul.io/docs/agent/options#_recursor for more details.
    If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`).

  - `tls` ((#v-global-tls)) - Enables TLS (https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure)
    across the cluster to verify authenticity of the Consul servers and clients.
    Requires Consul v1.4.1+.

    - `enabled` ((#v-global-tls-enabled)) (`boolean: false`) - If true, the Helm chart will enable TLS for Consul
      servers and clients and all consul-k8s-control-plane components, as well as generate certificate
      authority (optional) and server and client certificates.

    - `enableAutoEncrypt` ((#v-global-tls-enableautoencrypt)) (`boolean: false`) - If true, turns on the auto-encrypt feature on clients and servers.
      It also switches consul-k8s-control-plane components to retrieve the CA from the servers
      via the API. Requires Consul 1.7.1+.

    - `serverAdditionalDNSSANs` ((#v-global-tls-serveradditionaldnssans)) (`array<string>: []`) - A list of additional DNS names to set as Subject Alternative Names (SANs)
      in the server certificate. This is useful when you need to access the
      Consul server(s) externally, for example, if you're using the UI.

    - `serverAdditionalIPSANs` ((#v-global-tls-serveradditionalipsans)) (`array<string>: []`) - A list of additional IP addresses to set as Subject Alternative Names (SANs)
      in the server certificate. This is useful when you need to access the
      Consul server(s) externally, for example, if you're using the UI.

    - `verify` ((#v-global-tls-verify)) (`boolean: true`) - If true, `verify_outgoing`, `verify_server_hostname`,
      and `verify_incoming_rpc` will be set to `true` for Consul servers and clients.
      Set this to false to incrementally roll out TLS on an existing Consul cluster.
      Please see https://consul.io/docs/k8s/operations/tls-on-existing-cluster
      for more details.

    - `httpsOnly` ((#v-global-tls-httpsonly)) (`boolean: true`) - If true, the Helm chart will configure Consul to disable the HTTP port on
      both clients and servers and to only accept HTTPS connections.

    - `caCert` ((#v-global-tls-cacert)) - A Kubernetes secret containing the certificate of the CA to use for
      TLS communication within the Consul cluster. If you have generated the CA yourself
      with the consul CLI, you could use the following command to create the secret
      in Kubernetes:

      ```bash
      kubectl create secret generic consul-ca-cert \
          --from-file='tls.crt=./consul-agent-ca.pem'
      ```

      - `secretName` ((#v-global-tls-cacert-secretname)) (`string: null`) - The name of the Kubernetes secret.

      - `secretKey` ((#v-global-tls-cacert-secretkey)) (`string: null`) - The key of the Kubernetes secret.

    - `caKey` ((#v-global-tls-cakey)) - A Kubernetes secret containing the private key of the CA to use for
      TLS communication within the Consul cluster. If you have generated the CA yourself
      with the consul CLI, you could use the following command to create the secret
      in Kubernetes:

      ```bash
      kubectl create secret generic consul-ca-key \
          --from-file='tls.key=./consul-agent-ca-key.pem'
      ```

      Note that we need the CA key so that we can generate server and client certificates.
      It is particularly important for the client certificates since they need to have host IPs
      as Subject Alternative Names. In the future, we may support bringing your own server
      certificates.

      - `secretName` ((#v-global-tls-cakey-secretname)) (`string: null`) - The name of the Kubernetes secret.

      - `secretKey` ((#v-global-tls-cakey-secretkey)) (`string: null`) - The key of the Kubernetes secret.

  - `enableConsulNamespaces` ((#v-global-enableconsulnamespaces)) (`boolean: false`) - <EnterpriseAlert inline /> `enableConsulNamespaces` indicates that you are running
    Consul Enterprise v1.7+ with a valid Consul Enterprise license and would
    like to make use of configuration beyond registering everything into
    the `default` Consul namespace. Additional configuration
    options are found in the `consulNamespaces` section of both the catalog sync
    and connect injector.

  - `acls` ((#v-global-acls)) - Configure ACLs.

    - `manageSystemACLs` ((#v-global-acls-managesystemacls)) (`boolean: false`) - If true, the Helm chart will automatically manage ACL tokens and policies
      for all Consul and consul-k8s-control-plane components.
      This requires Consul >= 1.4.

    - `bootstrapToken` ((#v-global-acls-bootstraptoken)) - A Kubernetes secret containing the bootstrap token to use for
      creating policies and tokens for all Consul and consul-k8s-control-plane components.
      If set, we will skip ACL bootstrapping of the servers and will only
      initialize ACLs for the Consul clients and consul-k8s-control-plane system components.

      - `secretName` ((#v-global-acls-bootstraptoken-secretname)) (`string: null`) - The name of the Kubernetes secret.

      - `secretKey` ((#v-global-acls-bootstraptoken-secretkey)) (`string: null`) - The key of the Kubernetes secret.

    - `createReplicationToken` ((#v-global-acls-createreplicationtoken)) (`boolean: false`) - If true, an ACL token will be created that can be used in secondary
      datacenters for replication. This should only be set to true in the
      primary datacenter since the replication token must be created from that
      datacenter.
      In secondary datacenters, the secret needs to be imported from the primary
      datacenter and referenced via `global.acls.replicationToken`.

    - `replicationToken` ((#v-global-acls-replicationtoken)) - replicationToken references a secret containing the replication ACL token.
      This token will be used by secondary datacenters to perform ACL replication
      and create ACL tokens and policies.
      This value is ignored if `bootstrapToken` is also set.

      - `secretName` ((#v-global-acls-replicationtoken-secretname)) (`string: null`) - The name of the Kubernetes secret.

      - `secretKey` ((#v-global-acls-replicationtoken-secretkey)) (`string: null`) - The key of the Kubernetes secret.

  - `federation` ((#v-global-federation)) - Configure federation.

    - `enabled` ((#v-global-federation-enabled)) (`boolean: false`) - If enabled, this datacenter will be federation-capable. Only federation
      via mesh gateways is supported.
      Mesh gateways and servers will be configured to allow federation.
      Requires `global.tls.enabled`, `meshGateway.enabled` and `connectInject.enabled`
      to be true. Requires Consul 1.8+.

    - `createFederationSecret` ((#v-global-federation-createfederationsecret)) (`boolean: false`) - If true, the chart will create a Kubernetes secret that can be imported
      into secondary datacenters so they can federate with this datacenter. The
      secret contains all the information secondary datacenters need to contact
      and authenticate with this datacenter. This should only be set to true
      in your primary datacenter. The secret name is
      `<global.name>-federation` (if setting `global.name`), otherwise
      `<helm-release-name>-consul-federation`.

  - `metrics` ((#v-global-metrics)) - Configures metrics for Consul service mesh

    - `enabled` ((#v-global-metrics-enabled)) (`boolean: false`) - Configures the Helm chart’s components
      to expose Prometheus metrics for the Consul service mesh. By default
      this includes gateway metrics and sidecar metrics.

    - `enableAgentMetrics` ((#v-global-metrics-enableagentmetrics)) (`boolean: false`) - Configures consul agent metrics. Only applicable if
      `global.metrics.enabled` is true.

    - `agentMetricsRetentionTime` ((#v-global-metrics-agentmetricsretentiontime)) (`string: 1m`) - Configures the retention time for metrics in Consul clients and
      servers. This must be greater than 0 for Consul clients and servers
      to expose any metrics at all.
      Only applicable if `global.metrics.enabled` is true.

    - `enableGatewayMetrics` ((#v-global-metrics-enablegatewaymetrics)) (`boolean: true`) - If true, mesh, terminating, and ingress gateways will expose their
      Envoy metrics on port `20200` at the `/metrics` path and all gateway pods
      will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true.

  - `consulSidecarContainer` ((#v-global-consulsidecarcontainer)) (`map`) - For connect-injected pods, the consul sidecar is responsible for metrics merging. For ingress/mesh/terminating
    gateways, it additionally ensures the Consul services are always registered with their local Consul client.

  - `imageEnvoy` ((#v-global-imageenvoy)) (`string: envoyproxy/envoy-alpine:<latest supported version>`) - The name (and tag) of the Envoy Docker image used for the
    connect-injected sidecar proxies and mesh, terminating, and ingress gateways.
    See https://www.consul.io/docs/connect/proxies/envoy for full compatibility matrix between Consul and Envoy.

  - `openshift` ((#v-global-openshift)) - Configuration for running this Helm chart on the Red Hat OpenShift platform.
    This Helm chart currently supports OpenShift v4.x+.

    - `enabled` ((#v-global-openshift-enabled)) (`boolean: false`) - If true, the Helm chart will create necessary configuration for running
      its components on OpenShift.

### server

- `server` ((#v-server)) - Server, when enabled, configures a server cluster to run. This should
  be disabled if you plan on connecting to a Consul cluster external to
  the Kube cluster.

  - `enabled` ((#v-server-enabled)) (`boolean: global.enabled`) - If true, the chart will install all the resources necessary for a
    Consul server cluster. If you're running Consul externally and want agents
    within Kubernetes to join that cluster, this should probably be false.

  - `image` ((#v-server-image)) (`string: null`) - The name of the Docker image (including any tag) for the containers running
    Consul server agents.

  - `replicas` ((#v-server-replicas)) (`integer: 3`) - The number of server agents to run. This determines the fault tolerance of
    the cluster. Please see the deployment table (https://consul.io/docs/internals/consensus#deployment-table)
    for more information.

  - `bootstrapExpect` ((#v-server-bootstrapexpect)) (`int: null`) - The number of servers that are expected to be running.
    It defaults to server.replicas.
    In most cases the default should be used, however if there are more
    servers in this datacenter than server.replicas it might make sense
    to override the default. This would be the case if two kube clusters
    were joined into the same datacenter and each cluster ran a certain number
    of servers.

  - `enterpriseLicense` ((#v-server-enterpriselicense)) - <EnterpriseAlert inline /> This value refers to a Kubernetes secret that you have created
    that contains your enterprise license. It is required if you are using an
    enterprise binary. Defining it here applies it to your cluster once a leader
    has been elected. If you are not using an enterprise image or if you plan to
    introduce the license key via another route, then set these fields to null.
    Note: the job to apply license runs on both Helm installs and upgrades.

    - `secretName` ((#v-server-enterpriselicense-secretname)) (`string: null`) - The name of the Kubernetes secret that holds the enterprise license.
      The secret must be in the same namespace that Consul is installed into.

    - `secretKey` ((#v-server-enterpriselicense-secretkey)) (`string: null`) - The key within the Kubernetes secret that holds the enterprise license.

    - `enableLicenseAutoload` ((#v-server-enterpriselicense-enablelicenseautoload)) (`boolean: true`) - Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+.

  - `serverCert` ((#v-server-servercert)) - A Kubernetes secret containing a certificate & key for the server agents to use
    for TLS communication within the Consul cluster. Cert needs to be provided with
    additional DNS name SANs so that it will work within the Kubernetes cluster:

    ```bash
    consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \
        -key=consul-agent-ca-key.pem -dc={{datacenter}} \
        -additional-dnsname="{{fullname}}-server" \
        -additional-dnsname="*.{{fullname}}-server" \
        -additional-dnsname="*.{{fullname}}-server.{{namespace}}" \
        -additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \
        -additional-dnsname="*.server.{{datacenter}}.{{domain}}" \
        -additional-dnsname="server.{{datacenter}}.{{domain}}"
    ```

    If you have generated the
    server-cert yourself with the consul CLI, you could use the following command
    to create the secret in Kubernetes:

    ```bash
    kubectl create secret generic consul-server-cert \
        --from-file='tls.crt=./dc1-server-consul-0.pem'
        --from-file='tls.key=./dc1-server-consul-0-key.pem'
    ```

    - `secretName` ((#v-server-servercert-secretname)) (`string: null`) - The name of the Kubernetes secret.

  - `exposeGossipAndRPCPorts` ((#v-server-exposegossipandrpcports)) (`boolean: false`) - Exposes the servers' gossip and RPC ports as hostPorts. To enable a client
    agent outside of the k8s cluster to join the datacenter, you would need to
    enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and
    set `server.ports.serflan.port` to a port not being used on the host. Since
    `client.exposeGossipPorts` uses the hostPort 8301,
    `server.ports.serflan.port` must be set to something other than 8301.

  - `ports` ((#v-server-ports)) - Configures ports for the consul servers.

    - `serflan` ((#v-server-ports-serflan)) - Configures the LAN gossip port for the consul servers. If you choose to
      enable `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`,
      that will configure the LAN gossip ports on the servers and clients to be
      hostPorts, so if you are running clients and servers on the same node the
      ports will conflict if they are both 8301. When you enable
      `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, you must
      change this from the default to an unused port on the host, e.g. 9301. By
      default the LAN gossip port is 8301 and configured as a containerPort on
      the consul server Pods.

      - `port` ((#v-server-ports-serflan-port)) (`integer: 8301`)

  - `storage` ((#v-server-storage)) (`string: 10Gi`) - This defines the disk size for configuring the
    servers' StatefulSet storage. For dynamically provisioned storage classes, this is the
    desired size. For manually defined persistent volumes, this should be set to
    the disk size of the attached volume.

  - `storageClass` ((#v-server-storageclass)) (`string: null`) - The StorageClass to use for the servers' StatefulSet storage. It must be
    able to be dynamically provisioned if you want the storage
    to be automatically created. For example, to use local
    (https://kubernetes.io/docs/concepts/storage/storage-classes/#local)
    storage classes, the PersistentVolumeClaims would need to be manually created.
    A `null` value will use the Kubernetes cluster's default StorageClass. If a default
    StorageClass does not exist, you will need to create one.

  - `connect` ((#v-server-connect)) (`boolean: true`) - This will enable/disable Connect (https://consul.io/docs/connect). Setting this to true
    _will not_ automatically secure pod communication, this
    setting will only enable usage of the feature. Consul will automatically initialize
    a new CA and set of certificates. Additional Connect settings can be configured
    by setting the `server.extraConfig` value.

  - `serviceAccount` ((#v-server-serviceaccount))

    - `annotations` ((#v-server-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the server service account. This should be formatted as a multi-line
      string.

      ```yaml
      annotations: |
        "sample/annotation1": "foo"
        "sample/annotation2": "bar"
      ```

  - `resources` ((#v-server-resources)) (`map`) - The resource requests (CPU, memory, etc.)
    for each of the server agents. This should be a YAML map corresponding to a Kubernetes
    ResourceRequirements (https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#resourcerequirements-v1-core)
    object. NOTE: The use of a YAML string is deprecated.

    Example:

    ```yaml
    resources:
      requests:
        memory: '100Mi'
        cpu: '100m'
      limits:
        memory: '100Mi'
        cpu: '100m'
    ```

  - `securityContext` ((#v-server-securitycontext)) (`map`) - The security context for the server pods. This should be a YAML map corresponding to a
    Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object.
    By default, servers will run as non-root, with user ID `100` and group ID `1000`,
    which correspond to the consul user and group created by the Consul docker image.
    Note: if running on OpenShift, this setting is ignored because the user and group are set automatically
    by the OpenShift platform.

  - `updatePartition` ((#v-server-updatepartition)) (`integer: 0`) - This value is used to carefully
    control a rolling update of Consul server agents. This value specifies the
    partition (https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions)
    for performing a rolling update. Please read the linked Kubernetes documentation
    and https://www.consul.io/docs/k8s/upgrade#upgrading-consul-servers for more information.

  - `disruptionBudget` ((#v-server-disruptionbudget)) - This configures the PodDisruptionBudget (https://kubernetes.io/docs/tasks/run-application/configure-pdb/)
    for the server cluster.

    - `enabled` ((#v-server-disruptionbudget-enabled)) (`boolean: true`) - This will enable/disable registering a PodDisruptionBudget for the server
      cluster. If this is enabled, it will only register the budget so long as
      the server cluster is enabled.

    - `maxUnavailable` ((#v-server-disruptionbudget-maxunavailable)) (`integer: null`) - The maximum number of unavailable pods. By default, this will be
      automatically computed based on the `server.replicas` value to be `(n/2)-1`.
      If you need to set this to `0`, you will need to add a
      --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation
      command because of a limitation in the Helm templating language.

  - `extraConfig` ((#v-server-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul
    servers. This will be saved as-is into a ConfigMap that is read by the Consul
    server agents. This can be used to add additional configuration that
    isn't directly exposed by the chart.

    Example:

    ```yaml
    extraConfig: |
      {
        "log_level": "DEBUG"
      }
    ```

    This can also be set using Helm's `--set` flag using the following syntax:

    ```shell
    --set 'server.extraConfig="{"log_level": "DEBUG"}"'
    ```

  - `extraVolumes` ((#v-server-extravolumes)) (`array<map>`) - A list of extra volumes to mount for server agents. This
    is useful for bringing in extra data that can be referenced by other configurations
    at a well known path, such as TLS certificates or Gossip encryption keys. The
    value of this should be a list of objects.

    Example:

    ```yaml
    extraVolumes:
      - type: secret
        name: consul-certs
        load: false
    ```

    Each object supports the following keys:

    - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive.

    - `name` - Name of the configMap or secret to be mounted. This also controls
      the path that it is mounted to. The volume will be mounted to `/consul/userconfig/<name>`.

    - `load` - If true, then the agent will be
      configured to automatically load HCL/JSON configuration files from this volume
      with `-config-dir`. This defaults to false.

  - `affinity` ((#v-server-affinity)) (`string`) - This value defines the affinity (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
    for server pods. It defaults to allowing only a single server pod on each node, which
    minimizes risk of the cluster becoming unusable if a node is lost. If you need
    to run more pods per node (for example, testing on Minikube), set this value
    to `null`.

    Example:

    ```yaml
    affinity: |
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app: {{ template "consul.name" . }}
                release: "{{ .Release.Name }}"
                component: server
          topologyKey: kubernetes.io/hostname
    ```

  - `tolerations` ((#v-server-tolerations)) (`string: ""`) - Toleration settings for server pods. This
    should be a multi-line string matching the Tolerations
    (https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec.

  - `topologySpreadConstraints` ((#v-server-topologyspreadconstraints)) (`string: ""`) - Pod topology spread constraints for server pods.
    This should be a multi-line YAML string matching the `topologySpreadConstraints` array
    (https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) in a Pod Spec.

    This requires K8S >= 1.18 (beta) or 1.19 (stable).

    Example:

    ```yaml
    topologySpreadConstraints: |
      - maxSkew: 1
        topologyKey: topology.kubernetes.io/zone
        whenUnsatisfiable: DoNotSchedule
        labelSelector:
          matchLabels:
            app: {{ template "consul.name" . }}
            release: "{{ .Release.Name }}"
            component: server
    ```

  - `nodeSelector` ((#v-server-nodeselector)) (`string: null`) - This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
    labels for server pod assignment, formatted as a multi-line string.

    Example:

    ```yaml
    nodeSelector: |
      beta.kubernetes.io/arch: amd64
    ```

  - `priorityClassName` ((#v-server-priorityclassname)) (`string: ""`) - This value references an existing
    Kubernetes `priorityClassName` (https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority)
    that can be assigned to server pods.

  - `extraLabels` ((#v-server-extralabels)) (`map`) - Extra labels to attach to the server pods. This should be a YAML map.

    Example:

    ```yaml
    extraLabels:
      labelKey: label-value
      anotherLabelKey: another-label-value
    ```

  - `annotations` ((#v-server-annotations)) (`string: null`) - This value defines additional annotations for
    server pods. This should be formatted as a multi-line string.

    ```yaml
    annotations: |
      "sample/annotation1": "foo"
      "sample/annotation2": "bar"
    ```

  - `service` ((#v-server-service)) - Server service properties.

    - `annotations` ((#v-server-service-annotations)) (`string: null`) - Annotations to apply to the server service.

      ```yaml
      annotations: |
        "annotation-key": "annotation-value"
      ```

  - `extraEnvironmentVars` ((#v-server-extraenvironmentvars)) (`map`) - A list of extra environment variables to set within the stateful set.
    These could be used to include proxy settings required for cloud auto-join
    feature, in case kubernetes cluster is behind egress http proxies. Additionally,
    it could be used to configure custom consul parameters.

### externalServers

- `externalServers` ((#v-externalservers)) - Configuration for Consul servers when the servers are running outside of Kubernetes.
  When running external servers, configuring these values is recommended
  if setting `global.tls.enableAutoEncrypt` to true
  or `global.acls.manageSystemACLs` to true.

  - `enabled` ((#v-externalservers-enabled)) (`boolean: false`) - If true, the Helm chart will be configured to talk to the external servers.
    If setting this to true, you must also set `server.enabled` to false.

  - `hosts` ((#v-externalservers-hosts)) (`array<string>: []`) - An array of external Consul server hosts that are used to make
    HTTPS connections from the components in this Helm chart.
    Valid values include IPs, DNS names, or Cloud auto-join string.
    The port must be provided separately below.
    Note: `client.join` must also be set to the hosts that should be
    used to join the cluster. In most cases, the `client.join` values
    should be the same, however, they may be different if you
    wish to use separate hosts for the HTTPS connections.

  - `httpsPort` ((#v-externalservers-httpsport)) (`integer: 8501`) - The HTTPS port of the Consul servers.

  - `tlsServerName` ((#v-externalservers-tlsservername)) (`string: null`) - The server name to use as the SNI host header when connecting with HTTPS.

  - `useSystemRoots` ((#v-externalservers-usesystemroots)) (`boolean: false`) - If true, consul-k8s-control-plane components will ignore the CA set in
    `global.tls.caCert` when making HTTPS calls to Consul servers and
    will instead use the consul-k8s-control-plane image's system CAs for TLS verification.
    If false, consul-k8s-control-plane components will use `global.tls.caCert` when
    making HTTPS calls to Consul servers.
    **NOTE:** This does not affect Consul's internal RPC communication which will
    always use `global.tls.caCert`.

  - `k8sAuthMethodHost` ((#v-externalservers-k8sauthmethodhost)) (`string: null`) - If you are setting `global.acls.manageSystemACLs` and
    `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server.
    This address must be reachable from the Consul servers.
    Please see the Kubernetes Auth Method documentation (https://consul.io/docs/acl/auth-methods/kubernetes).

    You could retrieve this value from your `kubeconfig` by running:

    ```shell
    kubectl config view \
      -o jsonpath="{.clusters[?(@.name=='<your cluster name>')].cluster.server}"
    ```

### client

- `client` ((#v-client)) - Values that configure running a Consul client on Kubernetes nodes.

  - `enabled` ((#v-client-enabled)) (`boolean: global.enabled`) - If true, the chart will install all
    the resources necessary for a Consul client on every Kubernetes node. This _does not_ require
    `server.enabled`, since the agents can be configured to join an external cluster.

  - `image` ((#v-client-image)) (`string: null`) - The name of the Docker image (including any tag) for the containers
    running Consul client agents.

  - `join` ((#v-client-join)) (`array<string>: null`) - A list of valid `-retry-join` values (https://consul.io/docs/agent/options#retry-join).
    If this is `null` (default), then the clients will attempt to automatically
    join the server cluster running within Kubernetes.
    This means that with `server.enabled` set to true, clients will automatically
    join that cluster. If `server.enabled` is not true, then a value must be
    specified so the clients can join a valid cluster.

  - `dataDirectoryHostPath` ((#v-client-datadirectoryhostpath)) (`string: null`) - An absolute path to a directory on the host machine to use as the Consul
    client data directory. If set to the empty string or null, the Consul agent
    will store its data in the Pod's local filesystem (which will
    be lost if the Pod is deleted). Security Warning: If setting this, Pod Security
    Policies _must_ be enabled on your cluster and in this Helm chart (via the
    `global.enablePodSecurityPolicies` setting) to prevent other pods from
    mounting the same host path and gaining access to all of Consul's data.
    Consul's data is not encrypted at rest.

  - `grpc` ((#v-client-grpc)) (`boolean: true`) - If true, agents will enable their GRPC listener on
    port 8502 and expose it to the host. This will use slightly more resources, but is
    required for Connect.

  - `nodeMeta` ((#v-client-nodemeta)) - nodeMeta specifies an arbitrary metadata key/value pair to associate with the node
    (see https://www.consul.io/docs/agent/options.html#_node_meta)

    - `pod-name` ((#v-client-nodemeta-pod-name)) (`string: ${HOSTNAME}`)

    - `host-ip` ((#v-client-nodemeta-host-ip)) (`string: ${HOST_IP}`)

  - `exposeGossipPorts` ((#v-client-exposegossipports)) (`boolean: false`) - If true, the Helm chart will expose the clients' gossip ports as hostPorts.
    This is only necessary if pod IPs in the k8s cluster are not directly routable
    and the Consul servers are outside of the k8s cluster.
    This also changes the clients' advertised IP to the `hostIP` rather than `podIP`.

  - `serviceAccount` ((#v-client-serviceaccount))

    - `annotations` ((#v-client-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the client service account. This should be formatted as a multi-line
      string.

      ```yaml
      annotations: |
        "sample/annotation1": "foo"
        "sample/annotation2": "bar"
      ```

  - `resources` ((#v-client-resources)) (`map`) - Resource settings for Client agents.
    NOTE: The use of a YAML string is deprecated. Instead, set directly as a
    YAML map.

  - `securityContext` ((#v-client-securitycontext)) (`map`) - The security context for the client pods. This should be a YAML map corresponding to a
    Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object.
    By default, servers will run as non-root, with user ID `100` and group ID `1000`,
    which correspond to the consul user and group created by the Consul docker image.
    Note: if running on OpenShift, this setting is ignored because the user and group are set automatically
    by the OpenShift platform.

  - `extraConfig` ((#v-client-extraconfig)) (`string: {}`) - A raw string of extra JSON configuration (https://consul.io/docs/agent/options) for Consul
    clients. This will be saved as-is into a ConfigMap that is read by the Consul
    client agents. This can be used to add additional configuration that
    isn't directly exposed by the chart.

    Example:

    ```yaml
    extraConfig: |
      {
        "log_level": "DEBUG"
      }
    ```

    This can also be set using Helm's `--set` flag using the following syntax:

    ```shell
    --set 'client.extraConfig="{"log_level": "DEBUG"}"'
    ```

  - `extraVolumes` ((#v-client-extravolumes)) (`array<map>`) - A list of extra volumes to mount for client agents. This
    is useful for bringing in extra data that can be referenced by other configurations
    at a well known path, such as TLS certificates or Gossip encryption keys. The
    value of this should be a list of objects.

    Example:

    ```yaml
    extraVolumes:
      - type: secret
        name: consul-certs
        load: false
    ```

    Each object supports the following keys:

    - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive.

    - `name` - Name of the configMap or secret to be mounted. This also controls
      the path that it is mounted to. The volume will be mounted to `/consul/userconfig/<name>`.

    - `load` - If true, then the agent will be
      configured to automatically load HCL/JSON configuration files from this volume
      with `-config-dir`. This defaults to false.

  - `tolerations` ((#v-client-tolerations)) (`string: ""`) - Toleration Settings for Client pods
    This should be a multi-line string matching the Toleration array
    in a PodSpec.
    The example below will allow Client pods to run on every node
    regardless of taints

    ```yaml
    tolerations: |
      - operator: Exists
    ```

  - `nodeSelector` ((#v-client-nodeselector)) (`string: null`) - nodeSelector labels for client pod assignment, formatted as a multi-line string.
    ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

    Example:

    ```yaml
    nodeSelector: |
      beta.kubernetes.io/arch: amd64
    ```

  - `affinity` ((#v-client-affinity)) (`string: null`) - Affinity Settings for Client pods, formatted as a multi-line YAML string.
    ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity

    Example:

    ```yaml
    affinity: |
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
          - matchExpressions:
            - key: node-role.kubernetes.io/master
              operator: DoesNotExist
    ```

  - `priorityClassName` ((#v-client-priorityclassname)) (`string: ""`) - This value references an existing
    Kubernetes `priorityClassName` (https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority)
    that can be assigned to client pods.

  - `annotations` ((#v-client-annotations)) (`string: null`) - This value defines additional annotations for
    client pods. This should be formatted as a multi-line string.

    ```yaml
    annotations: |
      "sample/annotation1": "foo"
      "sample/annotation2": "bar"
    ```

  - `extraLabels` ((#v-client-extralabels)) (`map`) - Extra labels to attach to the client pods. This should be a regular YAML map.

    Example:

    ```yaml
    extraLabels:
      labelKey: label-value
      anotherLabelKey: another-label-value
    ```

  - `extraEnvironmentVars` ((#v-client-extraenvironmentvars)) (`map`) - A list of extra environment variables to set within the stateful set.
    These could be used to include proxy settings required for cloud auto-join
    feature, in case kubernetes cluster is behind egress http proxies. Additionally,
    it could be used to configure custom consul parameters.

  - `dnsPolicy` ((#v-client-dnspolicy)) (`string: null`) - This value defines the Pod DNS policy (https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy)
    for client pods to use.

  - `hostNetwork` ((#v-client-hostnetwork)) (`boolean: false`) - hostNetwork defines whether or not we use host networking instead of hostPort in the event
    that a CNI plugin doesn't support `hostPort`. This has security implications and is not recommended
    as doing so gives the consul client unnecessary access to all network traffic on the host.
    In most cases, pod network and host network are on different networks so this should be
    combined with `dnsPolicy: ClusterFirstWithHostNet`

  - `updateStrategy` ((#v-client-updatestrategy)) (`string: null`) - updateStrategy for the DaemonSet.
    See https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy.
    This should be a multi-line string mapping directly to the updateStrategy

    Example:

    ```yaml
    updateStrategy: |
      rollingUpdate:
        maxUnavailable: 5
      type: RollingUpdate
    ```

  - `snapshotAgent` ((#v-client-snapshotagent)) - <EnterpriseAlert inline /> Values for setting up and running snapshot agents
    (https://consul.io/commands/snapshot/agent)
    within the Consul clusters. They are required to be co-located with Consul clients,
    so will inherit the clients' nodeSelector, tolerations and affinity.

    - `enabled` ((#v-client-snapshotagent-enabled)) (`boolean: false`) - If true, the chart will install resources necessary to run the snapshot agent.

    - `replicas` ((#v-client-snapshotagent-replicas)) (`integer: 2`) - The number of snapshot agents to run.

    - `configSecret` ((#v-client-snapshotagent-configsecret)) - A Kubernetes secret that should be manually created to contain the entire
      config to be used on the snapshot agent.
      This is the preferred method of configuration since there are usually storage
      credentials present. Please see Snapshot agent config (https://consul.io/commands/snapshot/agent#config-file-options)
      for details.

      - `secretName` ((#v-client-snapshotagent-configsecret-secretname)) (`string: null`) - The name of the Kubernetes secret.

      - `secretKey` ((#v-client-snapshotagent-configsecret-secretkey)) (`string: null`) - The key of the Kubernetes secret.

    - `serviceAccount` ((#v-client-snapshotagent-serviceaccount))

      - `annotations` ((#v-client-snapshotagent-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the snapshot agent service account. This should be formatted as a
        multi-line string.

        ```yaml
        annotations: |
          "sample/annotation1": "foo"
          "sample/annotation2": "bar"
        ```

    - `resources` ((#v-client-snapshotagent-resources)) (`map`) - Resource settings for snapshot agent pods.

    - `caCert` ((#v-client-snapshotagent-cacert)) (`string: null`) - Optional PEM-encoded CA certificate that will be added to the trusted system CAs.
      Useful if using an S3-compatible storage exposing a self-signed certificate.

      Example:

      ```yaml
      caCert: |
        -----BEGIN CERTIFICATE-----
        MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx
        ...
      ```

### dns

- `dns` ((#v-dns)) - Configuration for DNS configuration within the Kubernetes cluster.
  This creates a service that routes to all agents (client or server)
  for serving DNS requests. This DOES NOT automatically configure kube-dns
  today, so you must still manually configure a `stubDomain` with kube-dns
  for this to have any effect:
  https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers

  - `enabled` ((#v-dns-enabled)) (`boolean: -`)

  - `type` ((#v-dns-type)) (`string: ClusterIP`) - Used to control the type of service created. For
    example, setting this to "LoadBalancer" will create an external load
    balancer (for supported K8S installations)

  - `clusterIP` ((#v-dns-clusterip)) (`string: null`) - Set a predefined cluster IP for the DNS service.
    Useful if you need to reference the DNS service's IP
    address in CoreDNS config.

  - `annotations` ((#v-dns-annotations)) (`string: null`) - Extra annotations to attach to the dns service
    This should be a multi-line string of
    annotations to apply to the dns Service

  - `additionalSpec` ((#v-dns-additionalspec)) (`string: null`) - Additional ServiceSpec values
    This should be a multi-line string mapping directly to a Kubernetes
    ServiceSpec object.

### ui

- `ui` ((#v-ui)) - Values that configure the Consul UI.

  - `enabled` ((#v-ui-enabled)) (`boolean: global.enabled`) - If true, the UI will be enabled. This will
    only _enable_ the UI, it doesn't automatically register any service for external
    access. The UI will only be enabled on server agents. If `server.enabled` is
    false, then this setting has no effect. To expose the UI in some way, you must
    configure `ui.service`.

  - `service` ((#v-ui-service)) - Configure the service for the Consul UI.

    - `enabled` ((#v-ui-service-enabled)) (`boolean: true`) - This will enable/disable registering a
      Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is
      true and taking effect.

    - `type` ((#v-ui-service-type)) (`string: null`) - The service type to register.

    - `nodePort` ((#v-ui-service-nodeport)) - Optionally set the nodePort value of the ui service if using a NodePort service.
      If not set and using a NodePort service, Kubernetes will automatically assign
      a port.

      - `http` ((#v-ui-service-nodeport-http)) (`integer: null`) - HTTP node port

      - `https` ((#v-ui-service-nodeport-https)) (`integer: null`) - HTTPS node port

    - `annotations` ((#v-ui-service-annotations)) (`string: null`) - Annotations to apply to the UI service.

      Example:

      ```yaml
      annotations: |
        'annotation-key': annotation-value
      ```

    - `additionalSpec` ((#v-ui-service-additionalspec)) (`string: null`) - Additional ServiceSpec values
      This should be a multi-line string mapping directly to a Kubernetes
      ServiceSpec object.

  - `ingress` ((#v-ui-ingress)) - Configure Ingress for the Consul UI.
    If `global.tls.enabled` is set to `true`, the Ingress will expose
    the port 443 on the UI service. Please ensure the Ingress Controller
    supports SSL pass-through and it is enabled to ensure traffic forwarded
    to port 443 has not been TLS terminated.

    - `enabled` ((#v-ui-ingress-enabled)) (`boolean: false`) - This will create an Ingress resource for the Consul UI.

    - `pathType` ((#v-ui-ingress-pathtype)) (`string: Prefix`) - pathType override - see: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types

    - `hosts` ((#v-ui-ingress-hosts)) (`array<map>`) - hosts is a list of host name to create Ingress rules.

      ```yaml
      hosts:
        - host: foo.bar
          paths:
            - /example
            - /test
      ```

    - `tls` ((#v-ui-ingress-tls)) (`array<map>`) - tls is a list of hosts and secret name in an Ingress
      which tells the Ingress controller to secure the channel.

      ```yaml
      tls:
        - hosts:
            - chart-example.local
          secretName: testsecret-tls
      ```

    - `annotations` ((#v-ui-ingress-annotations)) (`string: null`) - Annotations to apply to the UI ingress.

      Example:

      ```yaml
      annotations: |
        'annotation-key': annotation-value
      ```

  - `metrics` ((#v-ui-metrics)) - Configurations for displaying metrics in the UI.

    - `enabled` ((#v-ui-metrics-enabled)) (`boolean: global.metrics.enabled`) - Enable displaying metrics in the UI. The default value of "-"
      will inherit from `global.metrics.enabled` value.

    - `provider` ((#v-ui-metrics-provider)) (`string: prometheus`) - Provider for metrics. See
      https://www.consul.io/docs/agent/options#ui_config_metrics_provider
      This value is only used if `ui.enabled` is set to true.

    - `baseURL` ((#v-ui-metrics-baseurl)) (`string: http://prometheus-server`) - baseURL is the URL of the prometheus server, usually the service URL.
      This value is only used if `ui.enabled` is set to true.

### syncCatalog

- `syncCatalog` ((#v-synccatalog)) - Configure the catalog sync process to sync K8S with Consul
  services. This can run bidirectional (default) or unidirectionally (Consul
  to K8S or K8S to Consul only).

  This process assumes that a Consul agent is available on the host IP.
  This is done automatically if clients are enabled. If clients are not
  enabled then set the node selection so that it chooses a node with a
  Consul agent.

  - `enabled` ((#v-synccatalog-enabled)) (`boolean: false`) - True if you want to enable the catalog sync. Set to "-" to inherit from
    global.enabled.

  - `image` ((#v-synccatalog-image)) (`string: null`) - The name of the Docker image (including any tag) for consul-k8s-control-plane
    to run the sync program.

  - `default` ((#v-synccatalog-default)) (`boolean: true`) - If true, all valid services in K8S are
    synced by default. If false, the service must be annotated
    (https://consul.io/docs/k8s/service-sync#sync-enable-disable) properly to sync.
    In either case an annotation can override the default.

  - `priorityClassName` ((#v-synccatalog-priorityclassname)) (`string: ""`) - Optional priorityClassName.

  - `toConsul` ((#v-synccatalog-toconsul)) (`boolean: true`) - If true, will sync Kubernetes services to Consul. This can be disabled to
    have a one-way sync.

  - `toK8S` ((#v-synccatalog-tok8s)) (`boolean: true`) - If true, will sync Consul services to Kubernetes. This can be disabled to
    have a one-way sync.

  - `k8sPrefix` ((#v-synccatalog-k8sprefix)) (`string: null`) - Service prefix to prepend to services before registering
    with Kubernetes. For example "consul-" will register all services
    prepended with "consul-". (Consul -> Kubernetes sync)

  - `k8sAllowNamespaces` ((#v-synccatalog-k8sallownamespaces)) (`array<string>: ["*"]`) - List of k8s namespaces to sync the k8s services from.
    If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`,
    services in that k8s namespace will not be synced even if they are explicitly
    annotated. Use `["*"]` to automatically allow all k8s namespaces.

    For example, `["namespace1", "namespace2"]` will only allow services in the k8s
    namespaces `namespace1` and `namespace2` to be synced and registered
    with Consul. All other k8s namespaces will be ignored.

    To deny all namespaces, set this to `[]`.

    Note: `k8sDenyNamespaces` takes precedence over values defined here.

  - `k8sDenyNamespaces` ((#v-synccatalog-k8sdenynamespaces)) (`array<string>: ["kube-system", "kube-public"]`) - List of k8s namespaces that should not have their
    services synced. This list takes precedence over `k8sAllowNamespaces`.
    `*` is not supported because then nothing would be allowed to sync.

    For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is
    `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1`
    and `namespace2` will be synced.

  - `k8sSourceNamespace` ((#v-synccatalog-k8ssourcenamespace)) (`string: null`) - [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For
    backwards compatibility, if both this and the allow/deny lists are set,
    the allow/deny lists will be ignored.
    k8sSourceNamespace is the Kubernetes namespace to watch for service
    changes and sync to Consul. If this is not set then it will default
    to all namespaces.

  - `consulNamespaces` ((#v-synccatalog-consulnamespaces)) - <EnterpriseAlert inline /> These settings manage the catalog sync's interaction with
    Consul namespaces (requires consul-ent v1.7+).
    Also, `global.enableConsulNamespaces` must be true.

    - `consulDestinationNamespace` ((#v-synccatalog-consulnamespaces-consuldestinationnamespace)) (`string: default`) - Name of the Consul namespace to register all
      k8s services into. If the Consul namespace does not already exist,
      it will be created. This will be ignored if `mirroringK8S` is true.

    - `mirroringK8S` ((#v-synccatalog-consulnamespaces-mirroringk8s)) (`boolean: false`) - If true, k8s services will be registered into a Consul namespace
      of the same name as their k8s namespace, optionally prefixed if
      `mirroringK8SPrefix` is set below. If the Consul namespace does not
      already exist, it will be created. Turning this on overrides the
      `consulDestinationNamespace` setting.
      `addK8SNamespaceSuffix` may no longer be needed if enabling this option.

    - `mirroringK8SPrefix` ((#v-synccatalog-consulnamespaces-mirroringk8sprefix)) (`string: ""`) - If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
      to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a
      service in the k8s `staging` namespace will be registered into the
      `k8s-staging` Consul namespace.

  - `addK8SNamespaceSuffix` ((#v-synccatalog-addk8snamespacesuffix)) (`boolean: true`) - Appends Kubernetes namespace suffix to
    each service name synced to Consul, separated by a dash.
    For example, for a service 'foo' in the default namespace,
    the sync process will create a Consul service named 'foo-default'.
    Set this flag to true to avoid registering services with the same name
    but in different namespaces as instances for the same Consul service.
    Namespace suffix is not added if 'annotationServiceName' is provided.

  - `consulPrefix` ((#v-synccatalog-consulprefix)) (`string: null`) - Service prefix which prepends itself
    to Kubernetes services registered within Consul
    For example, "k8s-" will register all services prepended with "k8s-".
    (Kubernetes -> Consul sync)
    consulPrefix is ignored when 'annotationServiceName' is provided.
    NOTE: Updating this property to a non-null value for an existing installation will result in deregistering
    of existing services in Consul and registering them with a new name.

  - `k8sTag` ((#v-synccatalog-k8stag)) (`string: null`) - Optional tag that is applied to all of the Kubernetes services
    that are synced into Consul. If nothing is set, defaults to "k8s".
    (Kubernetes -> Consul sync)

  - `consulNodeName` ((#v-synccatalog-consulnodename)) (`string: k8s-sync`) - Defines the Consul synthetic node that all services
    will be registered to.
    NOTE: Changing the node name and upgrading the Helm chart will leave
    all of the previously sync'd services registered with Consul and
    register them again under the new Consul node name. The out-of-date
    registrations will need to be explicitly removed.

  - `syncClusterIPServices` ((#v-synccatalog-syncclusteripservices)) (`boolean: true`) - Syncs services of the ClusterIP type, which may
    or may not be broadly accessible depending on your Kubernetes cluster.
    Set this to false to skip syncing ClusterIP services.

  - `nodePortSyncType` ((#v-synccatalog-nodeportsynctype)) (`string: ExternalFirst`) - Configures the type of syncing that happens for NodePort
    services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst.

    - ExternalOnly will only use a node's ExternalIP address for the sync
    - InternalOnly use's the node's InternalIP address
    - ExternalFirst will preferentially use the node's ExternalIP address, but
      if it doesn't exist, it will use the node's InternalIP address instead.

  - `aclSyncToken` ((#v-synccatalog-aclsynctoken)) - Refers to a Kubernetes secret that you have created that contains
    an ACL token for your Consul cluster which allows the sync process the correct
    permissions. This is only needed if ACLs are enabled on the Consul cluster.

    - `secretName` ((#v-synccatalog-aclsynctoken-secretname)) (`string: null`) - The name of the Kubernetes secret.

    - `secretKey` ((#v-synccatalog-aclsynctoken-secretkey)) (`string: null`) - The key of the Kubernetes secret.

  - `nodeSelector` ((#v-synccatalog-nodeselector)) (`string: null`) - This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
    labels for catalog sync pod assignment, formatted as a multi-line string.

    Example:

    ```yaml
    nodeSelector: |
      beta.kubernetes.io/arch: amd64
    ```

  - `affinity` ((#v-synccatalog-affinity)) (`string: null`) - Affinity Settings
    This should be a multi-line string matching the affinity object

  - `tolerations` ((#v-synccatalog-tolerations)) (`string: null`) - Toleration Settings
    This should be a multi-line string matching the Toleration array
    in a PodSpec.

  - `serviceAccount` ((#v-synccatalog-serviceaccount))

    - `annotations` ((#v-synccatalog-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the mesh gateways' service account. This should be formatted as a
      multi-line string.

      ```yaml
      annotations: |
        "sample/annotation1": "foo"
        "sample/annotation2": "bar"
      ```

  - `resources` ((#v-synccatalog-resources)) (`map`) - Resource settings for sync catalog pods.

  - `logLevel` ((#v-synccatalog-loglevel)) (`string: ""`) - Override global log verbosity level. One of "debug", "info", "warn", or "error".

  - `consulWriteInterval` ((#v-synccatalog-consulwriteinterval)) (`string: null`) - Override the default interval to perform syncing operations creating Consul services.

  - `extraLabels` ((#v-synccatalog-extralabels)) (`map`) - Extra labels to attach to the sync catalog pods. This should be a YAML map.

    Example:

    ```yaml
    extraLabels:
      labelKey: label-value
      anotherLabelKey: another-label-value
    ```

### connectInject

- `connectInject` ((#v-connectinject)) - Configures the automatic Connect sidecar injector.

  - `enabled` ((#v-connectinject-enabled)) (`boolean: false`) - True if you want to enable connect injection. Set to "-" to inherit from
    global.enabled.

  - `replicas` ((#v-connectinject-replicas)) (`integer: 2`) - The number of deployment replicas.

  - `image` ((#v-connectinject-image)) (`string: null`) - Image for consul-k8s-control-plane that contains the injector.

  - `default` ((#v-connectinject-default)) (`boolean: false`) - If true, the injector will inject the
    Connect sidecar into all pods by default. Otherwise, pods must specify the
    injection annotation (https://consul.io/docs/k8s/connect#consul-hashicorp-com-connect-inject)
    to opt-in to Connect injection. If this is true, pods can use the same annotation
    to explicitly opt-out of injection.

  - `transparentProxy` ((#v-connectinject-transparentproxy)) - Configures Transparent Proxy for Consul Service mesh services.
    Using this feature requires Consul 1.10.0-beta1+.

    - `defaultEnabled` ((#v-connectinject-transparentproxy-defaultenabled)) (`boolean: true`) - If true, then all Consul Service mesh will run with transparent proxy enabled by default,
      i.e. we enforce that all traffic within the pod will go through the proxy.
      This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation.

    - `defaultOverwriteProbes` ((#v-connectinject-transparentproxy-defaultoverwriteprobes)) (`boolean: true`) - If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead.
      This setting is recommended because with traffic being enforced to go through the Envoy proxy,
      the probes on the pod will fail because kube-proxy doesn't have the right certificates
      to talk to Envoy.
      This value is also overridable via the "consul.hashicorp.com/transparent-proxy-overwrite-probes" annotation.
      Note: This value has no effect if transparent proxy is disabled on the pod.

  - `metrics` ((#v-connectinject-metrics)) - Configures metrics for Consul Connect services. All values are overridable
    via annotations on a per-pod basis.

    - `defaultEnabled` ((#v-connectinject-metrics-defaultenabled)) (`string: -`) - If true, the connect-injector will automatically
      add prometheus annotations to connect-injected pods. It will also
      add a listener on the Envoy sidecar to expose metrics. The exposed
      metrics will depend on whether metrics merging is enabled:

      - If metrics merging is enabled:
        the Consul sidecar will run a merged metrics server
        combining Envoy sidecar and Connect service metrics,
        i.e. if your service exposes its own Prometheus metrics.
      - If metrics merging is disabled:
        the listener will just expose Envoy sidecar metrics.
        This will inherit from `global.metrics.enabled`.

    - `defaultEnableMerging` ((#v-connectinject-metrics-defaultenablemerging)) (`boolean: false`) - Configures the Consul sidecar to run a merged metrics server
      to combine and serve both Envoy and Connect service metrics.
      This feature is available only in Consul v1.10.0 or greater.

    - `defaultMergedMetricsPort` ((#v-connectinject-metrics-defaultmergedmetricsport)) (`integer: 20100`) - Configures the port at which the Consul sidecar will listen on to return
      combined metrics. This port only needs to be changed if it conflicts with
      the application's ports.

    - `defaultPrometheusScrapePort` ((#v-connectinject-metrics-defaultprometheusscrapeport)) (`integer: 20200`) - Configures the port Prometheus will scrape metrics from, by configuring
      the Pod annotation `prometheus.io/port` and the corresponding listener in
      the Envoy sidecar.
      NOTE: This is _not_ the port that your application exposes metrics on.
      That can be configured with the
      `consul.hashicorp.com/service-metrics-port` annotation.

    - `defaultPrometheusScrapePath` ((#v-connectinject-metrics-defaultprometheusscrapepath)) (`string: /metrics`) - Configures the path Prometheus will scrape metrics from, by configuring the pod
      annotation `prometheus.io/path` and the corresponding handler in the Envoy
      sidecar.
      NOTE: This is _not_ the path that your application exposes metrics on.
      That can be configured with the
      `consul.hashicorp.com/service-metrics-path` annotation.

  - `envoyExtraArgs` ((#v-connectinject-envoyextraargs)) (`string: null`) - Used to pass arguments to the injected envoy sidecar.
    Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli
    e.g "--log-level debug --disable-hot-restart"

  - `priorityClassName` ((#v-connectinject-priorityclassname)) (`string: ""`) - Optional priorityClassName.

  - `imageConsul` ((#v-connectinject-imageconsul)) (`string: null`) - The Docker image for Consul to use when performing Connect injection.
    Defaults to global.image.

  - `logLevel` ((#v-connectinject-loglevel)) (`string: ""`) - Override global log verbosity level. One of "debug", "info", "warn", or "error".

  - `serviceAccount` ((#v-connectinject-serviceaccount))

    - `annotations` ((#v-connectinject-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the injector service account. This should be formatted as a
      multi-line string.

      ```yaml
      annotations: |
        "sample/annotation1": "foo"
        "sample/annotation2": "bar"
      ```

  - `resources` ((#v-connectinject-resources)) (`map`) - Resource settings for connect inject pods.

  - `failurePolicy` ((#v-connectinject-failurepolicy)) (`string: Fail`) - Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook
    is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline.
    Once the webhook is back online the pod will be scheduled.
    In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running
    which can lead to hangs. In these environments it is recommend to use "Ignore" instead.
    This setting can be safely disabled by setting to "Ignore".

  - `namespaceSelector` ((#v-connectinject-namespaceselector)) (`string: null`) - Selector for restricting the webhook to only
    specific namespaces. This should be set to a multiline string.
    See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
    for more details.

    Example:

    ```yaml
    namespaceSelector: |
      matchLabels:
        namespace-label: label-value
    ```

  - `k8sAllowNamespaces` ((#v-connectinject-k8sallownamespaces)) (`array<string>: ["*"]`) - List of k8s namespaces to allow Connect sidecar
    injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`,
    pods in that k8s namespace will not be injected even if they are explicitly
    annotated. Use `["*"]` to automatically allow all k8s namespaces.

    For example, `["namespace1", "namespace2"]` will only allow pods in the k8s
    namespaces `namespace1` and `namespace2` to have Connect sidecars injected
    and registered with Consul. All other k8s namespaces will be ignored.

    To deny all namespaces, set this to `[]`.

    Note: `k8sDenyNamespaces` takes precedence over values defined here and
    `namespaceSelector` takes precedence over both since it is applied first.
    `kube-system` and `kube-public` are never injected, even if included here.

  - `k8sDenyNamespaces` ((#v-connectinject-k8sdenynamespaces)) (`array<string>: []`) - List of k8s namespaces that should not allow Connect
    sidecar injection. This list takes precedence over `k8sAllowNamespaces`.
    `*` is not supported because then nothing would be allowed to be injected.

    For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is
    `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1"
    and "namespace2" will be available for injection.

    Note: `namespaceSelector` takes precedence over this since it is applied first.
    `kube-system` and `kube-public` are never injected.

  - `consulNamespaces` ((#v-connectinject-consulnamespaces)) - <EnterpriseAlert inline /> These settings manage the connect injector's interaction with
    Consul namespaces (requires consul-ent v1.7+).
    Also, `global.enableConsulNamespaces` must be true.

    - `consulDestinationNamespace` ((#v-connectinject-consulnamespaces-consuldestinationnamespace)) (`string: default`) - Name of the Consul namespace to register all
      k8s pods into. If the Consul namespace does not already exist,
      it will be created. This will be ignored if `mirroringK8S` is true.

    - `mirroringK8S` ((#v-connectinject-consulnamespaces-mirroringk8s)) (`boolean: false`) - Causes k8s pods to be registered into a Consul namespace
      of the same name as their k8s namespace, optionally prefixed if
      `mirroringK8SPrefix` is set below. If the Consul namespace does not
      already exist, it will be created. Turning this on overrides the
      `consulDestinationNamespace` setting.

    - `mirroringK8SPrefix` ((#v-connectinject-consulnamespaces-mirroringk8sprefix)) (`string: ""`) - If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
      to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a
      pod in the k8s `staging` namespace will be registered into the
      `k8s-staging` Consul namespace.

  - `nodeSelector` ((#v-connectinject-nodeselector)) (`string: null`) - Selector labels for connectInject pod assignment, formatted as a multi-line string.
    ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

    Example:

    ```yaml
    nodeSelector: |
      beta.kubernetes.io/arch: amd64
    ```

  - `affinity` ((#v-connectinject-affinity)) (`string: null`) - Affinity Settings
    This should be a multi-line string matching the affinity object

  - `tolerations` ((#v-connectinject-tolerations)) (`string: null`) - Toleration Settings
    This should be a multi-line string matching the Toleration array
    in a PodSpec.

  - `aclBindingRuleSelector` ((#v-connectinject-aclbindingruleselector)) (`string: serviceaccount.name!=default`) - Query that defines which Service Accounts
    can authenticate to Consul and receive an ACL token during Connect injection.
    The default setting, i.e. serviceaccount.name!=default, prevents the
    'default' Service Account from logging in.
    If set to an empty string all service accounts can log in.
    This only has effect if ACLs are enabled.

    See https://www.consul.io/docs/acl/acl-auth-methods.html#binding-rules
    and https://www.consul.io/docs/acl/auth-methods/kubernetes.html#trusted-identity-attributes
    for more details.
    Requires Consul >= v1.5.

  - `overrideAuthMethodName` ((#v-connectinject-overrideauthmethodname)) (`string: ""`) - If you are not using global.acls.manageSystemACLs and instead manually setting up an
    auth method for Connect inject, set this to the name of your auth method.

  - `aclInjectToken` ((#v-connectinject-aclinjecttoken)) - Refers to a Kubernetes secret that you have created that contains
    an ACL token for your Consul cluster which allows the Connect injector the correct
    permissions. This is only needed if Consul namespaces <EnterpriseAlert inline /> and ACLs
    are enabled on the Consul cluster and you are not setting
    `global.acls.manageSystemACLs` to `true`.
    This token needs to have `operator = "write"` privileges to be able to
    create Consul namespaces.

    - `secretName` ((#v-connectinject-aclinjecttoken-secretname)) (`string: null`) - The name of the Kubernetes secret.

    - `secretKey` ((#v-connectinject-aclinjecttoken-secretkey)) (`string: null`) - The key of the Kubernetes secret.

  - `sidecarProxy` ((#v-connectinject-sidecarproxy))

    - `resources` ((#v-connectinject-sidecarproxy-resources)) (`map`) - Set default resources for sidecar proxy. If null, that resource won't
      be set.
      These settings can be overridden on a per-pod basis via these annotations:

      - `consul.hashicorp.com/sidecar-proxy-cpu-limit`
      - `consul.hashicorp.com/sidecar-proxy-cpu-request`
      - `consul.hashicorp.com/sidecar-proxy-memory-limit`
      - `consul.hashicorp.com/sidecar-proxy-memory-request`

      - `requests` ((#v-connectinject-sidecarproxy-resources-requests))

        - `memory` ((#v-connectinject-sidecarproxy-resources-requests-memory)) (`string: null`) - Recommended default: 100Mi

        - `cpu` ((#v-connectinject-sidecarproxy-resources-requests-cpu)) (`string: null`) - Recommended default: 100m

      - `limits` ((#v-connectinject-sidecarproxy-resources-limits))

        - `memory` ((#v-connectinject-sidecarproxy-resources-limits-memory)) (`string: null`) - Recommended default: 100Mi

        - `cpu` ((#v-connectinject-sidecarproxy-resources-limits-cpu)) (`string: null`) - Recommended default: 100m

  - `initContainer` ((#v-connectinject-initcontainer)) (`map`) - Resource settings for the Connect injected init container.

### controller

- `controller` ((#v-controller)) - Controller handles config entry custom resources.
  Requires consul >= 1.8.4.
  ServiceIntentions require consul 1.9+.

  - `enabled` ((#v-controller-enabled)) (`boolean: false`) - Enables the controller for managing custom resources.

  - `replicas` ((#v-controller-replicas)) (`integer: 1`) - The number of deployment replicas.

  - `logLevel` ((#v-controller-loglevel)) (`string: ""`) - Log verbosity level. One of "debug", "info", "warn", or "error".

  - `serviceAccount` ((#v-controller-serviceaccount))

    - `annotations` ((#v-controller-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the controller service account. This should be formatted as a
      multi-line string.

      ```yaml
      annotations: |
        "sample/annotation1": "foo"
        "sample/annotation2": "bar"
      ```

  - `resources` ((#v-controller-resources)) (`map`) - Resource settings for controller pods.

  - `nodeSelector` ((#v-controller-nodeselector)) (`string: null`) - Optional YAML string to specify a nodeSelector config.

  - `tolerations` ((#v-controller-tolerations)) (`string: null`) - Optional YAML string to specify tolerations.

  - `affinity` ((#v-controller-affinity)) (`string: null`) - Affinity Settings
    This should be a multi-line string matching the affinity object

  - `priorityClassName` ((#v-controller-priorityclassname)) (`string: ""`) - Optional priorityClassName.

  - `aclToken` ((#v-controller-acltoken)) - Refers to a Kubernetes secret that you have created that contains
    an ACL token for your Consul cluster which grants the controller process the correct
    permissions. This is only needed if you are managing ACLs yourself (i.e. not using
    `global.acls.manageSystemACLs`).

    If running Consul OSS, requires permissions:

    ```hcl
    operator = "write"
    service_prefix "" {
      policy = "write"
      intentions = "write"
    }
    ```

    If running Consul Enterprise, talk to your account manager for assistance.

    - `secretName` ((#v-controller-acltoken-secretname)) (`string: null`) - The name of the Kubernetes secret.

    - `secretKey` ((#v-controller-acltoken-secretkey)) (`string: null`) - The key of the Kubernetes secret.

### meshGateway

- `meshGateway` ((#v-meshgateway)) - Mesh Gateways enable Consul Connect to work across Consul datacenters.

  - `enabled` ((#v-meshgateway-enabled)) (`boolean: false`) - If mesh gateways are enabled, a Deployment will be created that runs
    gateways and Consul Connect will be configured to use gateways.
    See https://www.consul.io/docs/connect/mesh_gateway.html
    Requirements: consul 1.6.0+ if using
    global.acls.manageSystemACLs.

  - `replicas` ((#v-meshgateway-replicas)) (`integer: 2`) - Number of replicas for the Deployment.

  - `wanAddress` ((#v-meshgateway-wanaddress)) - What gets registered as WAN address for the gateway.

    - `source` ((#v-meshgateway-wanaddress-source)) (`string: Service`) - source configures where to retrieve the WAN address (and possibly port)
      for the mesh gateway from.
      Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`.

      - `Service` - Determine the address based on the service type.

        - If `service.type=LoadBalancer` use the external IP or hostname of
          the service. Use the port set by `service.port`.

        - If `service.type=NodePort` use the Node IP. The port will be set to
          `service.nodePort` so `service.nodePort` cannot be null.

        - If `service.type=ClusterIP` use the `ClusterIP`. The port will be set to
          `service.port`.

        - `service.type=ExternalName` is not supported.

      - `NodeIP` - The node IP as provided by the Kubernetes downward API.

      - `NodeName` - The name of the node as provided by the Kubernetes downward
        API. This is useful if the node names are DNS entries that
        are routable from other datacenters.

      - `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`.

    - `port` ((#v-meshgateway-wanaddress-port)) (`integer: 443`) - Port that gets registered for WAN traffic.
      If source is set to "Service" then this setting will have no effect.
      See the documentation for source as to which port will be used in that
      case.

    - `static` ((#v-meshgateway-wanaddress-static)) (`string: ""`) - If source is set to "Static" then this value will be used as the WAN
      address of the mesh gateways. This is useful if you've configured a
      DNS entry to point to your mesh gateways.

  - `service` ((#v-meshgateway-service)) - The service option configures the Service that fronts the Gateway Deployment.

    - `enabled` ((#v-meshgateway-service-enabled)) (`boolean: true`) - Whether to create a Service or not.

    - `type` ((#v-meshgateway-service-type)) (`string: LoadBalancer`) - Type of service, ex. LoadBalancer, ClusterIP.

    - `port` ((#v-meshgateway-service-port)) (`integer: 443`) - Port that the service will be exposed on.
      The targetPort will be set to meshGateway.containerPort.

    - `nodePort` ((#v-meshgateway-service-nodeport)) (`integer: null`) - Optionally set the nodePort value of the service if using a NodePort service.
      If not set and using a NodePort service, Kubernetes will automatically assign
      a port.

    - `annotations` ((#v-meshgateway-service-annotations)) (`string: null`) - Annotations to apply to the mesh gateway service.

      Example:

      ```yaml
      annotations: |
        'annotation-key': annotation-value
      ```

    - `additionalSpec` ((#v-meshgateway-service-additionalspec)) (`string: null`) - Optional YAML string that will be appended to the Service spec.

  - `hostNetwork` ((#v-meshgateway-hostnetwork)) (`boolean: false`) - If set to true, gateway Pods will run on the host network.

  - `dnsPolicy` ((#v-meshgateway-dnspolicy)) (`string: null`) - dnsPolicy to use.

  - `consulServiceName` ((#v-meshgateway-consulservicename)) (`string: mesh-gateway`) - Consul service name for the mesh gateways.
    Cannot be set to anything other than "mesh-gateway" if
    global.acls.manageSystemACLs is true since the ACL token
    generated is only for the name 'mesh-gateway'.

  - `containerPort` ((#v-meshgateway-containerport)) (`integer: 8443`) - Port that the gateway will run on inside the container.

  - `hostPort` ((#v-meshgateway-hostport)) (`integer: null`) - Optional hostPort for the gateway to be exposed on.
    This can be used with wanAddress.port and wanAddress.useNodeIP
    to expose the gateways directly from the node.
    If hostNetwork is true, this must be null or set to the same port as
    containerPort.
    NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul
    agent.

  - `serviceAccount` ((#v-meshgateway-serviceaccount))

    - `annotations` ((#v-meshgateway-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the mesh gateways' service account. This should be formatted as a
      multi-line string.

      ```yaml
      annotations: |
        "sample/annotation1": "foo"
        "sample/annotation2": "bar"
      ```

  - `resources` ((#v-meshgateway-resources)) (`map`) - Resource settings for mesh gateway pods.
    NOTE: The use of a YAML string is deprecated. Instead, set directly as a
    YAML map.

  - `initCopyConsulContainer` ((#v-meshgateway-initcopyconsulcontainer)) (`map`) - Resource settings for the `copy-consul-bin` init container.

  - `affinity` ((#v-meshgateway-affinity)) (`string`) - By default, we set an anti-affinity so that two gateway pods won't be
    on the same node. NOTE: Gateways require that Consul client agents are
    also running on the nodes alongside each gateway pod.

  - `tolerations` ((#v-meshgateway-tolerations)) (`string: null`) - Optional YAML string to specify tolerations.

  - `nodeSelector` ((#v-meshgateway-nodeselector)) (`string: null`) - Optional YAML string to specify a nodeSelector config.

  - `priorityClassName` ((#v-meshgateway-priorityclassname)) (`string: ""`) - Optional priorityClassName.

  - `annotations` ((#v-meshgateway-annotations)) (`string: null`) - Annotations to apply to the mesh gateway deployment.

    Example:

    ```yaml
    annotations: |
      'annotation-key': annotation-value
    ```

### ingressGateways

- `ingressGateways` ((#v-ingressgateways)) - Configuration options for ingress gateways. Default values for all
  ingress gateways are defined in `ingressGateways.defaults`. Any of
  these values may be overridden in `ingressGateways.gateways` for a
  specific gateway with the exception of annotations. Annotations will
  include both the default annotations and any additional ones defined
  for a specific gateway.
  Requirements: consul >= 1.8.0

  - `enabled` ((#v-ingressgateways-enabled)) (`boolean: false`) - Enable ingress gateway deployment. Requires `connectInject.enabled=true`
    and `client.enabled=true`.

  - `defaults` ((#v-ingressgateways-defaults)) - Defaults sets default values for all gateway fields. With the exception
    of annotations, defining any of these values in the `gateways` list
    will override the default values provided here. Annotations will
    include both the default annotations and any additional ones defined
    for a specific gateway.

    - `replicas` ((#v-ingressgateways-defaults-replicas)) (`integer: 2`) - Number of replicas for each ingress gateway defined.

    - `service` ((#v-ingressgateways-defaults-service)) - The service options configure the Service that fronts the gateway Deployment.

      - `type` ((#v-ingressgateways-defaults-service-type)) (`string: ClusterIP`) - Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service
        type, you must set the desired nodePorts in the `ports` setting below.

      - `ports` ((#v-ingressgateways-defaults-service-ports)) (`array<map>: [{port: 8080, port: 8443}]`) - Ports that will be exposed on the service and gateway container. Any
        ports defined as ingress listeners on the gateway's Consul configuration
        entry should be included here. The first port will be used as part of
        the Consul service registration for the gateway and be listed in its
        SRV record. If using a NodePort service type, you must specify the
        desired nodePort for each exposed port.

      - `annotations` ((#v-ingressgateways-defaults-service-annotations)) (`string: null`) - Annotations to apply to the ingress gateway service. Annotations defined
        here will be applied to all ingress gateway services in addition to any
        service annotations defined for a specific gateway in `ingressGateways.gateways`.

        Example:

        ```yaml
        annotations: |
          'annotation-key': annotation-value
        ```

      - `additionalSpec` ((#v-ingressgateways-defaults-service-additionalspec)) (`string: null`) - Optional YAML string that will be appended to the Service spec.

    - `serviceAccount` ((#v-ingressgateways-defaults-serviceaccount))

      - `annotations` ((#v-ingressgateways-defaults-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the ingress gateways' service account. This should be formatted
        as a multi-line string.

        ```yaml
        annotations: |
          "sample/annotation1": "foo"
          "sample/annotation2": "bar"
        ```

    - `resources` ((#v-ingressgateways-defaults-resources)) (`map`) - Resource limits for all ingress gateway pods

    - `initCopyConsulContainer` ((#v-ingressgateways-defaults-initcopyconsulcontainer)) (`map`) - Resource settings for the `copy-consul-bin` init container.

    - `affinity` ((#v-ingressgateways-defaults-affinity)) (`string`) - By default, we set an anti-affinity so that two of the same gateway pods
      won't be on the same node. NOTE: Gateways require that Consul client agents are
      also running on the nodes alongside each gateway pod.

    - `tolerations` ((#v-ingressgateways-defaults-tolerations)) (`string: null`) - Optional YAML string to specify tolerations.

    - `nodeSelector` ((#v-ingressgateways-defaults-nodeselector)) (`string: null`) - Optional YAML string to specify a nodeSelector config.

    - `priorityClassName` ((#v-ingressgateways-defaults-priorityclassname)) (`string: ""`) - Optional priorityClassName.

    - `annotations` ((#v-ingressgateways-defaults-annotations)) (`string: null`) - Annotations to apply to the ingress gateway deployment. Annotations defined
      here will be applied to all ingress gateway deployments in addition to any
      annotations defined for a specific gateway in `ingressGateways.gateways`.

      Example:

      ```yaml
      annotations: |
        "annotation-key": 'annotation-value'
      ```

    - `consulNamespace` ((#v-ingressgateways-defaults-consulnamespace)) (`string: default`) - <EnterpriseAlert inline /> `consulNamespace` defines the Consul namespace to register
      the gateway into. Requires `global.enableConsulNamespaces` to be true and
      Consul Enterprise v1.7+ with a valid Consul Enterprise license.
      Note: The Consul namespace MUST exist before the gateway is deployed.

  - `gateways` ((#v-ingressgateways-gateways)) (`array<map>`) - Gateways is a list of gateway objects. The only required field for
    each is `name`, though they can also contain any of the fields in
    `defaults`. Values defined here override the defaults except in the
    case of annotations where both will be applied.

    - `name` ((#v-ingressgateways-gateways-name)) (`string: ingress-gateway`)

### terminatingGateways

- `terminatingGateways` ((#v-terminatinggateways)) - Configuration options for terminating gateways. Default values for all
  terminating gateways are defined in `terminatingGateways.defaults`. Any of
  these values may be overridden in `terminatingGateways.gateways` for a
  specific gateway with the exception of annotations. Annotations will
  include both the default annotations and any additional ones defined
  for a specific gateway.
  Requirements: consul >= 1.8.0

  - `enabled` ((#v-terminatinggateways-enabled)) (`boolean: false`) - Enable terminating gateway deployment. Requires `connectInject.enabled=true`
    and `client.enabled=true`.

  - `defaults` ((#v-terminatinggateways-defaults)) - Defaults sets default values for all gateway fields. With the exception
    of annotations, defining any of these values in the `gateways` list
    will override the default values provided here. Annotations will
    include both the default annotations and any additional ones defined
    for a specific gateway.

    - `replicas` ((#v-terminatinggateways-defaults-replicas)) (`integer: 2`) - Number of replicas for each terminating gateway defined.

    - `extraVolumes` ((#v-terminatinggateways-defaults-extravolumes)) (`array<map>`) - A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig/<name>/`.

      Example:

      ```yaml
      extraVolumes:
        - type: secret
          name: my-secret
          items: # optional items array
            - key: key
              path: path # secret will now mount to /consul/userconfig/my-secret/path
      ```

    - `resources` ((#v-terminatinggateways-defaults-resources)) (`map`) - Resource limits for all terminating gateway pods

    - `initCopyConsulContainer` ((#v-terminatinggateways-defaults-initcopyconsulcontainer)) (`map`) - Resource settings for the `copy-consul-bin` init container.

    - `affinity` ((#v-terminatinggateways-defaults-affinity)) (`string`) - By default, we set an anti-affinity so that two of the same gateway pods
      won't be on the same node. NOTE: Gateways require that Consul client agents are
      also running on the nodes alongside each gateway pod.

    - `tolerations` ((#v-terminatinggateways-defaults-tolerations)) (`string: null`) - Optional YAML string to specify tolerations.

    - `nodeSelector` ((#v-terminatinggateways-defaults-nodeselector)) (`string: null`) - Optional YAML string to specify a nodeSelector config.

    - `priorityClassName` ((#v-terminatinggateways-defaults-priorityclassname)) (`string: ""`) - Optional priorityClassName.

    - `annotations` ((#v-terminatinggateways-defaults-annotations)) (`string: null`) - Annotations to apply to the terminating gateway deployment. Annotations defined
      here will be applied to all terminating gateway deployments in addition to any
      annotations defined for a specific gateway in `terminatingGateways.gateways`.

      Example:

      ```yaml
      annotations: |
        'annotation-key': annotation-value
      ```

    - `serviceAccount` ((#v-terminatinggateways-defaults-serviceaccount))

      - `annotations` ((#v-terminatinggateways-defaults-serviceaccount-annotations)) (`string: null`) - This value defines additional annotations for the terminating gateways' service account. This should be
        formatted as a multi-line string.

        ```yaml
        annotations: |
          "sample/annotation1": "foo"
          "sample/annotation2": "bar"
        ```

    - `consulNamespace` ((#v-terminatinggateways-defaults-consulnamespace)) (`string: default`) - <EnterpriseAlert inline /> `consulNamespace` defines the Consul namespace to register
      the gateway into. Requires `global.enableConsulNamespaces` to be true and
      Consul Enterprise v1.7+ with a valid Consul Enterprise license.
      Note: The Consul namespace MUST exist before the gateway is deployed.

  - `gateways` ((#v-terminatinggateways-gateways)) (`array<map>`) - Gateways is a list of gateway objects. The only required field for
    each is `name`, though they can also contain any of the fields in
    `defaults`. Values defined here override the defaults except in the
    case of annotations where both will be applied.

    - `name` ((#v-terminatinggateways-gateways-name)) (`string: terminating-gateway`)

### prometheus

- `prometheus` ((#v-prometheus)) - Configures a demo Prometheus installation.

  - `enabled` ((#v-prometheus-enabled)) (`boolean: false`) - When true, the Helm chart will install a demo Prometheus server instance
    alongside Consul.

### tests

- `tests` ((#v-tests)) - Control whether a test Pod manifest is generated when running helm template.
  When using helm install, the test Pod is not submitted to the cluster so this
  is only useful when running helm template.

  - `enabled` ((#v-tests-enabled)) (`boolean: true`)
  <!-- codegen: end -->

## Helm Chart Examples

The below `config.yaml` results in a single server Consul cluster with a `LoadBalancer` to allow external access to the UI and API.

```yaml
# config.yaml
server:
  replicas: 1
  bootstrapExpect: 1

ui:
  service:
    type: LoadBalancer
```

The below `config.yaml` results in a three server Consul Enterprise cluster with 100GB of storage and automatic Connect injection.

Note, this would require a secret that contains the enterprise license key.

```yaml
# config.yaml
global:
  image: 'hashicorp/consul-enterprise:1.4.2-ent'

server:
  replicas: 3
  bootstrapExpect: 3
  enterpriseLicense:
    secretName: 'consul-license'
    secretKey: 'key'
  storage: 100Gi
  connect: true

client:
  grpc: true

connectInject:
  enabled: true
  default: false
```

## Customizing the Helm Chart

Consul within Kubernetes is highly configurable and the Helm chart contains dozens
of the most commonly used configuration options.
If you need to extend the Helm chart with additional options, we recommend using a third-party tool,
such as [kustomize](https://github.com/kubernetes-sigs/kustomize) or [ship](https://github.com/replicatedhq/ship).
Note that the Helm chart heavily relies on Helm lifecycle hooks, and so features like bootstrapping ACLs or TLS
will not work as expected. Additionally, we can make changes to the internal implementation (e.g., renaming template files) that
may be backward incompatible with such customizations.