Merge pull request hashicorp#1127 from hashicorp/ishustava/refactor-t…
…ls-config

refactor: move server config from command flags to configmap
ishustava authored Apr 11, 2022
2 parents 4025eb5 + 69995ea commit 857a6b5
Showing 4 changed files with 377 additions and 315 deletions.
74 changes: 70 additions & 4 deletions charts/consul/templates/server-config-configmap.yaml
Expand Up @@ -12,6 +12,24 @@ metadata:
release: {{ .Release.Name }}
component: server
data:
server.json: |
{
"bind_addr": "0.0.0.0",
"bootstrap_expect": {{ if .Values.server.bootstrapExpect }}{{ .Values.server.bootstrapExpect }}{{ else }}{{ .Values.server.replicas }}{{ end }},
"client_addr": "0.0.0.0",
"connect": {
"enabled": {{ .Values.server.connect }}
},
"datacenter": "{{ .Values.global.datacenter }}",
"data_dir": "/consul/data",
"domain": "{{ .Values.global.domain }}",
"ports": {
"serf_lan": {{ .Values.server.ports.serflan.port }}
},
"recursors": {{ .Values.global.recursors | toJson }},
"retry_join": ["{{template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:{{ .Values.server.ports.serflan.port }}"],
"server": true
}
{{- $vaultConnectCAEnabled := and .Values.global.secretsBackend.vault.connectCA.address .Values.global.secretsBackend.vault.connectCA.rootPKIPath .Values.global.secretsBackend.vault.connectCA.intermediatePKIPath -}}
{{- if and .Values.global.secretsBackend.vault.enabled $vaultConnectCAEnabled }}
{{- with .Values.global.secretsBackend.vault }}
Expand Down Expand Up @@ -62,15 +80,52 @@ data:
}
}
{{- end }}
{{- if (and .Values.ui.enabled (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString))))) }}
{{- if .Values.global.tls.enabled }}
tls-config.json: |-
{
{{- if .Values.global.secretsBackend.vault.enabled }}
"ca_file": "/vault/secrets/serverca.crt",
"cert_file": "/vault/secrets/servercert.crt",
"key_file": "/vault/secrets/servercert.key",
{{- else }}
"ca_file": "/consul/tls/ca/tls.crt",
"cert_file": "/consul/tls/server/tls.crt",
"key_file": "/consul/tls/server/tls.key",
{{- end }}
{{- if .Values.global.tls.enableAutoEncrypt }}
"auto_encrypt": {
"allow_tls": true
},
{{- end }}
{{- if .Values.global.tls.verify }}
"verify_incoming_rpc": true,
"verify_outgoing": true,
"verify_server_hostname": true,
{{- end }}
"ports": {
{{- if .Values.global.tls.httpsOnly }}
"http": -1,
{{- end }}
"https": 8501
}
}
{{- end }}
{{- if .Values.ui.enabled }}
ui-config.json: |-
{
"ui_config": {
"enabled": true,
{{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }}
"metrics_provider": "{{ .Values.ui.metrics.provider }}",
"metrics_proxy": {
"base_url": "{{ .Values.ui.metrics.baseURL }}"
}
},
{{- end }}
{{- if .Values.ui.dashboardURLTemplates.service }}
"dashboard_url_templates": {
"service": "{{ .Values.ui.dashboardURLTemplates.service }}"
},
{{- end }}
"enabled": true
}
}
{{- end }}
Expand All @@ -82,7 +137,18 @@ data:
federation-config.json: |-
{
"primary_datacenter": "{{ .Values.global.federation.primaryDatacenter }}",
"primary_gateways": {{ .Values.global.federation.primaryGateways | toJson }}
"primary_gateways": {{ .Values.global.federation.primaryGateways | toJson }},
"connect": {
"enable_mesh_gateway_wan_federation": true
}
}
{{- end }}
{{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }}
telemetry-config.json: |-
{
"telemetry": {
"prometheus_retention_time": "{{ .Values.global.metrics.agentMetricsRetentionTime }}"
}
}
{{- end }}
{{- end }}
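Review bot: The scalars interpolated inside JSON string literals in server.json and ui-config.json — `"datacenter": "{{ .Values.global.datacenter }}"`, `"domain"`, `"metrics_provider"`, `"base_url"` and `"service"` — are not JSON-escaped, so a value containing a double quote or backslash yields an invalid config file and the server will not start, whereas `recursors` and `primary_gateways` in the same file already go through `toJson`. Values come from values.yaml, so this is a robustness rather than an injection concern, but rendering them the same way, e.g. `"datacenter": {{ .Values.global.datacenter | toJson }},` and `"base_url": {{ .Values.ui.metrics.baseURL | toJson }}`, keeps the file consistent and makes the quoting safe for any string. Separately, tls-config.json sets `verify_incoming_rpc` but not `verify_incoming_https`, which as I read Consul's TLS options means the HTTPS API on 8501 still accepts clients without a certificate; that mirrors the flags being replaced, but a template comment such as `{{- /* Only server RPC requires client certs; the HTTPS API relies on ACL tokens for authn */ }}` above the verify block would stop the block being mistaken for full mutual TLS.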
61 changes: 1 addition & 60 deletions charts/consul/templates/server-statefulset.yaml
Expand Up @@ -205,10 +205,6 @@ spec:
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CONSUL_DISABLE_PERM_MGMT
value: "true"
{{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }}
Expand Down Expand Up @@ -262,8 +258,6 @@ spec:
- "/bin/sh"
- "-ec"
- |
CONSUL_FULLNAME="{{template "consul.fullname" . }}"
{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }}
GOSSIP_KEY=`cat /vault/secrets/gossip.txt`
{{- end }}
Expand All @@ -276,69 +270,17 @@ spec:
exec /usr/local/bin/docker-entrypoint.sh consul agent \
-advertise="${ADVERTISE_IP}" \
-bind=0.0.0.0 \
-bootstrap-expect={{ if .Values.server.bootstrapExpect }}{{ .Values.server.bootstrapExpect }}{{ else }}{{ .Values.server.replicas }}{{ end }} \
{{- if .Values.global.tls.enabled }}
{{- if .Values.global.secretsBackend.vault.enabled }}
-hcl='ca_file = "/vault/secrets/serverca.crt"' \
-hcl='cert_file = "/vault/secrets/servercert.crt"' \
-hcl='key_file = "/vault/secrets/servercert.key"' \
{{- else }}
-hcl='ca_file = "/consul/tls/ca/tls.crt"' \
-hcl='cert_file = "/consul/tls/server/tls.crt"' \
-hcl='key_file = "/consul/tls/server/tls.key"' \
{{- end }}
{{- if .Values.global.tls.enableAutoEncrypt }}
-hcl='auto_encrypt = {allow_tls = true}' \
{{- end }}
{{- if .Values.global.tls.verify }}
-hcl='verify_incoming_rpc = true' \
-hcl='verify_outgoing = true' \
-hcl='verify_server_hostname = true' \
{{- end }}
-hcl='ports { https = 8501 }' \
{{- if .Values.global.tls.httpsOnly }}
-hcl='ports { http = -1 }' \
{{- end }}
{{- end }}
-client=0.0.0.0 \
-config-dir=/consul/config \
-datacenter={{ .Values.global.datacenter }} \
-data-dir=/consul/data \
-domain={{ .Values.global.domain }} \
{{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }}
-encrypt="${GOSSIP_KEY}" \
{{- end }}
{{- if .Values.server.connect }}
-hcl="connect { enabled = true }" \
{{- end }}
{{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }}
-hcl='telemetry { prometheus_retention_time = "{{ .Values.global.metrics.agentMetricsRetentionTime }}" }' \
{{- end }}
{{- if .Values.global.federation.enabled }}
-hcl="connect { enable_mesh_gateway_wan_federation = true }" \
{{- end }}
{{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }}
{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.acls.createReplicationToken)) }}
-config-file=/vault/secrets/replication-token-config.hcl \
{{- else }}
-hcl="acl { tokens { agent = \"${ACL_REPLICATION_TOKEN}\", replication = \"${ACL_REPLICATION_TOKEN}\" } }" \
{{- end }}
{{- end }}
{{- if .Values.ui.enabled }}
-ui \
{{- if .Values.ui.dashboardURLTemplates.service }}
-hcl='ui_config { dashboard_url_templates { service = "{{ .Values.ui.dashboardURLTemplates.service }}" } }' \
{{- end }}
{{- end }}
{{- $serverSerfLANPort := .Values.server.ports.serflan.port -}}
{{- range $index := until (.Values.server.replicas | int) }}
-retry-join="${CONSUL_FULLNAME}-server-{{ $index }}.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:{{ $serverSerfLANPort }}" \
{{- end }}
-serf-lan-port={{ .Values.server.ports.serflan.port }} \
{{- range $value := .Values.global.recursors }}
-recursor={{ quote $value }} \
{{- end }}
{{- if (and .Values.dns.enabled .Values.dns.enableRedirection) }}
$recursor_flags \
{{- end }}
Expand All @@ -355,8 +297,7 @@ spec:
-config-dir=/consul/userconfig/{{ .name }} \
{{- end }}
{{- end }}
-config-file=/consul/extra-config/extra-from-values.json \
-server
-config-file=/consul/extra-config/extra-from-values.json
volumeMounts:
- name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }}
mountPath: /consul/data
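Review bot: The ACL replication token is still passed on the command line in the non-Vault branch, `-hcl="acl { tokens { agent = \"${ACL_REPLICATION_TOKEN}\", replication = \"${ACL_REPLICATION_TOKEN}\" } }"`, so after this refactor it is the one piece of configuration that remains readable from the consul process's argv (`/proc/<pid>/cmdline`, `ps` on the node) while everything else moved into the ConfigMap. That is pre-existing, but the Vault branch directly above already uses `-config-file=/vault/secrets/replication-token-config.hcl`, and the same shape works here: have the shell preamble write the token into a 0600 file and pass that path, e.g. `umask 077; printf 'acl { tokens { agent = "%s", replication = "%s" } }\n' "$ACL_REPLICATION_TOKEN" "$ACL_REPLICATION_TOKEN" > /consul/tmp/acl-token.hcl` followed by `-config-file=/consul/tmp/acl-token.hcl \`. The target path must be a writable (emptyDir-backed) mount, which this hunk does not show, and where ACL_REPLICATION_TOKEN is populated is outside the hunk, so both need confirming. The `exec ... consul agent` command begins inside the hunk, but the container spec continues below.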