values.yaml
# Available parameters and their default values for the Consul chart.
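global:
  # enabled is the master enabled switch. Setting this to true or false
  # will enable or disable all the components within this chart by default.
  # Each component can be overridden using the component-specific "enabled"
  # value.
  enabled: true

  # Domain to register the Consul DNS server to listen for.
  domain: consul

  # Image is the name (and tag) of the Consul Docker image for clients and
  # servers below. This can be overridden per component.
  #
  # Examples:
  #   image: "consul:1.5.0"
  #   image: "hashicorp/consul-enterprise:1.5.0-ent"  # Enterprise Consul image
  #
  # NOTE(security): a tag is a mutable reference. Where the registry supports
  # it, pinning by digest (e.g. "consul@sha256:<digest>") makes the deployed
  # image reproducible and reviewable.
  image: "consul:1.5.0"

  # imageK8S is the name (and tag) of the consul-k8s Docker image that
  # is used for functionality such as the catalog sync. This can be overridden
  # per component below.
  # Note: support for the catalog sync's liveness and readiness probes was added
  # to consul-k8s v0.6.0. If using an older consul-k8s version, you may need to
  # remove these checks to make the sync work.
  # If using mesh gateways and bootstrapACLs then must be >= 0.9.0.
  imageK8S: "hashicorp/consul-k8s:0.9.0"

  # Datacenter is the name of the datacenter that the agents should register
  # as. This shouldn't be changed once the Consul cluster is up and running
  # since Consul doesn't support an automatic way to change this value
  # currently: https://github.com/hashicorp/consul/issues/1858
  datacenter: dc1

  # enablePodSecurityPolicies is a boolean flag that controls whether pod
  # security policies are created for the consul components created by this
  # chart. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/
  enablePodSecurityPolicies: false

  # Gossip encryption key. To enable gossip encryption, provide the name of
  # a Kubernetes secret that contains a gossip key. You can create a gossip
  # key with the "consul keygen" command.
  # See https://www.consul.io/docs/commands/keygen.html
  #
  # NOTE(security): with both fields null (the default) gossip encryption is
  # not enabled, so agent-to-agent gossip traffic is sent unencrypted. Set
  # both fields for any cluster that is not a throwaway test environment.
  gossipEncryption:
    secretName: null
    secretKey: null

  # bootstrapACLs will automatically create and assign ACL tokens within
  # the Consul cluster. This currently requires enabling both servers and
  # clients within Kubernetes. Additionally requires Consul v1.4+ and
  # consul-k8s v0.8.0+.
  #
  # NOTE(security): while this is false the chart creates no ACL tokens.
  # Unless ACLs are configured some other way (for example through
  # server.extraConfig), the Consul HTTP API and UI accept requests without
  # a token, so restrict network access to them accordingly.
  bootstrapACLs: false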
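# Server, when enabled, configures a server cluster to run. This should
# be disabled if you plan on connecting to a Consul cluster external to
# the Kube cluster.
server:
  # "-" means "use the default", which follows global.enabled.
  enabled: "-"
  image: null
  replicas: 3
  bootstrapExpect: 3  # Should be <= replicas count

  # enterpriseLicense refers to a Kubernetes secret that you have created that
  # contains your enterprise license. It is required if you are using an
  # enterprise binary. Defining it here applies it to your cluster once a leader
  # has been elected. If you are not using an enterprise image
  # or if you plan to introduce the license key via another route, then set
  # these fields to null.
  enterpriseLicense:
    secretName: null
    secretKey: null

  # storage and storageClass are the settings for configuring stateful
  # storage for the server pods. storage should be set to the disk size of
  # the attached volume. storageClass is the class of storage which defaults
  # to null (the Kube cluster will pick the default).
  storage: 10Gi
  storageClass: null

  # connect will enable Connect on all the servers, initializing a CA
  # for Connect-related connections. Other customizations can be done
  # via the extraConfig setting.
  connect: true

  # Resource requests, limits, etc. for the server cluster placement. This
  # should map directly to the value of the resources field for a PodSpec,
  # formatted as a multi-line string. By default no direct resource request
  # is made.
  resources: null

  # updatePartition is used to control a careful rolling update of Consul
  # servers. This should be done particularly when changing the version
  # of Consul. Please refer to the documentation for more information.
  updatePartition: 0

  # disruptionBudget enables the creation of a PodDisruptionBudget to
  # prevent voluntary degrading of the Consul server cluster.
  disruptionBudget:
    enabled: true

    # maxUnavailable will default to (n/2)-1 where n is the number of
    # replicas. If you'd like a custom value, you can specify an override here.
    maxUnavailable: null

  # extraConfig is a raw string of extra configuration to set with the
  # server. This should be JSON.
  #
  # NOTE(security): this string is part of the chart values, so it ends up
  # wherever the values are stored. Keep tokens, keys and other secrets out
  # of it and mount them through extraVolumes (type: secret) instead.
  extraConfig: |
    {}

  # extraVolumes is a list of extra volumes to mount. These will be exposed
  # to Consul in the path `/consul/userconfig/<name>/`. The value below is
  # an array of objects, examples are shown below.
  extraVolumes: []
  # - type: secret (or "configMap")
  #   name: my-secret
  #   load: false # if true, will add to `-config-dir` to load by Consul

  # Affinity Settings
  # Commenting out the affinity variable, or setting it to empty, will allow
  # deployment to single-node services such as Minikube.
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app: {{ template "consul.name" . }}
              release: "{{ .Release.Name }}"
              component: server
          topologyKey: kubernetes.io/hostname

  # Toleration Settings for server pods
  # This should be a multi-line string matching the Toleration array
  # in a PodSpec.
  tolerations: ""

  # nodeSelector labels for server pod assignment, formatted as a multi-line
  # string.
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  # Example:
  # nodeSelector: |
  #   beta.kubernetes.io/arch: amd64
  nodeSelector: null

  # used to assign priority to server pods
  # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
  priorityClassName: ""

  # Extra annotations to attach to the server pods
  # This should be a multi-line string mapping directly to a map of
  # the annotations to apply to the server pods
  annotations: null

  # extraEnvironmentVars is a map of extra environment variables to set with
  # the stateful set. These could be used to include proxy settings required
  # for the cloud auto-join feature, in case the kubernetes cluster is behind
  # egress http proxies. Additionally, it could be used to configure custom
  # consul parameters.
  #
  # NOTE(security): values given here are plain text in the chart values, so
  # do not use this map for credentials.
  extraEnvironmentVars: {}
  # http_proxy: http://localhost:3128
  # https_proxy: http://localhost:3128
  # no_proxy: internal.domain.com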
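# Client, when enabled, configures Consul clients to run on every node
# within the Kube cluster. The current deployment model follows a traditional
# DC where a single agent is deployed per node.
client:
  # "-" means "use the default", which follows global.enabled.
  enabled: "-"
  image: null
  join: null

  # grpc should be set to true if the gRPC listener should be enabled.
  # This should be set to true if connectInject or meshGateway is enabled.
  grpc: false

  # Resource requests, limits, etc. for the client cluster placement. This
  # should map directly to the value of the resources field for a PodSpec,
  # formatted as a multi-line string. By default no direct resource request
  # is made.
  resources: null

  # extraConfig is a raw string of extra configuration to set with the
  # client. This should be JSON.
  #
  # NOTE(security): this string is part of the chart values, so it ends up
  # wherever the values are stored. Keep tokens, keys and other secrets out
  # of it and mount them through extraVolumes (type: secret) instead.
  extraConfig: |
    {}

  # extraVolumes is a list of extra volumes to mount. These will be exposed
  # to Consul in the path `/consul/userconfig/<name>/`. The value below is
  # an array of objects, examples are shown below.
  extraVolumes: []
  # - type: secret (or "configMap")
  #   name: my-secret
  #   load: false # if true, will add to `-config-dir` to load by Consul

  # Toleration Settings for Client pods
  # This should be a multi-line string matching the Toleration array
  # in a PodSpec.
  # The example below will allow Client pods to run on every node
  # regardless of taints
  # tolerations: |
  #   - operator: "Exists"
  #
  # NOTE(security): a bare `operator: "Exists"` tolerates every taint, which
  # includes taints used to keep workloads off dedicated or control-plane
  # nodes. Prefer tolerating only the specific taints you need.
  tolerations: ""

  # nodeSelector labels for client pod assignment, formatted as a multi-line
  # string.
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  # Example:
  # nodeSelector: |
  #   beta.kubernetes.io/arch: amd64
  nodeSelector: null

  # used to assign priority to client pods
  # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
  priorityClassName: ""

  # Extra annotations to attach to the client pods
  # This should be a multi-line string mapping directly to a map of
  # the annotations to apply to the client pods
  annotations: null

  # extraEnvironmentVars is a map of extra environment variables to set with
  # the pod. These could be used to include proxy settings required for the
  # cloud auto-join feature, in case the kubernetes cluster is behind egress
  # http proxies. Additionally, it could be used to configure custom consul
  # parameters.
  #
  # NOTE(security): values given here are plain text in the chart values, so
  # do not use this map for credentials.
  extraEnvironmentVars: {}
  # http_proxy: http://localhost:3128
  # https_proxy: http://localhost:3128
  # no_proxy: internal.domain.com

  # snapshotAgent contains settings for setting up and running snapshot agents
  # within the Consul clusters. They are required to be co-located with Consul
  # clients, so will inherit the clients' nodeSelector, tolerations and affinity.
  # This is an Enterprise feature only.
  snapshotAgent:
    enabled: false

    # replicas determines how many snapshot agent pods are created
    replicas: 2

    # configSecret references a Kubernetes secret that should be manually
    # created to contain the entire config to be used on the snapshot agent.
    # This is the preferred method of configuration since there are usually
    # storage credentials present.
    # Snapshot agent config details:
    # https://www.consul.io/docs/commands/snapshot/agent.html#config-file-options-
    # To create a secret:
    # https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret-using-kubectl-create-secret
    configSecret:
      secretName: null
      secretKey: null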
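# Configuration for DNS within the Kubernetes cluster.
# This creates a service that routes to all agents (client or server)
# for serving DNS requests. This DOES NOT automatically configure kube-dns
# today, so you must still manually configure a `stubDomain` with kube-dns
# for this to have any effect:
# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers
dns:
  # "-" means "use the default", which follows global.enabled.
  enabled: "-"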
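ui:
  # True if you want to enable the Consul UI. The UI will run only
  # on the server nodes. This makes UI access via the service below (if
  # enabled) predictable rather than "any node" if you're running Consul
  # clients as well.
  enabled: "-"

  # True if you want to create a Service entry for the Consul UI.
  #
  # service.type can be used to control the type of service created. For
  # example, setting this to "LoadBalancer" will create an external load
  # balancer (for supported K8S installations) to access the UI.
  #
  # NOTE(security): while global.bootstrapACLs is false and ACLs are not
  # configured another way, anyone who can reach this Service can use the UI
  # without a token. Avoid an externally reachable type such as
  # "LoadBalancer" in that state, or restrict the source ranges through
  # additionalSpec / annotations.
  service:
    enabled: true
    type: null

    # This should be a multi-line string mapping directly to a map of
    # the annotations to apply to the UI service
    annotations: null

    # Additional ServiceSpec values
    # This should be a multi-line string mapping directly to a Kubernetes
    # ServiceSpec object.
    additionalSpec: null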
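# syncCatalog will run the catalog sync process to sync K8S with Consul
# services. This can run bidirectionally (default) or unidirectionally (Consul
# to K8S or K8S to Consul only).
#
# This process assumes that a Consul agent is available on the host IP.
# This is done automatically if clients are enabled. If clients are not
# enabled then set the node selection so that it chooses a node with a
# Consul agent.
syncCatalog:
  # True if you want to enable the catalog sync. "-" for default.
  enabled: false
  image: null
  default: true  # true will sync by default, otherwise requires annotation

  # toConsul and toK8S control whether syncing is enabled to Consul or K8S
  # as a destination. If both of these are disabled, the sync will do nothing.
  toConsul: true
  toK8S: true

  # k8sPrefix is the service prefix to prepend to services before registering
  # with Kubernetes. For example "consul-" will register all services
  # prepended with "consul-". (Consul -> Kubernetes sync)
  k8sPrefix: null

  # consulPrefix is the service prefix which prepends itself
  # to Kubernetes services registered within Consul.
  # For example, "k8s-" will register all services prepended with "k8s-".
  # (Kubernetes -> Consul sync)
  consulPrefix: null

  # k8sTag is an optional tag that is applied to all of the Kubernetes services
  # that are synced into Consul. If nothing is set, defaults to "k8s".
  # (Kubernetes -> Consul sync)
  k8sTag: null

  # syncClusterIPServices syncs services of the ClusterIP type, which may
  # or may not be broadly accessible depending on your Kubernetes cluster.
  # Set this to false to skip syncing ClusterIP services.
  syncClusterIPServices: true

  # nodePortSyncType configures the type of syncing that happens for NodePort
  # services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst.
  # - ExternalOnly will only use a node's ExternalIP address for the sync
  # - InternalOnly uses the node's InternalIP address
  # - ExternalFirst will preferentially use the node's ExternalIP address, but
  #   if it doesn't exist, it will use the node's InternalIP address instead.
  nodePortSyncType: ExternalFirst

  # aclSyncToken refers to a Kubernetes secret that you have created that
  # contains an ACL token for your Consul cluster which allows the sync process
  # the correct permissions. This is only needed if ACLs are enabled on the
  # Consul cluster.
  #
  # NOTE(security): give this token only the permissions the sync process
  # needs rather than reusing a management token.
  aclSyncToken:
    secretName: null
    secretKey: null

  # nodeSelector labels for syncCatalog pod assignment, formatted as a
  # multi-line string.
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  # Example:
  # nodeSelector: |
  #   beta.kubernetes.io/arch: amd64
  nodeSelector: null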
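# ConnectInject will enable the automatic Connect sidecar injector.
connectInject:
  enabled: false
  image: null  # image for consul-k8s that contains the injector
  default: false  # true will inject by default, otherwise requires annotation

  # imageConsul and imageEnvoy can be set to Docker images for Consul and
  # Envoy, respectively. If the Consul image is not specified, the global
  # default will be used. If the Envoy image is not specified, an early
  # version of Envoy will be used.
  #
  # NOTE(security): set imageEnvoy explicitly so that the sidecar version
  # running next to every injected workload is a deliberate, reviewable
  # choice rather than the injector's built-in default.
  imageConsul: null
  imageEnvoy: null

  # namespaceSelector is the selector for restricting the webhook to only
  # specific namespaces. This should be set to a multiline string.
  namespaceSelector: null

  # The certs section configures how the webhook TLS certs are configured.
  # These are the TLS certs for the Kube apiserver communicating to the
  # webhook. By default, the injector will generate and manage its own certs,
  # but this requires the ability for the injector to update its own
  # MutatingWebhookConfiguration. In a production environment, custom certs
  # should probably be used. Configure the values below to enable this.
  certs:
    # secretName is the name of the secret that has the TLS certificate and
    # private key to serve the injector webhook. If this is null, then the
    # injector will default to its automatic management mode that will assign
    # a service account to the injector to generate its own certificates.
    secretName: null

    # caBundle is a base64-encoded PEM-encoded certificate bundle for the
    # CA that signed the TLS certificate that the webhook serves. This must
    # be set if secretName is non-null.
    # Only the CA certificate(s) belong here; the private key stays in the
    # secret named by secretName.
    caBundle: ""

    # certName and keyName are the names of the files within the secret for
    # the TLS cert and private key, respectively. These have reasonable
    # defaults but can be customized if necessary.
    certName: tls.crt
    keyName: tls.key

  # nodeSelector labels for connectInject pod assignment, formatted as a
  # multi-line string.
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  # Example:
  # nodeSelector: |
  #   beta.kubernetes.io/arch: amd64
  nodeSelector: null

  # aclBindingRuleSelector is a string that defines the automatic binding
  # rule to control the allowed authentication for Connect injection. The
  # default disallows using the default service account for ACL generation.
  # Requires Consul v1.5+ and consul-k8s v0.8.0+.
  aclBindingRuleSelector: "serviceaccount.name!=default"

  # Requires Consul v1.5+ and consul-k8s v0.8.1+
  centralConfig:
    enabled: false

    # defaultProtocol allows you to specify a convenience default protocol if
    # most of your services are of the same protocol type. The individual
    # annotation on any given pod will override this value. A protocol must be
    # provided, either through this setting or individual annotation, for a
    # service to be registered correctly. Valid values are "http", "http2",
    # "grpc" and "tcp".
    defaultProtocol: null

    # proxyDefaults is a raw json string that will be applied to all Connect
    # proxy sidecar pods that can include any valid configuration for the
    # configured proxy.
    proxyDefaults: |
      {}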
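# Mesh Gateways enable Consul Connect to work across Consul datacenters.
meshGateway:
  # If mesh gateways are enabled, a Deployment will be created that runs
  # gateways and Consul Connect will be configured to use gateways.
  # See https://www.consul.io/docs/connect/mesh_gateway.html
  # Requirements: consul >= 1.6.0 and consul-k8s >= 0.9.0 if using
  # global.bootstrapACLs.
  enabled: false

  # Globally configure which mode the gateway should run in.
  # Can be set to either "remote", "local", "none" or empty string or null.
  # See https://consul.io/docs/connect/mesh_gateway.html#modes-of-operation for
  # a description of each mode.
  # If set to anything other than "" or null, connectInject.centralConfig.enabled
  # should be set to true so that the global config will actually be used.
  # If set to the empty string, no global default will be set and the gateway mode
  # will need to be set individually for each service.
  globalMode: local

  # Number of replicas for the Deployment.
  replicas: 2

  # What gets registered as wan address for the gateway.
  wanAddress:
    # Port that gets registered.
    port: 443

    # If true, each Gateway Pod will advertise its NodeIP
    # (as provided by the Kubernetes downward API) as the wan address.
    # This is useful if the node IPs are routable from other DCs.
    # useNodeName and host must be false and "" respectively.
    useNodeIP: true

    # If true, each Gateway Pod will advertise its NodeName
    # (as provided by the Kubernetes downward API) as the wan address.
    # This is useful if the node names are DNS entries that are
    # routable from other DCs.
    # meshGateway.wanAddress.port will be used as the port for the wan address.
    # useNodeIP and host must be false and "" respectively.
    useNodeName: false

    # If set, each gateway Pod will use this host as its wan address.
    # Users must ensure that this address routes to the Gateway pods,
    # for example via a DNS entry that routes to the Service fronting the
    # Deployment.
    # meshGateway.wanAddress.port will be used as the port for the wan address.
    # useNodeIP and useNodeName must be false.
    host: ""

  # The service option configures the Service that fronts the Gateway Deployment.
  service:
    # Whether to create a Service or not.
    enabled: false

    # Type of service, ex. LoadBalancer, ClusterIP.
    type: ClusterIP

    # Port that the service will be exposed on.
    # The targetPort will be set to meshGateway.containerPort.
    port: 443

    # Optional nodePort of the service. Can be used in conjunction with
    # type: NodePort.
    nodePort: null

    # Optional YAML string for additional annotations.
    annotations: null

    # Optional YAML string that will be appended to the Service spec.
    additionalSpec: null

  # Envoy image to use.
  # NOTE(security): the gateway is the component other datacenters connect
  # to, so check this pinned Envoy version against Envoy's published security
  # advisories before deploying and raise it if needed.
  imageEnvoy: envoyproxy/envoy:v1.10.0

  # If set to true, gateway Pods will run on the host network.
  # NOTE(security): the Pods then share the node's network namespace; enable
  # this only when the gateway really has to be exposed directly from the
  # node.
  hostNetwork: false

  # dnsPolicy to use.
  dnsPolicy: null

  # Override the default 'mesh-gateway' service name registered in Consul.
  # Cannot be used if bootstrapACLs is true since the ACL token generated
  # is only for the name 'mesh-gateway'.
  consulServiceName: ""

  # Port that the gateway will run on inside the container.
  containerPort: 443

  # Optional hostPort for the gateway to be exposed on.
  # This can be used with wanAddress.port and wanAddress.useNodeIP
  # to expose the gateways directly from the node.
  # If hostNetwork is true, this must be null or set to the same port as
  # containerPort.
  # NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul
  # agent.
  hostPort: null

  # If there are no connect-enabled services running, then the gateway
  # will fail health checks. You may disable health checks as a temporary
  # workaround.
  enableHealthChecks: true

  resources: |
    requests:
      memory: "128Mi"
      cpu: "250m"
    limits:
      memory: "256Mi"
      cpu: "500m"

  # By default, we set an anti affinity so that two gateway pods won't be
  # on the same node. NOTE: Gateways require that Consul client agents are
  # also running on the nodes alongside each gateway Pod.
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app: {{ template "consul.name" . }}
              release: "{{ .Release.Name }}"
              component: mesh-gateway
          topologyKey: kubernetes.io/hostname

  # Optional YAML string to specify tolerations.
  tolerations: null

  # Optional YAML string to specify a nodeSelector config.
  nodeSelector: null

  # Optional priorityClassName.
  priorityClassName: ""

  # Optional YAML string for additional annotations.
  annotations: null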