Merge remote-tracking branch 'origin/master' into wan-federation
lkysow committed Mar 30, 2020
2 parents a1770b2 + e892588 commit 0e5a0da
Showing 21 changed files with 843 additions and 63 deletions.
34 changes: 34 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,39 @@
## Unreleased

## 0.18.0 (Mar 18, 2020)

IMPROVEMENTS:

* Allow setting your own certificate authority for Consul to Consul communication
(i.e. not Connect service to service communication) [[GH-346](https://github.com/hashicorp/consul-helm/pull/346)].
To use, set:
```yaml
global:
tls:
caCert:
secretName: null
secretKey: null
caKey:
secretName: null
secretKey: null
```
See `values.yaml` for more details.
* Allow setting custom annotations for Consul server service [[GH-376](https://github.com/hashicorp/consul-helm/pull/376)]
To use, set:
```yaml
server:
service:
annotations: |
"annotation-key": "annotation-value"
```

BUG FIXES:

* Fix incompatibility with Helm 3.1.2. [[GH-390](https://github.com/hashicorp/consul-helm/issues/390)]
* Ensure the Consul Enterprise license gets applied, even if servers take a long time to come up. [[GH-348](https://github.com/hashicorp/consul-helm/pull/348))

## 0.17.0 (Feb 21, 2020)

BREAKING CHANGES:

* `consul-k8s` `v0.12.0`+ is now required. The chart is passing new flags that are only available in this version.
2 changes: 1 addition & 1 deletion Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
name: consul
version: 0.17.0
version: 0.18.0
description: Install and configure Consul on Kubernetes.
home: https://www.consul.io
sources:
9 changes: 8 additions & 1 deletion templates/NOTES.txt
Expand Up @@ -7,11 +7,18 @@ Consul with Kubernetes available here:
https://www.consul.io/docs/platform/k8s/index.html


Your release is named {{ .Release.Name }}. To learn more about the release, try:
Your release is named {{ .Release.Name }}.

To learn more about the release if you are using Helm 2, run:

$ helm status {{ .Release.Name }}
$ helm get {{ .Release.Name }}

To learn more about the release if you are using Helm 3, run:

$ helm status {{ .Release.Name }}
$ helm get all {{ .Release.Name }}


{{- if (and .Values.global.bootstrapACLs (gt (len .Values.server.extraConfig) 3)) }}
Warning: Defining server extraConfig potentially disrupts the automatic ACL
41 changes: 41 additions & 0 deletions templates/_helpers.tpl
Expand Up @@ -61,3 +61,44 @@ Inject extra environment vars in the format key:value, if populated
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Get Consul client CA to use when auto-encrypt is enabled.
This template is for an init container.
*/}}
{{- define "consul.getAutoEncryptClientCA" -}}
- name: get-auto-encrypt-client-ca
image: {{ .Values.global.imageK8S }}
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s get-consul-client-ca \
-output-file=/consul/tls/client/ca/tls.crt \
{{- if .Values.externalServers.enabled }}
{{- if not (or .Values.externalServers.https.address .Values.client.join)}}{{ fail "either client.join or externalServers.https.address must be set if externalServers.enabled is true" }}{{ end -}}
{{- if .Values.externalServers.https.address }}
-server-addr={{ .Values.externalServers.https.address }} \
{{- else }}
-server-addr={{ quote (first .Values.client.join) }} \
{{- end }}
-server-port={{ .Values.externalServers.https.port }} \
{{- if .Values.externalServers.https.tlsServerName }}
-tls-server-name={{ .Values.externalServers.https.tlsServerName }} \
{{- end }}
{{- if not .Values.externalServers.https.useSystemRoots }}
-ca-file=/consul/tls/ca/tls.crt
{{- end }}
{{- else }}
-server-addr={{ template "consul.fullname" . }}-server \
-server-port=8501 \
-ca-file=/consul/tls/ca/tls.crt
{{- end }}
volumeMounts:
{{- if not (and .Values.externalServers.enabled .Values.externalServers.https.useSystemRoots) }}
- name: consul-ca-cert
mountPath: /consul/tls/ca
{{- end }}
- name: consul-auto-encrypt-ca-cert
mountPath: /consul/tls/client/ca
{{- end -}}
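Review bot: `-server-addr={{ .Values.externalServers.https.address }} \` in the externalServers branch of `consul.getAutoEncryptClientCA` is unquoted while the `client.join` branch wraps its value with `quote`; the command runs under `sh -ec`, so a value containing shell metacharacters would be interpreted rather than passed through, and `-server-addr={{ quote .Values.externalServers.https.address }} \` (likewise for `-tls-server-name=`) keeps both branches consistent. The `useSystemRoots` branch silently omits `-ca-file`, which changes which trust anchors the fetched client CA is validated against; a comment above that check, e.g. `{{/* with useSystemRoots the server cert is verified against the image's system CA bundle, so no -ca-file is passed */}}`, would make that trust path explicit for the next reader.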
38 changes: 29 additions & 9 deletions templates/client-daemonset.yaml
Expand Up @@ -78,6 +78,7 @@ spec:
items:
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
path: tls.crt
{{ if not .Values.global.tls.enableAutoEncrypt }}
- name: consul-ca-key
secret:
{{- if .Values.global.tls.caKey.secretName }}
Expand All @@ -88,12 +89,13 @@ spec:
items:
- key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }}
path: tls.key
- name: tls-client-cert
- name: consul-client-cert
emptyDir:
# We're using tmpfs here so that
# client certs are not written to disk
medium: "Memory"
{{- end }}
{{- end }}
{{- range .Values.client.extraVolumes }}
- name: userconfig-{{ .name }}
{{ .type }}:
Expand Down Expand Up @@ -129,6 +131,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
- name: GOSSIP_KEY
valueFrom:
Expand All @@ -139,9 +145,14 @@ spec:
{{- if .Values.global.tls.enabled }}
- name: CONSUL_HTTP_ADDR
value: https://localhost:8501
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: CONSUL_HTTP_SSL_VERIFY
value: false
{{- else }}
- name: CONSUL_CACERT
value: /consul/tls/ca/tls.crt
{{- end }}
{{- end }}
{{- include "consul.extraEnvironmentVars" .Values.client | nindent 12 }}
command:
- "/bin/sh"
Expand All @@ -158,13 +169,20 @@ spec:
-hcl='leave_on_terminate = true' \
{{- if .Values.global.tls.enabled }}
-hcl='ca_file = "/consul/tls/ca/tls.crt"' \
{{- if .Values.global.tls.enableAutoEncrypt }}
-hcl='auto_encrypt = {tls = true}' \
-hcl="auto_encrypt = {ip_san = [\"$HOST_IP\"]}" \
{{- else }}
-hcl='cert_file = "/consul/tls/client/tls.crt"' \
-hcl='key_file = "/consul/tls/client/tls.key"' \
{{- end }}
{{- if .Values.global.tls.verify }}
-hcl='verify_incoming_rpc = true' \
-hcl='verify_outgoing = true' \
{{- if not .Values.global.tls.enableAutoEncrypt }}
-hcl='verify_incoming_rpc = true' \
-hcl='verify_server_hostname = true' \
{{- end }}
{{- end }}
-hcl='ports { https = 8501 }' \
{{- if .Values.global.tls.httpsOnly }}
-hcl='ports { http = -1 }' \
Expand All @@ -187,9 +205,9 @@ spec:
{{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
-encrypt="${GOSSIP_KEY}" \
{{- end }}
{{- if (.Values.client.join) and (gt (len .Values.client.join) 0) }}
{{- if .Values.client.join }}
{{- range $value := .Values.client.join }}
-retry-join="{{ $value }}" \
-retry-join={{ quote $value }} \
{{- end }}
{{- else }}
{{- if .Values.server.enabled }}
Expand All @@ -208,10 +226,12 @@ spec:
- name: consul-ca-cert
mountPath: /consul/tls/ca
readOnly: true
- name: tls-client-cert
{{- if not .Values.global.tls.enableAutoEncrypt }}
- name: consul-client-cert
mountPath: /consul/tls/client
readOnly: true
{{- end }}
{{- end }}
{{- range .Values.client.extraVolumes }}
- name: userconfig-{{ .name }}
readOnly: true
Expand Down Expand Up @@ -267,7 +287,7 @@ spec:
- |
{{- if .Values.global.tls.enabled }}
curl \
--cacert /consul/tls/ca/tls.crt \
-k \
https://127.0.0.1:8501/v1/status/leader \
{{- else }}
curl http://127.0.0.1:8500/v1/status/leader \
Expand All @@ -277,7 +297,7 @@ spec:
resources:
{{ tpl .Values.client.resources . | nindent 12 | trim }}
{{- end }}
{{- if (or .Values.global.bootstrapACLs .Values.global.tls.enabled) }}
{{- if (or .Values.global.bootstrapACLs (and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt))) }}
initContainers:
{{- if .Values.global.bootstrapACLs }}
- name: client-acl-init
Expand All @@ -294,7 +314,7 @@ spec:
- name: aclconfig
mountPath: /consul/aclconfig
{{- end }}
{{- if .Values.global.tls.enabled }}
{{- if and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt) }}
- name: client-tls-init
image: "{{ default .Values.global.image .Values.client.image }}"
env:
Expand All @@ -316,7 +336,7 @@ spec:
mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0.pem tls.crt
mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0-key.pem tls.key
volumeMounts:
- name: tls-client-cert
- name: consul-client-cert
mountPath: /consul/tls/client
- name: consul-ca-cert
mountPath: /consul/tls/ca/cert
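Review bot: `value: false` for `CONSUL_HTTP_SSL_VERIFY` in the new `enableAutoEncrypt` env branch renders as a YAML boolean, but `EnvVar.value` is a string, so the rendered DaemonSet fails API validation; quote it, `value: "false"`. The readiness probe hunk, which as it reads replaces `--cacert /consul/tls/ca/tls.crt \` with `-k \`, is not gated on `enableAutoEncrypt`, so deployments that still use the server CA also lose certificate verification on the probe; keeping `--cacert` in an `{{- else }}` branch of an `enableAutoEncrypt` check preserves it where the file can verify. Under `global.tls.verify` the auto-encrypt branch now sets neither `verify_incoming_rpc` nor `verify_server_hostname` on clients; if that is intended because the server-supplied auto_encrypt settings cover them, a template comment saying so would keep a later reader from reinstating them. The enclosing container spec starts and ends outside these hunks.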
20 changes: 18 additions & 2 deletions templates/client-snapshot-agent-deployment.yaml
Expand Up @@ -52,6 +52,7 @@ spec:
emptyDir: {}
{{- end }}
{{- if .Values.global.tls.enabled }}
{{- if not (and .Values.externalServers.enabled .Values.externalServers.https.useSystemRoots) }}
- name: consul-ca-cert
secret:
{{- if .Values.global.tls.caCert.secretName }}
Expand All @@ -63,6 +64,12 @@ spec:
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
path: tls.crt
{{- end }}
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: consul-auto-encrypt-ca-cert
emptyDir:
medium: "Memory"
{{- end }}
{{- end }}
{{- end }}
containers:
- name: consul-snapshot-agent
Expand Down Expand Up @@ -111,13 +118,18 @@ spec:
mountPath: /consul/aclconfig
{{- end }}
{{- if .Values.global.tls.enabled }}
{{- if .Values.global.tls.enableAutoEncrypt}}
- name: consul-auto-encrypt-ca-cert
{{- else }}
- name: consul-ca-cert
{{- end }}
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
{{- end }}
{{- if .Values.global.bootstrapACLs }}
{{- end }}
{{- if (or .Values.global.bootstrapACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt)) }}
initContainers:
{{- if .Values.global.bootstrapACLs }}
- name: client-snapshot-agent-acl-init
image: {{ .Values.global.imageK8S }}
command:
Expand All @@ -131,6 +143,10 @@ spec:
- name: aclconfig
mountPath: /consul/aclconfig
{{- end }}
{{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }}
{{- include "consul.getAutoEncryptClientCA" . | nindent 6 }}
{{- end }}
{{- end }}
{{- if .Values.client.nodeSelector }}
nodeSelector:
{{ tpl .Values.client.nodeSelector . | indent 8 | trim }}
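Review bot: The `consul-auto-encrypt-ca-cert` emptyDir in the volumes hunk is nested inside `{{- if not (and .Values.externalServers.enabled .Values.externalServers.https.useSystemRoots) }}`, so with external servers and `useSystemRoots` the volume is never rendered while the `consul-auto-encrypt-ca-cert` volumeMount and the `consul.getAutoEncryptClientCA` init container still reference it, and the API server rejects the pod for a mount naming an undefined volume. Close the `useSystemRoots` guard with its own `{{- end }}` directly after the `consul-ca-cert` secret block and leave the `{{- if .Values.global.tls.enableAutoEncrypt }}` emptyDir under only `global.tls.enabled`. The volumes hunk in templates/connect-inject-deployment.yaml has the same nesting and needs the same fix. Separately, `{{- if .Values.global.tls.enableAutoEncrypt}}` in the volumeMounts hunk is missing the space before `}}` that the rest of the file uses. The enclosing volumes and volumeMounts lists start outside these hunks.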
35 changes: 24 additions & 11 deletions templates/connect-inject-deployment.yaml
Expand Up @@ -41,6 +41,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if .Values.global.tls.enabled }}
- name: CONSUL_CACERT
value: /consul/tls/ca/tls.crt
{{- end }}
{{- /* A Consul client and ACL token is only necessary for the connect injector if namespaces are enabled */}}
{{- if .Values.global.enableConsulNamespaces }}
- name: HOST_IP
Expand All @@ -60,15 +64,12 @@ spec:
name: "{{ template "consul.fullname" . }}-connect-inject-acl-token"
key: "token"
{{- end }}
{{- if .Values.global.tls.enabled }}
- name: CONSUL_HTTP_ADDR
{{- if .Values.global.tls.enabled }}
value: https://$(HOST_IP):8501
- name: CONSUL_CACERT
value: /consul/tls/ca/tls.crt
{{- else }}
- name: CONSUL_HTTP_ADDR
{{- else }}
value: http://$(HOST_IP):8500
{{- end }}
{{- end }}
{{- end }}
command:
- "/bin/sh"
Expand All @@ -89,10 +90,6 @@ spec:
{{- else if .Values.global.bootstrapACLs }}
-acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \
{{- end }}
{{- if .Values.global.tls.enabled }}
-consul-ca-cert=/consul/tls/ca/tls.crt \
{{- end }}
{{- if .Values.connectInject.centralConfig.enabled }}
-enable-central-config=true \
{{- end }}
Expand Down Expand Up @@ -155,7 +152,11 @@ spec:
readOnly: true
{{- end }}
{{- if .Values.global.tls.enabled }}
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: consul-auto-encrypt-ca-cert
{{- else }}
- name: consul-ca-cert
{{- end }}
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
Expand All @@ -168,6 +169,7 @@ spec:
secretName: {{ .Values.connectInject.certs.secretName }}
{{- end }}
{{- if .Values.global.tls.enabled }}
{{- if not (and .Values.externalServers.enabled .Values.externalServers.https.useSystemRoots) }}
- name: consul-ca-cert
secret:
{{- if .Values.global.tls.caCert.secretName }}
Expand All @@ -179,9 +181,16 @@ spec:
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
path: tls.crt
{{- end }}
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: consul-auto-encrypt-ca-cert
emptyDir:
medium: "Memory"
{{- end }}
{{- end }}
{{- end }}
{{- if and .Values.global.bootstrapACLs .Values.global.enableConsulNamespaces }}
{{- if or (and .Values.global.bootstrapACLs .Values.global.enableConsulNamespaces) (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }}
initContainers:
{{- if and .Values.global.bootstrapACLs .Values.global.enableConsulNamespaces }}
- name: injector-acl-init
image: {{ .Values.global.imageK8S }}
command:
Expand All @@ -192,6 +201,10 @@ spec:
-secret-name="{{ template "consul.fullname" . }}-connect-inject-acl-token" \
-k8s-namespace={{ .Release.Namespace }}
{{- end }}
{{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }}
{{- include "consul.getAutoEncryptClientCA" . | nindent 6 }}
{{- end }}
{{- end }}
{{- if .Values.connectInject.nodeSelector }}
nodeSelector:
{{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }}