Skip to content

Instantly share code, notes, and snippets.

@codyde

codyde/values.yaml

Created January 3, 2020 20:58
Show Gist options
  • Save codyde/0c013e79dc7f5bba865dec1049ab504b to your computer and use it in GitHub Desktop.
Save codyde/0c013e79dc7f5bba865dec1049ab504b to your computer and use it in GitHub Desktop.
Download ZIP
Consul-Helm Values for KIND
Raw
values.yaml
global:
# enabled is the master enabled switch. Setting this to true or false
# will enable or disable all the components within this chart by default.
# Each component can be overridden using the component-specific "enabled"
# value.
enabled: true
# Domain to register the Consul DNS server to listen for.
domain: consul
# Image is the name (and tag) of the Consul Docker image for clients and
# servers below. This can be overridden per component.
#
# Examples:
# image: "consul:1.5.0"
# image: "hashicorp/consul-enterprise:1.5.0-ent" # Enterprise Consul image
image: "consul:1.6.2"
# imageK8S is the name (and tag) of the consul-k8s Docker image that
# is used for functionality such as the catalog sync. This can be overridden
# per component below.
# Note: support for the catalog sync's liveness and readiness probes was added
# to consul-k8s v0.6.0. If using an older consul-k8s version, you may need to
# remove these checks to make the sync work.
# If using mesh gateways and bootstrapACLs then must be >= 0.9.0.
imageK8S: "hashicorp/consul-k8s:0.9.5"
# Datacenter is the name of the datacenter that the agents should register
# as. This shouldn't be changed once the Consul cluster is up and running
# since Consul doesn't support an automatic way to change this value
# currently: https://github.com/hashicorp/consul/issues/1858
datacenter: dc1
# enablePodSecurityPolicies is a boolean flag that controls whether pod
# security policies are created for the consul components created by this
# chart. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/
enablePodSecurityPolicies: false
# Gossip encryption key. To enable gossip encryption, provide the name of
# a Kubernetes secret that contains a gossip key. You can create a gossip
# key with the "consul keygen" command.
# See https://www.consul.io/docs/commands/keygen.html
gossipEncryption:
secretName: null
secretKey: null
# bootstrapACLs will automatically create and assign ACL tokens within
# the Consul cluster. This currently requires enabling both servers and
# clients within Kubernetes. Additionally requires Consul v1.4+ and
# consul-k8s v0.8.0+.
bootstrapACLs: false
# Server, when enabled, configures a server cluster to run. This should
# be disabled if you plan on connecting to a Consul cluster external to
# the Kube cluster.
server:
enabled: "-"
image: null
replicas: 3
bootstrapExpect: 3 # Should <= replicas count
# enterpriseLicense refers to a Kubernetes secret that you have created that
# contains your enterprise license. It is required if you are using an
# enterprise binary. Defining it here applies it to your cluster once a leader
# has been elected. If you are not using an enterprise image
# or if you plan to introduce the license key via another route, then set
# these fields to null.
enterpriseLicense:
secretName: null
secretKey: null
# storage and storageClass are the settings for configuring stateful
# storage for the server pods. storage should be set to the disk size of
# the attached volume. storageClass is the class of storage which defaults
# to null (the Kube cluster will pick the default).
storage: 10Gi
storageClass: null
# connect will enable Connect on all the servers, initializing a CA
# for Connect-related connections. Other customizations can be done
# via the extraConfig setting.
connect: true
# Resource requests, limits, etc. for the server cluster placement. This
# should map directly to the value of the resources field for a PodSpec,
# formatted as a multi-line string. By default no direct resource request
# is made.
resources: null
# updatePartition is used to control a careful rolling update of Consul
# servers. This should be done particularly when changing the version
# of Consul. Please refer to the documentation for more information.
updatePartition: 0
# disruptionBudget enables the creation of a PodDisruptionBudget to
# prevent voluntary degrading of the Consul server cluster.
disruptionBudget:
enabled: true
# maxUnavailable will default to (n/2)-1 where n is the number of
# replicas. If you'd like a custom value, you can specify an override here.
maxUnavailable: null
# extraConfig is a raw string of extra configuration to set with the
# server. This should be JSON.
extraConfig: |
{}
# extraVolumes is a list of extra volumes to mount. These will be exposed
# to Consul in the path `/consul/userconfig/<name>/`. The value below is
# an array of objects, examples are shown below.
extraVolumes: []
# - type: secret (or "configMap")
# name: my-secret
# load: false # if true, will add to `-config-dir` to load by Consul
# Affinity Settings
# Commenting out or setting as empty the affinity variable, will allow
# deployment to single node services such as Minikube
affinity: |
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app: {{ template "consul.name" . }}
release: "{{ .Release.Name }}"
component: server
topologyKey: kubernetes.io/hostname
# Toleration Settings for server pods
# This should be a multi-line string matching the Toleration array
# in a PodSpec.
tolerations: ""
# nodeSelector labels for server pod assignment, formatted as a muli-line string.
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
# Example:
# nodeSelector: |
# beta.kubernetes.io/arch: amd64
nodeSelector: null
# used to assign priority to server pods
# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""
# Extra annotations to attach to the server pods
# This should be a multi-line string mapping directly to the a map of
# the annotations to apply to the server pods
annotations: null
# extraEnvVars is a list of extra enviroment variables to set with the stateful set. These could be
# used to include proxy settings required for cloud auto-join feature,
# in case kubernetes cluster is behind egress http proxies. Additionally, it could be used to configure
# custom consul parameters.
extraEnvironmentVars: {}
# http_proxy: http://localhost:3128,
# https_proxy: http://localhost:3128,
# no_proxy: internal.domain.com
# Client, when enabled, configures Consul clients to run on every node
# within the Kube cluster. The current deployment model follows a traditional
# DC where a single agent is deployed per node.
client:
enabled: "-"
image: null
join: null
# dataDirectoryHostPath is an absolute path to a directory on the host machine
# to use as the Consul client data directory.
# If set to the empty string or null, the Consul agent will store its data
# in the Pod's local filesystem (which will be lost if the Pod is deleted).
# If using Consul Connect, this directory must be set. Otherwise when the Consul
# agent Pod is deleted, e.g. during an upgrade, all the Connect-injected Pods
# on that node will be de-registered and will need to be restarted to be
# re-registered.
# Security Warning: If setting this, Pod Security Policies *must* be enabled on your cluster
# and in this Helm chart (via the global.enablePodSecurityPolicies setting)
# to prevent other Pods from mounting the same host path and gaining
# access to all of Consul's data. Consul's data is not encrypted at rest.
dataDirectoryHostPath: null
# If true, Consul's gRPC port will be exposed (see https://www.consul.io/docs/agent/options.html#grpc_port).
# This should be set to true if connectInject or meshGateway is enabled.
grpc: true
# exposeGossipPorts exposes the clients' gossip ports as hostPorts.
# This is only necessary if pod IPs in the k8s cluster are not directly
# routable and the Consul servers are outside of the k8s cluster. This
# also changes the clients' advertised IP to the hostIP rather than podIP.
exposeGossipPorts: false
# Resource requests, limits, etc. for the client cluster placement. This
# should map directly to the value of the resources field for a PodSpec,
# formatted as a multi-line string. By default no direct resource request
# is made.
resources: null
# extraConfig is a raw string of extra configuration to set with the
# client. This should be JSON.
extraConfig: |
{}
# extraVolumes is a list of extra volumes to mount. These will be exposed
# to Consul in the path `/consul/userconfig/<name>/`. The value below is
# an array of objects, examples are shown below.
extraVolumes: []
# - type: secret (or "configMap")
# name: my-secret
# load: false # if true, will add to `-config-dir` to load by Consul
# Toleration Settings for Client pods
# This should be a multi-line string matching the Toleration array
# in a PodSpec.
# The example below will allow Client pods to run on every node
# regardless of taints
# tolerations: |
# - operator: "Exists"
tolerations: ""
# nodeSelector labels for client pod assignment, formatted as a muli-line string.
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
# Example:
# nodeSelector: |
# beta.kubernetes.io/arch: amd64
nodeSelector: null
# Affinity Settings for Client pods, formatted as a multi-line YAML string.
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
# Example:
# affinity: |
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: node-role.kubernetes.io/master
# operator: DoesNotExist
affinity: {}
# used to assign priority to client pods
# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""
# Extra annotations to attach to the client pods
# This should be a multi-line string mapping directly to the a map of
# the annotations to apply to the client pods
annotations: null
# extraEnvVars is a list of extra enviroment variables to set with the pod. These could be
# used to include proxy settings required for cloud auto-join feature,
# in case kubernetes cluster is behind egress http proxies. Additionally, it could be used to configure
# custom consul parameters.
extraEnvironmentVars: {}
# http_proxy: http://localhost:3128,
# https_proxy: http://localhost:3128,
# no_proxy: internal.domain.com
# dnsPolicy to use.
dnsPolicy: null
# updateStrategy for the DaemonSet.
# See https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy.
# This should be a multi-line string mapping directly to the updateStrategy
# Example:
# updateStrategy: |
# rollingUpdate:
# maxUnavailable: 5
# type: RollingUpdate
updateStrategy: null
# snaphotAgent contains settings for setting up and running snapshot agents
# within the Consul clusters. They are required to be co-located with Consul
# clients, so will inherit the clients' nodeSelector, tolerations and affinity.
# This is an Enterprise feature only.
snapshotAgent:
enabled: false
# replicas determines how many snapshot agent pods are created
replicas: 2
# configSecret references a Kubernetes secret that should be manually created to
# contain the entire config to be used on the snapshot agent. This is the preferred
# method of configuration since there are usually storage credentials present.
# Snapshot agent config details:
# https://www.consul.io/docs/commands/snapshot/agent.html#config-file-options-
# To create a secret:
# https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret-using-kubectl-create-secret
configSecret:
secretName: null
secretKey: null
# Configuration for DNS configuration within the Kubernetes cluster.
# This creates a service that routes to all agents (client or server)
# for serving DNS requests. This DOES NOT automatically configure kube-dns
# today, so you must still manually configure a `stubDomain` with kube-dns
# for this to have any effect:
# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers
dns:
enabled: "-"
# Set a predefined cluster IP for the DNS service.
# Useful if you need to reference the DNS service's IP
# address in CoreDNS config.
clusterIP: null
# Extra annotations to attach to the dns service
# This should be a multi-line string of
# annotations to apply to the dns Service
annotations: null
ui:
# True if you want to enable the Consul UI. The UI will run only
# on the server nodes. This makes UI access via the service below (if
# enabled) predictable rather than "any node" if you're running Consul
# clients as well.
enabled: "-"
# True if you want to create a Service entry for the Consul UI.
#
# serviceType can be used to control the type of service created. For
# example, setting this to "LoadBalancer" will create an external load
# balancer (for supported K8S installations) to access the UI.
service:
enabled: true
type: LoadBalancer
# This should be a multi-line string mapping directly to the a map of
# the annotations to apply to the UI service
annotations: null
# Additional ServiceSpec values
# This should be a multi-line string mapping directly to a Kubernetes
# ServiceSpec object.
additionalSpec: null
# syncCatalog will run the catalog sync process to sync K8S with Consul
# services. This can run bidirectional (default) or unidirectionally (Consul
# to K8S or K8S to Consul only).
#
# This process assumes that a Consul agent is available on the host IP.
# This is done automatically if clients are enabled. If clients are not
# enabled then set the node selection so that it chooses a node with a
# Consul agent.
syncCatalog:
# True if you want to enable the catalog sync. Set to "-" to inherit from
# global.enabled.
enabled: true
image: null
default: true # true will sync by default, otherwise requires annotation
# toConsul and toK8S control whether syncing is enabled to Consul or K8S
# as a destination. If both of these are disabled, the sync will do nothing.
toConsul: true
toK8S: true
# k8sPrefix is the service prefix to prepend to services before registering
# with Kubernetes. For example "consul-" will register all services
# prepended with "consul-". (Consul -> Kubernetes sync)
k8sPrefix: null
# k8sSourceNamespace is the Kubernetes namespace to watch for service
# changes and sync to Consul. If this is not set then it will default
# to all namespaces.
k8sSourceNamespace: null
# addK8SNamespaceSuffix appends Kubernetes namespace suffix to
# each service name synced to Consul, separated by a dash.
# For example, for a service 'foo' in the default namespace,
# the sync process will create a Consul service named 'foo-default'.
# Set this flag to true to avoid registering services with the same name
# but in different namespaces as instances for the same Consul service.
# Namespace suffix is not added if 'annotationServiceName' is provided.
addK8SNamespaceSuffix: true
# consulPrefix is the service prefix which prepends itself
# to Kubernetes services registered within Consul
# For example, "k8s-" will register all services prepended with "k8s-".
# (Kubernetes -> Consul sync)
# consulPrefix is ignored when 'annotationServiceName' is provided.
# NOTE: Updating this property to a non-null value for an existing installation will result in deregistering
# of existing services in Consul and registering them with a new name.
consulPrefix: null
# k8sTag is an optional tag that is applied to all of the Kubernetes services
# that are synced into Consul. If nothing is set, defaults to "k8s".
# (Kubernetes -> Consul sync)
k8sTag: null
# syncClusterIPServices syncs services of the ClusterIP type, which may
# or may not be broadly accessible depending on your Kubernetes cluster.
# Set this to false to skip syncing ClusterIP services.
syncClusterIPServices: true
# nodePortSyncType configures the type of syncing that happens for NodePort
# services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst.
# - ExternalOnly will only use a node's ExternalIP address for the sync
# - InternalOnly use's the node's InternalIP address
# - ExternalFirst will preferentially use the node's ExternalIP address, but
# if it doesn't exist, it will use the node's InternalIP address instead.
nodePortSyncType: ExternalFirst
# aclSyncToken refers to a Kubernetes secret that you have created that contains
# an ACL token for your Consul cluster which allows the sync process the correct
# permissions. This is only needed if ACLs are enabled on the Consul cluster.
aclSyncToken:
secretName: null
secretKey: null
# nodeSelector labels for syncCatalog pod assignment, formatted as a muli-line string.
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
# Example:
# nodeSelector: |
# beta.kubernetes.io/arch: amd64
nodeSelector: null
# Log verbosity level. One of "trace", "debug", "info", "warn", or "error".
logLevel: info
# Override the default interval to perform syncing operations creating Consul services.
consulWriteInterval: null
# ConnectInject will enable the automatic Connect sidecar injector.
connectInject:
# True if you want to enable connect injection. Set to "-" to inherit from
# global.enabled.
enabled: true
image: null # image for consul-k8s that contains the injector
default: false # true will inject by default, otherwise requires annotation
# imageConsul and imageEnvoy can be set to Docker images for Consul and
# Envoy, respectively. If the Consul image is not specified, the global
# default will be used. If the Envoy image is not specified, an early
# version of Envoy will be used.
imageConsul: null
imageEnvoy: null
# namespaceSelector is the selector for restricting the webhook to only
# specific namespaces. This should be set to a multiline string.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
# for more details.
# Example:
# namespaceSelector: |
# matchLabels:
# namespace-label: label-value
namespaceSelector: null
# The certs section configures how the webhook TLS certs are configured.
# These are the TLS certs for the Kube apiserver communicating to the
# webhook. By default, the injector will generate and manage its own certs,
# but this requires the ability for the injector to update its own
# MutatingWebhookConfiguration. In a production environment, custom certs
# should probaly be used. Configure the values below to enable this.
certs:
# secretName is the name of the secret that has the TLS certificate and
# private key to serve the injector webhook. If this is null, then the
# injector will default to its automatic management mode that will assign
# a service account to the injector to generate its own certificates.
secretName: null
# caBundle is a base64-encoded PEM-encoded certificate bundle for the
# CA that signed the TLS certificate that the webhook serves. This must
# be set if secretName is non-null.
caBundle: ""
# certName and keyName are the names of the files within the secret for
# the TLS cert and private key, respectively. These have reasonable
# defaults but can be customized if necessary.
certName: tls.crt
keyName: tls.key
# nodeSelector labels for connectInject pod assignment, formatted as a muli-line string.
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
# Example:
# nodeSelector: |
# beta.kubernetes.io/arch: amd64
nodeSelector: null
# aclBindingRuleSelector accepts a query that defines which Service Accounts
# can authenticate to Consul and receive an ACL token during Connect injection.
# The default setting, i.e. serviceaccount.name!=default, prevents the
# 'default' Service Account from logging in.
# If set to an empty string all service accounts can log in.
# This only has effect if ACLs are enabled.
#
# See https://www.consul.io/docs/acl/acl-auth-methods.html#binding-rules
# and https://www.consul.io/docs/acl/auth-methods/kubernetes.html#trusted-identity-attributes
# for more details.
# Requires Consul >= v1.5 and consul-k8s >= v0.8.0.
aclBindingRuleSelector: "serviceaccount.name!=default"
# If not using global.bootstrapACLs and instead manually setting up an auth
# method for Connect inject, set this to the name of your auth method.
overrideAuthMethodName: ""
# Requires Consul >= v1.5 and consul-k8s >= v0.8.1.
centralConfig:
enabled: false
# defaultProtocol allows you to specify a convenience default protocol if
# most of your services are of the same protocol type. The individual annotation
# on any given pod will override this value. A protocol must be provided,
# either through this setting or individual annotation, for a service to be
# registered correctly. Valid values are "http", "http2", "grpc" and "tcp".
defaultProtocol: null
# proxyDefaults is a raw json string that will be applied to all Connect
# proxy sidecar pods that can include any valid configuration for the
# configured proxy.
proxyDefaults: |
{}
# Mesh Gateways enable Consul Connect to work across Consul datacenters.
meshGateway:
# If mesh gateways are enabled, a Deployment will be created that runs
# gateways and Consul Connect will be configured to use gateways.
# See https://www.consul.io/docs/connect/mesh_gateway.html
# Requirements: consul >= 1.6.0 and consul-k8s >= 0.9.0 if using global.bootstrapACLs.
enabled: false
# Globally configure which mode the gateway should run in.
# Can be set to either "remote", "local", "none" or empty string or null.
# See https://consul.io/docs/connect/mesh_gateway.html#modes-of-operation for
# a description of each mode.
# If set to anything other than "" or null, connectInject.centralConfig.enabled
# should be set to true so that the global config will actually be used.
# If set to the empty string, no global default will be set and the gateway mode
# will need to be set individually for each service.
globalMode: local
# Number of replicas for the Deployment.
replicas: 2
# What gets registered as wan address for the gateway.
wanAddress:
# Port that gets registered.
port: 443
# If true, each Gateway Pod will advertise its NodeIP
# (as provided by the Kubernetes downward API) as the wan address.
# This is useful if the node IPs are routable from other DCs.
# useNodeName and host must be false and "" respectively.
useNodeIP: true
# If true, each Gateway Pod will advertise its NodeName
# (as provided by the Kubernetes downward API) as the wan address.
# This is useful if the node names are DNS entries that are
# routable from other DCs.
# meshGateway.wanAddress.port will be used as the port for the wan address.
# useNodeIP and host must be false and "" respectively.
useNodeName: false
# If set, each gateway Pod will use this host as its wan address.
# Users must ensure that this address routes to the Gateway pods,
# for example via a DNS entry that routes to the Service fronting the Deployment.
# meshGateway.wanAddress.port will be used as the port for the wan address.
# useNodeIP and useNodeName must be false.
host: ""
# The service option configures the Service that fronts the Gateway Deployment.
service:
# Whether to create a Service or not.
enabled: false
# Type of service, ex. LoadBalancer, ClusterIP.
type: ClusterIP
# Port that the service will be exposed on.
# The targetPort will be set to meshGateway.containerPort.
port: 443
# Optional nodePort of the service. Can be used in conjunction with
# type: NodePort.
nodePort: null
# Optional YAML string for additional annotations.
annotations: null
# Optional YAML string that will be appended to the Service spec.
additionalSpec: null
# Envoy image to use.
imageEnvoy: envoyproxy/envoy:v1.10.0
# If set to true, gateway Pods will run on the host network.
hostNetwork: false
# dnsPolicy to use.
dnsPolicy: null
# Override the default 'mesh-gateway' service name registered in Consul.
# Cannot be used if bootstrapACLs is true since the ACL token generated
# is only for the name 'mesh-gateway'.
consulServiceName: ""
# Port that the gateway will run on inside the container.
containerPort: 443
# Optional hostPort for the gateway to be exposed on.
# This can be used with wanAddress.port and wanAddress.useNodeIP
# to expose the gateways directly from the node.
# If hostNetwork is true, this must be null or set to the same port as
# containerPort.
# NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul
# agent.
hostPort: null
# If there are no connect-enabled services running, then the gateway
# will fail health checks. You may disable health checks as a temporary
# workaround.
enableHealthChecks: true
resources: |
requests:
memory: "128Mi"
cpu: "250m"
limits:
memory: "256Mi"
cpu: "500m"
# By default, we set an anti affinity so that two gateway pods won't be
# on the same node. NOTE: Gateways require that Consul client agents are
# also running on the nodes alongside each gateway Pod.
affinity: |
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app: {{ template "consul.name" . }}
release: "{{ .Release.Name }}"
component: mesh-gateway
topologyKey: kubernetes.io/hostname
# Optional YAML string to specify tolerations.
tolerations: null
# Optional YAML string to specify a nodeSelector config.
nodeSelector: null
# Optional priorityClassName.
priorityClassName: ""
# Optional YAML string for additional annotations.
annotations: null
# Control whether a test Pod manifest is generated when running helm template.
# When using helm install, the test Pod is not submitted to the cluster so this
# is only useful when running helm template.
tests:
enabled: true
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment