diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
index bb8a77c261..5d77b50b00 100644
--- a/charts/consul/values.yaml
+++ b/charts/consul/values.yaml
@@ -138,58 +138,60 @@ global:
 enabled: false
 # The Vault role for the Consul server.
- # The role must be connected to the Consul server's service account and
- # have a policy with read capabilities for the following secrets:
- # - gossip encryption key defined by `global.gossipEncryption.secretName`
- # - certificate issue path defined by `server.serverCert.secretName`
- # - CA certificate defined by `global.tls.caCert.secretName`
- # - replication token defined by `global.acls.replicationToken.secretName` if `global.federation.enabled` is `true`
+ # The role must be connected to the Consul server's service account.
+ # The role must also have a policy with read capabilities for the following secrets:
+ # - gossip encryption key defined by the `global.gossipEncryption.secretName` value
+ # - certificate issue path defined by the `server.serverCert.secretName` value
+ # - CA certificate defined by the `global.tls.caCert.secretName` value
+ # - replication token defined by the `global.acls.replicationToken.secretName` value if `global.federation.enabled` is `true`
 # To discover the service account name of the Consul server, run
- # ```shell-session
- # $ helm template --show-only templates/server-serviceaccount.yaml hashicorp/consul
- # ```
+ # ```shell-session
+ # $ helm template --show-only templates/server-serviceaccount.yaml hashicorp/consul
+ # ```
 # and check the name of `metadata.name`.
 consulServerRole: ""
 # The Vault role for the Consul client.
- # The role must be connected to the Consul client's service account and
- # have a policy with read capabilities for the following secrets:
- # - gossip encryption key defined by `global.gossipEncryption.secretName`.
+ # The role must be connected to the Consul client's service account.
+ # The role must also have a policy with read capabilities for the gossip encryption
+ # key defined by the `global.gossipEncryption.secretName` value.
# To discover the service account name of the Consul client, run
- # ```shell-session
- # $ helm template --show-only templates/client-serviceaccount.yaml hashicorp/consul
- # ```
+ # ```shell-session
+ # $ helm template --show-only templates/client-serviceaccount.yaml hashicorp/consul
+ # ```
 # and check the name of `metadata.name`.
 consulClientRole: ""
 # [Enterprise Only] The Vault role for the Consul client snapshot agent.
- # The role must be connected to the Consul client snapshot agent's service account and
- # have a policy with read capabilities for the snapshot agent config defined by `client.snapshotAgent.configSecret.secretName`.
+ # The role must be connected to the Consul client snapshot agent's service account.
+ # The role must also have a policy with read capabilities for the snapshot agent config
+ # defined by the `client.snapshotAgent.configSecret.secretName` value.
 # To discover the service account name of the Consul client, run
- # ```shell-session
- # $ helm template --show-only templates/client-snapshot-agent-serviceaccount.yaml --set client.snapshotAgent.enabled=true hashicorp/consul
- # ```
+ # ```shell-session
+ # $ helm template --show-only templates/client-snapshot-agent-serviceaccount.yaml --set client.snapshotAgent.enabled=true hashicorp/consul
+ # ```
 # and check the name of `metadata.name`.
 consulSnapshotAgentRole: ""
- # A Vault role to allow Kubernetes job that manages ACLs for this Helm chart (`server-acl-init`)
- # to read and update Vault secrets for the Consul's bootstrap, replication or partition tokens.
- # This role must be bound the `server-acl-init`'s service account.
+ # A Vault role for the Consul `server-acl-init` job, which manages setting ACLs so that clients and components can obtain ACL tokens.
+ # The role must be connected to the `server-acl-init` job's service account.
+ # The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens
 # To discover the service account name of the `server-acl-init` job, run
- # ```shell-session
- # $ helm template --show-only templates/server-acl-init-serviceaccount.yaml \
- # --set global.acls.manageSystemACLs=true hashicorp/consul
- # ```
+ # ```shell-session
+ # $ helm template --show-only templates/server-acl-init-serviceaccount.yaml \
+ # --set global.acls.manageSystemACLs=true hashicorp/consul
+ # ```
 # and check the name of `metadata.name`.
 manageSystemACLsRole: ""
- # [Enterprise Only] A Vault role to allow Kubernetes job that creates a Consul partition for this Helm chart (`partition-init`)
- # to read Vault secret for the partition ACL token.
- # This role must be bound the `partition-init`'s service account.
+ # [Enterprise Only] A Vault role that allows the Consul `partition-init` job to read a Vault secret for the partition ACL token.
+ # The `partition-init` job bootstraps Admin Partitions on Consul servers.
+ # .
+ # This role must be bound the `partition-init` job's service account.
 # To discover the service account name of the `partition-init` job, run with Helm values for the client cluster:
- # ```shell-session
- # $ helm template --show-only templates/partition-init-serviceaccount.yaml -f client-cluster-values.yaml hashicorp/consul
- # ```
+ # ```shell-session
+ # $ helm template --show-only templates/partition-init-serviceaccount.yaml -f client-cluster-values.yaml hashicorp/consul
+ # ```
 # and check the name of `metadata.name`.
 adminPartitionsRole: ""
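Review bot: The new `partition-init` comment in this hunk carries a stray `# .` line, and the sentence `This role must be bound the `partition-init` job's service account` is missing a word; the other role comments in the hunk were rewritten to the form `The role must be connected to the ... service account.`, so these two lines should collapse to `# The role must be connected to the `partition-init` job's service account.` The added `manageSystemACLsRole` sentence `The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens` has no terminal period and, unlike the `consulServerRole` list above it, does not name the `secretName` values of `bootstrapToken`, `replicationToken` and `partitionToken` that define those secrets, so a reader auditing the Vault policy cannot match the stated read/write scope against a path. Listing the three values the way the server role does would make this role's write scope checkable.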
@@ -215,10 +217,10 @@ global:
 # Configuration for Vault server CA certificate. This certificate will be mounted
 # to any pod where Vault agent needs to run.
 ca:
- # secretName is the name of the Kubernetes secret that holds the Vault CA certificate.
+ # The name of the Kubernetes or Vault secret that holds the Vault CA certificate.
 # A Kubernetes secret must be in the same namespace that Consul is installed into.
 secretName: ""
- # secretKey is the key within the Kubernetes secret that holds the Vault CA certificate.
+ # The key within the Kubernetes or Vault secret that holds the Vault CA certificate.
 secretKey: ""
 # Configuration for the Vault Connect CA provider.
@@ -284,12 +286,12 @@ global:
 # `gossipEncryption.secretKey="key"`
 gossipEncryption:
- # Automatically generate a gossip encryption key and save it to a Kubernetes secret.
+ # Automatically generate a gossip encryption key and save it to a Kubernetes or Vault secret.
 autoGenerate: false
- # secretName is the name of the Kubernetes secret or Vault secret path that holds the gossip
+ # The name of the Kubernetes secret or Vault secret path that holds the gossip
 # encryption key. A Kubernetes secret must be in the same namespace that Consul is installed into.
 secretName: ""
- # secretKey is the key within the Kubernetes secret or Vault secret key that holds the gossip
+ # The key within the Kubernetes secret or Vault secret key that holds the gossip
 # encryption key.
 secretKey: ""
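Review bot: The rewritten `ca.secretName` comment in the `@@ -215` hunk now says the Vault CA certificate can live in a `Kubernetes or Vault secret`, but this is the certificate the Vault agent needs before it can reach Vault at all, and the surviving next line still says `A Kubernetes secret must be in the same namespace that Consul is installed into.` Unless the chart really supports fetching this one certificate from Vault, the previous `Kubernetes secret` wording was the accurate one, and the `secretKey` comment below it has the same problem; I would keep `# The name of the Kubernetes secret that holds the Vault CA certificate.` and `# The key within the Kubernetes secret that holds the Vault CA certificate.`. The `@@ -284` hunk on this line changes `autoGenerate` to say the generated key is saved to `a Kubernetes or Vault secret`; that also deserves a check against what the chart's generation job actually writes to, since a wrong claim here tells operators a key is protected by Vault when it is not.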
@@ -351,12 +353,14 @@ global:
 # This will be consumed by the `global.secretsBackend.vault.consulCARole` role by all Consul components.
 # When using Vault the secretKey is not used.
 caCert:
- # The name of the Kubernetes secret.
+ # The name of the Kubernetes or Vault secret that holds the CA certificate.
+ # @type: string
 secretName: null
- # The key of the Kubernetes secret.
+ # The key within the Kubernetes or Vault secret that holds the CA certificate.
+ # @type: string
 secretKey: null
- # A Kubernetes secret containing the private key of the CA to use for
+ # A Kubernetes or Vault secret containing the private key of the CA to use for
 # TLS communication within the Consul cluster. If you have generated the CA yourself
 # with the consul CLI, you could use the following command to create the secret
 # in Kubernetes:
@@ -371,9 +375,11 @@ global:
 # as Subject Alternative Names. In the future, we may support bringing your own server
 # certificates.
 caKey:
- # The name of the Kubernetes secret.
+ # The name of the Kubernetes or Vault secret that holds the CA key.
+ # @type: string
 secretName: null
- # The key of the Kubernetes secret.
+ # The key within the Kubernetes or Vault secret that holds the CA key.
+ # @type: string
 secretKey: null
 # [Enterprise Only] `enableConsulNamespaces` indicates that you are running
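Review bot: The new `caCert.secretKey` comment `The key within the Kubernetes or Vault secret that holds the CA certificate.` contradicts the context line kept two lines above it, `When using Vault the secretKey is not used.`, and the `caKey` hunk on this line repeats the same wording. Either the new comment should scope the key to the Kubernetes case, e.g. `# The key within the Kubernetes secret that holds the CA certificate. Not used when the certificate is read from Vault.`, or the older line should be removed if it no longer holds. As written, an operator configuring the Vault path cannot tell whether leaving `secretKey` as `null` is correct or will cause the CA to fail to load.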
@@ -392,14 +398,14 @@ global:
 # This requires Consul >= 1.4.
 manageSystemACLs: false
- # A Kubernetes secret containing the bootstrap token to use for
+ # A Kubernetes or Vault secret containing the bootstrap token to use for
 # creating policies and tokens for all Consul and consul-k8s-control-plane components.
 # If set, we will skip ACL bootstrapping of the servers and will only
 # initialize ACLs for the Consul clients and consul-k8s-control-plane system components.
 bootstrapToken:
- # The name of the Kubernetes secret.
+ # The name of the Kubernetes or Vault secret that holds the bootstrap token.
 secretName: null
- # The key of the Kubernetes secret.
+ # The key within the Kubernetes or Vault secret that holds the bootstrap token.
 secretKey: null
 # If true, an ACL token will be created that can be used in secondary
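Review bot: `bootstrapToken.secretName` and `secretKey` receive the `Kubernetes or Vault` wording but not the `# @type: string` annotation that this commit adds to `replicationToken`, `partitionToken`, `caCert`, `caKey` and `enterpriseLicense`, so the generated values reference will be inconsistent for the one token whose header says it is used `for creating policies and tokens for all Consul and consul-k8s-control-plane components`. Adding `# @type: string` directly above each of the two `null` lines here matches the sibling blocks. The highest-privilege credential in the chart should have documentation at least as complete as the others.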
@@ -415,34 +421,41 @@ global:
 # and create ACL tokens and policies.
 # This value is ignored if `bootstrapToken` is also set.
 replicationToken:
- # The name of the Kubernetes secret or the path of the secret in Vault.
+ # The name of the Kubernetes or Vault secret that holds the replication token.
+ # @type: string
 secretName: null
- # The key of the Kubernetes or Vault secret.
+ # The key within the Kubernetes or Vault secret that holds the replication token.
+ # @type: string
 secretKey: null
 # partitionToken references a Vault secret containing the ACL token to be used in non-default partitions.
 # This value should only be provided in the default partition and only when setting
- # `global.secretsBackend.vault.enabled` to true.
- # We will use the value of the secret stored in Vault to create an ACL token in Consul with the value of the
+ # the `global.secretsBackend.vault.enabled` value to true.
+ # Consul will use the value of the secret stored in Vault to create an ACL token in Consul with the value of the
 # secret as the secretID for the token.
 # In non-default, partitions set this secret as the `bootstrapToken`.
 partitionToken:
- # The name of the path of the secret in Vault.
+ # The name of the Vault secret that holds the partition token.
+ # @type: string
 secretName: null
- # The key of the Vault secret.
+ # The key within the Vault secret that holds the parition token.
+ # @type: string
 secretKey: null
- # [Enterprise Only] This value refers to a Kubernetes secret that you have created
+
+ # [Enterprise Only] This value refers to a Kubernetes or Vault secret that you have created
 # that contains your enterprise license. It is required if you are using an
 # enterprise binary. Defining it here applies it to your cluster once a leader
 # has been elected. If you are not using an enterprise image or if you plan to
 # introduce the license key via another route, then set these fields to null.
# Note: the job to apply license runs on both Helm installs and upgrades.
 enterpriseLicense:
- # secretName is the name of the Kubernetes secret or Vault secret path that holds the enterprise license.
+ # The name of the Kubernetes or Vault secret that holds the enterprise license.
 # A Kubernetes secret must be in the same namespace that Consul is installed into.
+ # @type: string
 secretName: null
- # secretKey is the key within the Kubernetes secret or Vault secret key that holds the enterprise license.
+ # The key within the Kubernetes or Vault secret that holds the enterprise license.
+ # @type: string
 secretKey: null
 # Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+.
 enableLicenseAutoload: true
@@ -617,7 +630,8 @@ server:
 # Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine
 # must be provided.
 serverCert:
- # The name of the Kubernetes secret or Vault secret path containing the PEM encoded server certificate.
+ # The name of the Vault secret that holds the PEM encoded server certificate.
+ # @type: string
 secretName: null
 # Exposes the servers' gossip and RPC ports as hostPorts. To enable a client
@@ -1051,7 +1065,7 @@ client:
 # @type: string
 annotations: null
- # Resource settings for Client agents.
+ # The resource settings for Client agents.
 # NOTE: The use of a YAML string is deprecated. Instead, set directly as a
 # YAML map.
 # @recurse: false
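Review bot: The new `partitionToken.secretKey` comment in the `@@ -415` hunk has a typo, `parition`; it should read `# The key within the Vault secret that holds the partition token.` The rest of that hunk, including the `# @type: string` annotations, is consistent with the sibling blocks. The hunk starts on the previous line.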
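Review bot: In the `@@ -617` hunk `serverCert.secretName` is narrowed from `Kubernetes secret or Vault secret path` to `Vault secret` only, which silently drops documentation of the Kubernetes-secret option if the chart still accepts it; the same narrowing is made for `aclSyncToken` (`@@ -1651`), `aclInjectToken` (`@@ -1973`) and the controller `aclToken` (`@@ -2087`), where the old text named only a Kubernetes secret. If both backends remain valid for these values, the wording the commit uses for `bootstrapToken` and `replicationToken`, `The name of the Kubernetes or Vault secret that holds ...`, should be applied here too. If one of them is genuinely Vault-only, a one-line note saying the Kubernetes secret is not read would stop operators from configuring a secret that is ignored and believing it is in effect. Whichever is true, the four blocks should agree with each other.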
@@ -1284,9 +1298,11 @@ client:
 # credentials present. Please see Snapshot agent config (https://consul.io/commands/snapshot/agent#config-file-options)
 # for details.
 configSecret:
- # secretName is the name of the Kubernetes secret or Vault secret path that holds the snapshot agentconfig.
+ # The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config.
+ # @type: string
 secretName: null
- # secretKey is the key within the Kubernetes secret or Vault secret key that holds the snapshot agentconfig.
+ # The key within the Kubernetes secret or Vault secret key that holds the snapshot agent config.
+ # @type: string
 secretKey: null
 serviceAccount:
@@ -1302,7 +1318,7 @@ client:
 # @type: string
 annotations: null
- # Resource settings for snapshot agent pods.
+ # The resource settings for snapshot agent pods.
 # @recurse: false
 # @type: map
 resources:
@@ -1651,9 +1667,11 @@ syncCatalog:
 # an ACL token for your Consul cluster which allows the sync process the correct
 # permissions. This is only needed if ACLs are enabled on the Consul cluster.
 aclSyncToken:
- # The name of the Kubernetes secret.
+ # The name of the Vault secret that holds the acl sync token.
+ # @type: string
 secretName: null
- # The key of the Kubernetes secret.
+ # The key within the Vault secret that holds the acl sync.
+ # @type: string
 secretKey: null
 # This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
@@ -1693,7 +1711,7 @@ syncCatalog:
 # @type: string
 annotations: null
- # Resource settings for sync catalog pods.
+ # The resource settings for sync catalog pods.
 # @recurse: false
 # @type: map
 resources:
@@ -1830,7 +1848,7 @@ connectInject:
 # @type: string
 annotations: null
- # Resource settings for connect inject pods.
+ # The resource settings for connect inject pods.
 # @recurse: false
 # @type: map
 resources:
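Review bot: The new `aclSyncToken.secretKey` comment in the `@@ -1651` hunk is truncated, `The key within the Vault secret that holds the acl sync.`, and should read `# The key within the Vault secret that holds the ACL sync token.`; the `secretName` line above it should use `ACL` as well, matching `ACL inject token` and `ACL token` in the later hunks. The `@@ -1284` hunk on this line fixes the `agentconfig` typo but keeps the `Kubernetes secret or Vault secret path` / `Vault secret key` phrasing that the rest of the commit replaced with `Kubernetes or Vault secret`; one form should be used throughout so the values reference reads consistently.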
@@ -1973,10 +1991,10 @@ connectInject:
 # This token needs to have `operator = "write"` privileges to be able to
 # create Consul namespaces.
 aclInjectToken:
- # The name of the Kubernetes secret.
+ # The name of the Vault secret that holds the ACL inject token.
 # @type: string
 secretName: null
- # The key of the Kubernetes secret.
+ # The key within the Vault secret that holds the ACL inject token.
 # @type: string
 secretKey: null
@@ -2006,7 +2024,7 @@ connectInject:
 # @type: string
 cpu: null
- # Resource settings for the Connect injected init container.
+ # The resource settings for the Connect injected init container.
 # @recurse: false
 # @type: map
 initContainer:
@@ -2045,7 +2063,7 @@ controller:
 # @type: string
 annotations: null
- # Resource settings for controller pods.
+ # The resource settings for controller pods.
 # @recurse: false
 # @type: map
 resources:
@@ -2087,10 +2105,10 @@ controller:
 # ```
 # If running Consul Enterprise, talk to your account manager for assistance.
 aclToken:
- # The name of the Kubernetes secret.
+ # The name of the Vault secret that holds the ACL token.
 # @type: string
 secretName: null
- # The key of the Kubernetes secret.
+ # The key within the Vault secret that holds the ACL token.
 # @type: string
 secretKey: null
@@ -2217,7 +2235,7 @@ meshGateway:
 # @type: string
 annotations: null
- # Resource settings for mesh gateway pods.
+ # The resource settings for mesh gateway pods.
 # NOTE: The use of a YAML string is deprecated. Instead, set directly as a
 # YAML map.
 # @recurse: false
@@ -2230,7 +2248,7 @@ meshGateway:
 memory: "100Mi"
 cpu: "100m"
- # Resource settings for the `copy-consul-bin` init container.
+ # The resource settings for the `copy-consul-bin` init container.
 # @recurse: false
 # @type: map
 initCopyConsulContainer:
@@ -2242,7 +2260,7 @@ meshGateway:
 memory: "150Mi"
 cpu: "50m"
- # Resource settings for the `service-init` init container.
+ # The resource settings for the `service-init` init container.
 # @recurse: false
 # @type: map
 initServiceInitContainer:
@@ -2372,7 +2390,7 @@ ingressGateways:
 memory: "100Mi"
 cpu: "100m"
- # Resource settings for the `copy-consul-bin` init container.
+ # The resource settings for the `copy-consul-bin` init container.
 # @recurse: false
 # @type: map
 initCopyConsulContainer:
@@ -2485,7 +2503,7 @@ terminatingGateways:
 memory: "100Mi"
 cpu: "100m"
- # Resource settings for the `copy-consul-bin` init container.
+ # The resource settings for the `copy-consul-bin` init container.
 # @recurse: false
 # @type: map
 initCopyConsulContainer:
@@ -2695,7 +2713,7 @@ apiGateway:
 # @type: string
 annotations: null
- # Resource settings for api gateway pods.
+ # The resource settings for api gateway pods.
 # @recurse: false
 # @type: map
 resources:
@@ -2706,7 +2724,7 @@ apiGateway:
 memory: "100Mi"
 cpu: "100m"
- # Resource settings for the `copy-consul-bin` init container.
+ # The resource settings for the `copy-consul-bin` init container.
 # @recurse: false
 # @type: map
 initCopyConsulContainer: