......@@ -9,26 +9,6 @@ before_script:
- rm /home/gitlab-runner/.docker/config.json || true
- docker-compose -p ${CI_COMMIT_REF_SLUG}-${CI_JOB_ID} down -v
k3s_helm2:
stage: start
variables:
DK: docker-compose -p ${CI_COMMIT_REF_SLUG}-${CI_JOB_ID}
DR: docker-compose -p ${CI_COMMIT_REF_SLUG}-${CI_JOB_ID} run client
script:
- ${DK} pull
- ${DK} up -d server
- sleep 10
- ${DR} kubectl apply -f overlays/k3s/volumes
- ${DR} kubectl apply -f tiller.yaml
- ${DR} helm init --service-account tiller --history-max 1 --upgrade --wait
- ${DR} helm upgrade --wait --timeout 1200 --install --atomic noc noc/
tags:
- shell
artifacts:
paths:
- kubeconfig.yaml
expire_in: 1 hours
k3s_helm3:
stage: start
variables:
......@@ -39,6 +19,7 @@ k3s_helm3:
- ${DK} up -d server
- sleep 10
- ${DR} kubectl apply -f overlays/k3s/volumes
- ${DR} kubectl label nodes --all pool=default
- ${DR} helm3 upgrade --wait --timeout 1200s --install --debug --atomic noc noc --set image.tag=master-dev --set image.pullPolicy=Always
tags:
- shell
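Review bot: The new `helm3 upgrade` line in the `k3s_helm3` hunk deploys with `--set image.tag=master-dev --set image.pullPolicy=Always`, so every run pulls whatever image currently carries that floating tag instead of an artifact tied to the commit under test, which makes the job non-reproducible and lets an unrelated image push change its result. If the image build publishes a per-ref tag, `--set image.tag=${CI_COMMIT_REF_SLUG}` (the variable is already used by `DK`/`DR` in this job) would tie the deployment to the pipeline; if tracking `master-dev` is intentional, a comment on that line saying so would at least record the choice. The added `kubectl label nodes --all pool=default` appears to replace the `--node-label pool=default` removed from the k3s `command:` in the docker-compose change on this page; a comment above it, `# node label formerly set via k3s --node-label in docker-compose`, would make the coupling visible. The `k3s_helm3` job's `variables:` stanza starts before this hunk.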
......@@ -4,9 +4,9 @@ volumes:
kubeconfig: {}
services:
server:
image: rancher/k3s:v0.8.1
image: rancher/k3s:v0.10.2
hostname: k3s
command: server --bind-address server --node-label pool=default --kubelet-arg serialize-image-pulls=true
command: server --bind-address server --kubelet-arg serialize-image-pulls=true
tmpfs:
- /run
- /var/run
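Review bot: The `command:` change for the `server` service drops `--node-label pool=default` without a comment, while the CI hunk on this page adds an explicit `kubectl label nodes --all pool=default`, so the label's origin is now split across two files and easy to lose on a later k3s bump. A comment above the new command line, `# pool=default is applied by the CI job via kubectl label, not via --node-label`, would record where the label now comes from. The old/new side of the two printed pairs is not marked here; this assumes `v0.10.2` and the shorter command are the new side.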
......@@ -3,3 +3,32 @@ appVersion: "19.3.1"
description: A Helm chart for Kubernetes
name: noc
version: 0.2.1
dependencies:
- name: consul
version: 0.8.1
repository: "file://charts/consul-helm"
condition: consul.enabled
- name: clickhouse
version: 0.1.0
repository: "file://charts/clickhouse"
condition: clickhouse.enabled
- name: nsqd
version: 0.1.0
repository: "file://charts/nsqd"
condition: nsqd.enabled
- name: mongodb
version: 7.4.4
repository: "@stable"
condition: mongodb.enabled
- name: postgresql
version: 6.5.5
repository: "@stable"
condition: postgresql.enabled
- name: grafana
version: 4.0.1
repository: "@stable"
.DS_Store
.terraform/
.terraform.tfstate*
terraform.tfstate*
terraform.tfvars
values.dev.yaml
.git/
.terraform/
bin/
test/
## UNRELEASED
## 0.8.1 (May 9, 2019)
IMPROVEMENTS:
* Update default consul-k8s version to 0.8.1 for a central config bug fix
## 0.8.0 (May 8, 2019)
IMPROVEMENTS:
* Support adding a prefix to Kubernetes services registered in Consul [[GH 140](https://github.com/hashicorp/consul-helm/issues/140)]
* Support an option for automatically bootstrapping ACLs in a Consul cluster that is run fully in Kubernetes. If connectInject is enabled with this option on, this also automatically configures a new Kubernetes AuthMethod so that injected services are automatically granted ACL tokens based on their Kubernetes service account.
* Support central service configuration including proxy defaults in Connect (available in Consul 1.5+).
* Remove the `gossipEncryption.enabled` option and instead have the implementation based on the existence of the secretName and secretKey.
## 0.7.0 (March 21, 2019)
IMPROVEMENTS:
* Support pod PriorityClasses for Consul servers and clients
* Add annotation and additional spec values for the UI service
* Add liveness and readiness checks to the catalog sync pod [[consul-k8s GH 57](https://github.com/hashicorp/consul-k8s/issues/57)]
* Support custom annotations for Consul clients and servers
* Support PodSecurityPolicies for Consul components
* Add service accounts and cluster roles/role bindings for each Consul component
* Add the namespace to the metadata volume name
* Support tolerations on Consul client and server pods
* Support gossip protocol encryption
* Allows custom environment variables for Consul client and server pods
* Support nodeSelectors for all components
BUG FIXES:
* Allow setting `extraConfig` variables using Helm's `--set` flag [[GH 74](https://github.com/hashicorp/consul-helm/issues/74)]
* Fix a formatting bug in the enterprise license command
## 0.6.0 (February 8, 2019)
IMPROVEMENTS:
* Supports applying a Consul Enterprise License to the cluster through the Helm chart
* Support assigning an ACL token to the catalog sync process [[GH 26](https://github.com/hashicorp/consul-k8s/issues/26)]
* Updates default `consul` version to `1.4.2` and `consul-k8s` version to `0.5.0`
BUG FIXES:
* Switch the chart labels to a non-changing value to allow helm upgrades [[GH 86](https://github.com/hashicorp/consul-helm/issues/86)]
## 0.5.0 (January 11, 2019)
IMPROVEMENTS:
* Supports new NodePort syncing style that uses the node ip address
* Adds a configurable tab to the Kubernetes -> Consul sync
## 0.4.0 (December 7, 2018)
IMPROVEMENTS:
* RBAC support for `syncCatalog`. This will create the `ClusterRole`, `ClusterRoleBinding`
and `ServiceAccount` that is necessary for the catalog sync. [[GH-20](https://github.com/hashicorp/consul-helm/issues/20)]
* client: agents now have the node name set to the actual K8S node name [[GH-14](https://github.com/hashicorp/consul-helm/issues/14)]
* RBAC support for `connectInject`. This will create a `ClusterRole`, `ClusterRoleBinding`,
and `ServiceAccount` that is necessary for the connect injector to automatically generate
TLS certificates to interact with the Kubernetes API.
* Server affinity is now configurable. This makes it easier to run an entire
Consul cluster on Minikube. [[GH-13](https://github.com/hashicorp/consul-helm/issues/13)]
* Liveness probes are now http calls, reducing errors in the logs.
* All namespaced resources now specify the namespace metadata, making `helm template` usage in
a non-default namespace easier. [[GH-66](https://github.com/hashicorp/consul-helm/issues/66)]
* Add support for ClusterIP service syncing.
BUG FIXES:
* Add catalog sync default behavior flag to the chart [GH-28]
* Updated images to point to latest versions for 0.3.0.
* Add missing continuation characters to long commands [[GH-26](https://github.com/hashicorp/consul-helm/issues/26)].
* connectInject: set the correct namespace for the MutatingWebhookConfiguration
so that deployments work in non-default namespaces. [[GH-38](https://github.com/hashicorp/consul-helm/issues/38)]
* Provide a valid `maxUnavailable` value when replicas=1. [[GH-58](https://github.com/hashicorp/consul-helm/issues/58)]
* Correctly sets server resource requirements.
* Update the `maxUnavailable` default calculation to allow rolling updates on 3 server clusters. [[GH-71](https://github.com/hashicorp/consul-helm/issues/71)]
## 0.3.0 (October 11, 2018)
FEATURES:
* `connectInject` can install the automatic Connect sidecar injector.
## 0.2.0 (September 26, 2018)
FEATURES:
* `syncCatalog` can install the [service catalog sync](https://www.hashicorp.com/blog/consul-and-kubernetes-service-catalog-sync)
functionality.
IMPROVEMENTS:
* server: support `storageClass` [[GH-7](https://github.com/hashicorp/consul-helm/issues/7)]
## 0.1.0
Initial release
apiVersion: v1
name: consul
version: 0.8.1
description: Install and configure Consul on Kubernetes.
home: https://www.consul.io
sources:
- https://github.com/hashicorp/consul
- https://github.com/hashicorp/consul
- https://github.com/hashicorp/consul-k8s
TEST_IMAGE?=consul-helm-test
test-docker:
@docker build --rm -t '$(TEST_IMAGE)' -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR)
.PHONY: test-docker
# Consul Helm Chart
This repository contains the official HashiCorp Helm chart for installing
and configuring Consul on Kubernetes. This chart supports multiple use
cases of Consul on Kubernetes depending on the values provided.
For full documentation on this Helm chart along with all the ways you can
use Consul with Kubernetes, please see the
[Consul and Kubernetes documentation](https://www.consul.io/docs/platform/k8s/index.html).
## Prerequisites
To use the charts here, [Helm](https://helm.sh/) must be installed in your
Kubernetes cluster. Setting up Kubernetes and Helm and is outside the scope
of this README. Please refer to the Kubernetes and Helm documentation.
The versions required are:
* **Helm 2.10+** - This is the earliest version of Helm tested. It is possible
it works with earlier versions but this chart is untested for those versions.
* **Kubernetes 1.9+** - This is the earliest version of Kubernetes tested.
It is possible that this chart works with earlier versions but it is
untested. Other versions verified are Kubernetes 1.10, 1.11.
## Usage
For now, we do not host a chart repository. To use the charts, you must
download this repository and unpack it into a directory. Either
[download a tagged release](https://github.com/hashicorp/consul-helm/releases) or
use `git checkout` to a tagged release.
Assuming this repository was unpacked into the directory `consul-helm`, the chart can
then be installed directly:
helm install ./consul-helm
Please see the many options supported in the `values.yaml`
file. These are also fully documented directly on the
[Consul website](https://www.consul.io/docs/platform/k8s/helm.html).
## Rebasing contributions against master
PRs in this repo are merged using the [`rebase`](https://git-scm.com/docs/git-rebase) method. This keeps
the git history clean by adding the PR commits to the most recent end of the commit history. It also has
the benefit of keeping all the relevant commits for a given PR together, rather than spread throughout the
git history based on when the commits were first created.
If the changes in your PR do not conflict with any of the existing code in the project, then Github supports
automatic rebasing when the PR is accepted into the code. However, if there are conflicts (there will be
a warning on the PR that reads "This branch cannot be rebased due to conflicts"), you will need to manually
rebase the branch on master, fixing any conflicts along the way before the code can be merged.
## Testing
The Helm chart ships with both unit and acceptance tests.
The unit tests don't require any active Kubernetes cluster and complete
very quickly. These should be used for fast feedback during development.
The acceptance tests require a Kubernetes cluster with a configured `kubectl`.
Both require [Bats](https://github.com/bats-core/bats-core) and `helm` to be
installed and available on the CLI. The unit tests also require the correct
version of [yq](https://pypi.org/project/yq/) if running locally.
To run the unit tests:
bats ./test/unit
To run the acceptance tests:
bats ./test/acceptance
If the acceptance tests fail, deployed resources in the Kubernetes cluster
may not be properly cleaned up. We recommend recycling the Kubernetes cluster to
start from a clean slate.
**Note:** There is a Terraform configuration in the
[`test/terraform/`](https://github.com/hashicorp/consul-helm/tree/master/test/terraform) directory
that can be used to quickly bring up a GKE cluster and configure
`kubectl` and `helm` locally. This can be used to quickly spin up a test
cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes
cluster.
### Writing Unit Tests
Changes to the Helm chart should be accompanied by appropriate unit tests.
#### Formatting
- Put tests in the test file in the same order as the variables appear in the `values.yaml`.
- Start tests for a chart value with a header that says what is being tested, like this:
```
#--------------------------------------------------------------------
# annotations
```
- Name the test based on what it's testing in the following format (this will be its first line):
```
@test "<section being tested>: <short description of the test case>" {
```
When adding tests to an existing file, the first section will be the same as the other tests in the file.
#### Test Details
[Bats](https://github.com/bats-core/bats-core) provides a way to run commands in a shell and inspect the output in an automated way.
In all of the tests in this repo, the base command being run is [helm template](https://docs.helm.sh/helm/#helm-template) which turns the templated files into straight yaml output.
In this way, we're able to test that the various conditionals in the templates render as we would expect.
Each test defines the files that should be rendered using the `-x` flag, then it might adjust chart values by adding `--set` flags as well.
The output from this `helm template` command is then piped to [yq](https://pypi.org/project/yq/).
`yq` allows us to pull out just the information we're interested in, either by referencing its position in the yaml file directly or giving information about it (like its length).
The `-r` flag can be used with `yq` to return a raw string instead of a quoted one which is especially useful when looking for an exact match.
The test passes or fails based on the conditional at the end that is in square brackets, which is a comparison of our expected value and the output of `helm template` piped to `yq`.
The `| tee /dev/stderr ` pieces direct any terminal output of the `helm template` and `yq` commands to stderr so that it doesn't interfere with `bats`.
#### Test Examples
Here are some examples of common test patterns:
- Check that a value is disabled by default
```
@test "ui/Service: no type by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/ui-service.yaml \
. | tee /dev/stderr |
yq -r '.spec.type' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
```
In this example, nothing is changed from the default templates (no `--set` flags), then we use `yq` to retrieve the value we're checking, `.spec.type`.
This output is then compared against our expected value (`null` in this case) in the assertion `[ "${actual}" = "null" ]`.
- Check that a template value is rendered to a specific value
```
@test "ui/Service: specified type" {
cd `chart_dir`
local actual=$(helm template \
-x templates/ui-service.yaml \
--set 'ui.service.type=LoadBalancer' \
. | tee /dev/stderr |
yq -r '.spec.type' | tee /dev/stderr)
[ "${actual}" = "LoadBalancer" ]
}
```
This is very similar to the last example, except we've changed a default value with the `--set` flag and correspondingly changed the expected value.
- Check that a template value contains several values
```
@test "syncCatalog/Deployment: to-k8s only" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.toConsul=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-to-consul=false"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.toConsul=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-to-k8s"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
```
In this case, the same command is run twice in the same test.
This can be used to look for several things in the same field, or to check that something is not present that shouldn't be.
*Note:* If testing more than two conditions, it would be good to separate the `helm template` part of the command from the `yq` sections to reduce redundant work.
- Check that an entire template file is not rendered
```
@test "syncCatalog/Deployment: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
```
Here we are check the length of the command output to see if the anything is rendered.
This style can easily be switched to check that a file is rendered instead.
Thank you for installing HashiCorp Consul!
Now that you have deployed Consul, you should look over the docs on using
Consul with Kubernetes available here:
https://www.consul.io/docs/platform/k8s/index.html
Your release is named {{ .Release.Name }}. To learn more about the release, try:
$ helm status {{ .Release.Name }}
$ helm get {{ .Release.Name }}
{{- if (and .Values.global.bootstrapACLs (gt (len .Values.server.extraConfig) 3)) }}
Warning: Defining server extraConfig potentially disrupts the automatic ACL
bootstrapping required settings. This may cause future issues if
there are conflicts.
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to
this (by the DNS naming spec). If release name contains chart name it will
be used as a full name.
*/}}
{{- define "consul.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "consul.chart" -}}
{{- printf "%s-helm" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Expand the name of the chart.
*/}}
{{- define "consul.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Compute the maximum number of unavailable replicas for the PodDisruptionBudget.
This defaults to (n/2)-1 where n is the number of members of the server cluster.
Special case of replica equaling 3 and allowing a minor disruption of 1 otherwise
use the integer value
Add a special case for replicas=1, where it should default to 0 as well.
*/}}
{{- define "consul.pdb.maxUnavailable" -}}
{{- if eq (int .Values.server.replicas) 1 -}}
{{ 0 }}
{{- else if .Values.server.disruptionBudget.maxUnavailable -}}
{{ .Values.server.disruptionBudget.maxUnavailable -}}
{{- else -}}
{{- if eq (int .Values.server.replicas) 3 -}}
{{- 1 -}}
{{- else -}}
{{- sub (div (int .Values.server.replicas) 2) 1 -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Inject extra environment vars in the format key:value, if populated
*/}}
{{- define "consul.extraEnvironmentVars" -}}
{{- if .extraEnvironmentVars -}}
{{- range $key, $value := .extraEnvironmentVars }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "consul.fullname" . }}-client
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if (or .Values.global.enablePodSecurityPolicies .Values.global.bootstrapACLs) }}
rules:
{{- end }}
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
resourceNames:
- {{ template "consul.fullname" . }}-client
verbs:
- use
{{- end }}
{{- if .Values.global.bootstrapACLs }}
- apiGroups: [""]
resources:
- secrets
resourceNames:
- {{ .Release.Name }}-consul-client-acl-token
verbs:
- get
{{- end }}
{{- end }}
{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-client
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "consul.fullname" . }}-client
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-client
namespace: {{ .Release.Namespace }}
{{- end }}
# ConfigMap with extra configuration specified directly to the chart
# for client agents only.
{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "consul.fullname" . }}-client-config
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
extra-from-values.json: |-
{{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }}
{{- if (and .Values.connectInject.enabled .Values.connectInject.centralConfig.enabled) }}
central-config.json: |-
{
"enable_central_service_config": true
}
{{- end }}
{{- end }}
# DaemonSet to run the Consul clients on every node.
{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "consul.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
selector:
matchLabels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: client
hasDNS: "true"
template:
metadata:
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: client
hasDNS: "true"
annotations:
"consul.hashicorp.com/connect-inject": "false"
{{- if .Values.client.annotations }}
{{- tpl .Values.client.annotations . | nindent 8 }}
{{- end }}
spec:
{{- if .Values.client.tolerations }}
tolerations:
{{ tpl .Values.client.tolerations . | nindent 8 | trim }}
{{- end }}
terminationGracePeriodSeconds: 10
serviceAccountName: {{ template "consul.fullname" . }}-client
{{- if .Values.client.priorityClassName }}
priorityClassName: {{ .Values.client.priorityClassName | quote }}
{{- end }}
# Consul agents require a directory for data, even clients. The data
# is okay to be wiped though if the Pod is removed, so just use an
# emptyDir volume.
volumes:
- name: data
emptyDir: {}
- name: config
configMap:
name: {{ template "consul.fullname" . }}-client-config
{{- range .Values.client.extraVolumes }}
- name: userconfig-{{ .name }}
{{ .type }}:
{{- if (eq .type "configMap") }}
name: {{ .name }}
{{- else if (eq .type "secret") }}
secretName: {{ .name }}
{{- end }}
{{- end }}
{{- if .Values.global.bootstrapACLs }}
- name: aclconfig
emptyDir: {}
{{- end }}
containers:
- name: consul
image: "{{ default .Values.global.image .Values.client.image }}"
env:
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: NODE
valueFrom:
fieldRef:
fieldPath: spec.nodeName
{{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
- name: GOSSIP_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.global.gossipEncryption.secretName }}
key: {{ .Values.global.gossipEncryption.secretKey }}
{{- end }}
{{- include "consul.extraEnvironmentVars" .Values.client | nindent 12 }}
command:
- "/bin/sh"
- "-ec"
- |
CONSUL_FULLNAME="{{template "consul.fullname" . }}"
exec /bin/consul agent \
-node="${NODE}" \
-advertise="${POD_IP}" \
-bind=0.0.0.0 \
-client=0.0.0.0 \
{{- if .Values.client.grpc }}
-hcl="ports { grpc = 8502 }" \
{{- end }}
-config-dir=/consul/config \
{{- range .Values.client.extraVolumes }}
{{- if .load }}
-config-dir=/consul/userconfig/{{ .name }} \
{{- end }}
{{- end }}
{{- if .Values.global.bootstrapACLs}}
-config-dir=/consul/aclconfig \
{{- end }}
-datacenter={{ .Values.global.datacenter }} \
-data-dir=/consul/data \
{{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
-encrypt="${GOSSIP_KEY}" \
{{- end }}
{{- if (.Values.client.join) and (gt (len .Values.client.join) 0) }}
{{- range $value := .Values.client.join }}
-retry-join="{{ $value }}" \
{{- end }}
{{- else }}
{{- if .Values.server.enabled }}
{{- range $index := until (.Values.server.replicas | int) }}
-retry-join=${CONSUL_FULLNAME}-server-{{ $index }}.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc \
{{- end }}
{{- end }}
{{- end }}
-domain={{ .Values.global.domain }}
volumeMounts:
- name: data
mountPath: /consul/data
- name: config
mountPath: /consul/config
{{- range .Values.client.extraVolumes }}
- name: userconfig-{{ .name }}
readOnly: true
mountPath: /consul/userconfig/{{ .name }}
{{- end }}
{{- if .Values.global.bootstrapACLs}}
- name: aclconfig
mountPath: /consul/aclconfig
{{- end }}
lifecycle:
preStop:
exec:
command:
- /bin/sh
- -c
- consul leave
ports:
- containerPort: 8500
hostPort: 8500
name: http
- containerPort: 8502
hostPort: 8502
name: grpc
- containerPort: 8301
name: serflan
- containerPort: 8302
name: serfwan
- containerPort: 8300
name: server
- containerPort: 8600
name: dns-tcp
protocol: "TCP"
- containerPort: 8600
name: dns-udp
protocol: "UDP"
readinessProbe:
# NOTE(mitchellh): when our HTTP status endpoints support the
# proper status codes, we should switch to that. This is temporary.
exec:
command:
- "/bin/sh"
- "-ec"
- |
curl http://127.0.0.1:8500/v1/status/leader 2>/dev/null | \
grep -E '".+"'
{{- if .Values.client.resources }}
resources:
{{ tpl .Values.client.resources . | nindent 12 | trim }}
{{- end }}
{{- if .Values.global.bootstrapACLs }}
initContainers:
- name: client-acl-init
image: {{ .Values.global.imageK8S }}
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s acl-init \
-secret-name="{{ .Release.Name }}-consul-client-acl-token" \
-k8s-namespace={{ .Release.Namespace }} \
-init-type="client"
volumeMounts:
- name: aclconfig
mountPath: /consul/aclconfig
{{- end }}
{{- if .Values.client.nodeSelector }}
nodeSelector:
{{ tpl .Values.client.nodeSelector . | indent 8 | trim }}
{{- end }}
{{- end }}
{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "consul.fullname" . }}-client
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
hostNetwork: false
hostPorts:
- min: 8500
max: 8502
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
readOnlyRootFilesystem: false
{{- end }}
{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "consul.fullname" . }}-client
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- end }}
{{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
{{- if .Values.global.bootstrapACLs }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "consul.fullname" . }}-connect-injector-authmethod-role
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: [""]
resources:
- serviceaccounts
verbs:
- get
{{- end }}
{{- end }}
{{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
{{- if .Values.global.bootstrapACLs }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-connect-injector-authmethod-authdelegator-role-binding
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: "system:auth-delegator"
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-connect-injector-authmethod-svc-account
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-connect-injector-authmethod-serviceaccount-role-binding
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "consul.fullname" . }}-connect-injector-authmethod-role
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-connect-injector-authmethod-svc-account
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
{{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
{{- if .Values.global.bootstrapACLs }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "consul.fullname" . }}-connect-injector-authmethod-svc-account
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- end }}
{{- end }}
# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration.
{{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "consul.fullname" . }}-connect-injector-webhook
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs:
- "get"
- "list"
- "watch"
- "patch"
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
resourcesName:
- {{ template "consul.fullname" . }}-connect-injector-webhook
verbs:
- use
{{- end }}
{{- end }}
{{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-connect-injector-webhook-admin-role-binding
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "consul.fullname" . }}-connect-injector-webhook
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account
namespace: {{ .Release.Namespace }}
{{- end }}
# The deployment for running the Connect sidecar injector
{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "consul.fullname" . }}-connect-injector-webhook-deployment
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
replicas: 1
selector:
matchLabels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: connect-injector
template:
metadata:
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: connect-injector
annotations:
"consul.hashicorp.com/connect-inject": "false"
spec:
{{- if not .Values.connectInject.certs.secretName }}
serviceAccountName: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account
{{- end }}
containers:
- name: sidecar-injector
image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}"
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
command:
- "/bin/sh"
- "-ec"
- |
CONSUL_FULLNAME="{{template "consul.fullname" . }}"
consul-k8s inject-connect \
-default-inject={{ .Values.connectInject.default }} \
-consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \
{{ if .Values.connectInject.imageEnvoy -}}
-envoy-image="{{ .Values.connectInject.imageEnvoy }}" \
{{ end -}}
-listen=:8080 \
{{- if .Values.global.bootstrapACLs }}
-acl-auth-method="{{ .Release.Name }}-consul-k8s-auth-method" \
{{- end }}
{{- if .Values.connectInject.centralConfig.enabled }}
-enable-central-config=true \
{{- end }}
{{- if (and .Values.connectInject.centralConfig.enabled .Values.connectInject.centralConfig.defaultProtocol) }}
-default-protocol="{{ .Values.connectInject.centralConfig.defaultProtocol }}" \
{{- end }}
{{- if .Values.connectInject.certs.secretName }}
-tls-cert-file=/etc/connect-injector/certs/{{ .Values.connectInject.certs.certName }} \
-tls-key-file=/etc/connect-injector/certs/{{ .Values.connectInject.certs.keyName }}
{{- else }}
-tls-auto=${CONSUL_FULLNAME}-connect-injector-cfg \
-tls-auto-hosts=${CONSUL_FULLNAME}-connect-injector-svc,${CONSUL_FULLNAME}-connect-injector-svc.${NAMESPACE},${CONSUL_FULLNAME}-connect-injector-svc.${NAMESPACE}.svc
{{- end }}
livenessProbe:
httpGet:
path: /health/ready
port: 8080
scheme: HTTPS
failureThreshold: 2
initialDelaySeconds: 1
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /health/ready
port: 8080
scheme: HTTPS
failureThreshold: 2
initialDelaySeconds: 2
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 5
{{- if .Values.connectInject.certs.secretName }}
volumeMounts:
- name: certs
mountPath: /etc/connect-injector/certs
readOnly: true
volumes:
- name: certs
secret:
secretName: {{ .Values.connectInject.certs.secretName }}
{{- end }}
{{- if .Values.connectInject.nodeSelector }}
nodeSelector:
{{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }}
{{- end }}
{{- end }}
# The MutatingWebhookConfiguration to enable the Connect injector.
{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: {{ template "consul.fullname" . }}-connect-injector-cfg
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
webhooks:
- name: {{ template "consul.fullname" . }}-connect-injector.consul.hashicorp.com
clientConfig:
service:
name: {{ template "consul.fullname" . }}-connect-injector-svc
namespace: {{ .Release.Namespace }}
path: "/mutate"
caBundle: {{ .Values.connectInject.certs.caBundle }}
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
{{- if .Values.connectInject.namespaceSelector }}
namespaceSelector:
{{ tpl .Values.connectInject.namespaceSelector . | indent 6 }}
{{- end }}
{{- end }}
{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "consul.fullname" . }}-connect-injector-webhook
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
readOnlyRootFilesystem: false
{{- end }}
# The service for the Connect sidecar injector
{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "consul.fullname" . }}-connect-injector-svc
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
ports:
- port: 443
targetPort: 8080
selector:
app: {{ template "consul.name" . }}
release: "{{ .Release.Name }}"
component: connect-injector
{{- end }}
{{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- end }}
# Service for Consul DNS.
{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "consul.fullname" . }}-dns
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
ports:
- name: dns-tcp
port: 53
protocol: "TCP"
targetPort: dns-tcp
- name: dns-udp
port: 53
protocol: "UDP"
targetPort: dns-udp
selector:
app: {{ template "consul.name" . }}
release: "{{ .Release.Name }}"
hasDNS: "true"
{{- end }}
{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
{{- if .Values.global.bootstrapACLs }}
{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "consul.fullname" . }}-enterprise-license
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: [""]
resources:
- secrets
resourceNames:
- {{ .Release.Name }}-consul-enterprise-license-acl-token
verbs:
- get
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
{{- if .Values.global.bootstrapACLs }}
{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-enterprise-license
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "consul.fullname" . }}-enterprise-license
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-enterprise-license
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
{{- if .Values.global.bootstrapACLs }}
{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "consul.fullname" . }}-enterprise-license
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "consul.fullname" . }}-license
labels:
app.kubernetes.io/managed-by: {{.Release.Service | quote }}
app.kubernetes.io/instance: {{.Release.Name | quote }}
helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}"
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-weight": "100"
"helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
metadata:
name: {{ template "consul.fullname" . }}-license
labels:
app.kubernetes.io/managed-by: {{.Release.Service | quote }}
app.kubernetes.io/instance: {{.Release.Name | quote }}
helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}"
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: license
spec:
restartPolicy: Never
serviceAccountName: {{ template "consul.fullname" . }}-enterprise-license
containers:
- name: apply-enterprise-license
image: "{{ default .Values.global.image .Values.server.image }}"
env:
- name: ENTERPRISE_LICENSE
valueFrom:
secretKeyRef:
name: {{ .Values.server.enterpriseLicense.secretName }}
key: {{ .Values.server.enterpriseLicense.secretKey }}
- name: CONSUL_HTTP_ADDR
value: http://{{ template "consul.fullname" . }}-server:8500
{{- if .Values.global.bootstrapACLs }}
- name: CONSUL_HTTP_TOKEN
valueFrom:
secretKeyRef:
name: "{{ .Release.Name }}-consul-enterprise-license-acl-token"
key: "token"
{{- end}}
command:
- "/bin/sh"
- "-ec"
- |
consul license put "${ENTERPRISE_LICENSE}"
{{- if .Values.global.bootstrapACLs }}
initContainers:
- name: ent-license-acl-init
image: {{ .Values.global.imageK8S }}
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s acl-init \
-secret-name="{{ .Release.Name }}-consul-enterprise-license-acl-token" \
-k8s-namespace={{ .Release.Namespace }} \
-init-type="sync"
{{- end }}
{{- end }}
{{- end }}
{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
{{- if .Values.global.bootstrapACLs }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "consul.fullname" . }}-server-acl-init
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: [""]
resources:
- pods
verbs:
- list
- apiGroups: [""]
resources:
- secrets
verbs:
- create
- get
{{- if .Values.connectInject.enabled }}
- apiGroups: [""]
resources:
- serviceaccounts
verbs:
- get
- apiGroups: [""]
resources:
- services
verbs:
- get
{{- end }}
{{- end }}
{{- end }}
{{- end }}
\ No newline at end of file
{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
{{- if .Values.global.bootstrapACLs }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-server-acl-init
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "consul.fullname" . }}-server-acl-init
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-server-acl-init
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
{{- end }}
\ No newline at end of file
{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
{{- if .Values.global.bootstrapACLs }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "consul.fullname" . }}-server-acl-init
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-weight": "0"
"helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
metadata:
name: {{ template "consul.fullname" . }}-server-acl-init
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: server-acl-init
annotations:
"consul.hashicorp.com/connect-inject": "false"
spec:
restartPolicy: Never
serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init
containers:
- name: post-install-job
image: {{ .Values.global.imageK8S }}
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s server-acl-init \
-release-name={{ .Release.Name }} \
-k8s-namespace={{ .Release.Namespace }} \
{{- if .Values.syncCatalog.enabled }}
-create-sync-token=true \
{{- end }}
{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.global.enabled)) }}
-allow-dns=true \
{{- end }}
{{- if .Values.connectInject.enabled }}
-create-inject-token=true \
{{- end }}
{{- if .Values.connectInject.aclBindingRuleSelector }}
-acl-binding-rule-selector={{ .Values.connectInject.aclBindingRuleSelector }} \
{{- end }}
{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
-create-enterprise-license-token=true \
{{- end }}
-expected-replicas={{ .Values.server.replicas }}
{{- end }}
{{- end }}
{{- end }}