remove flags

CHANGELOG.md

@@ -9,6 +9,8 @@ IMPROVEMENTS:
 
 BREAKING CHANGES:
 * Minimum Kubernetes versions supported is 1.16+. [[GH-883](https://github.com/hashicorp/consul-helm/pull/883)]
+* Connect: `-enable-health-checks-controller`, `-health-checks-reconcile-period`, `-cleanup-controller-reconcile-period` have been removed
+  and are no longer supported as the controllers have been replaced by the endpoints controller. [[GH-892](https://github.com/hashicorp/consul-helm/pull/899)]
 
 BUG FIXES:
 * Add startup probe to connect-inject deployment to give time for certificates to be available.

templates/client-config-configmap.yaml

@@ -19,7 +19,7 @@ data:
       "enable_central_service_config": true
     }
 
-  {{- if (and .Values.connectInject.enabled .Values.connectInject.healthChecks.enabled) }}
+  {{- if .Values.connectInject.enabled }}
   {{/* We set check_update_interval to 0s so that check output is immediately viewable
        in the UI. */}}
   config.json: |-

templates/server-acl-init-job.yaml

@@ -139,9 +139,6 @@ spec:
                 {{- if and .Values.externalServers.enabled .Values.externalServers.k8sAuthMethodHost }}
                 -inject-auth-method-host={{ .Values.externalServers.k8sAuthMethodHost }} \
                 {{- end }}
-                {{- if .Values.connectInject.healthChecks.enabled }}
-                -enable-health-checks \
-                {{- end }}
                 {{- end }}
 
                 {{- if .Values.meshGateway.enabled }}

test/acceptance/tests/connect/connect_inject_test.go

@@ -93,8 +93,8 @@ func TestConnectInject(t *testing.T) {
 	}
 }
 
-// Test the cleanup controller that cleans up force-killed pods.
-func TestConnectInject_CleanupController(t *testing.T) {
+// Test the endpoints controller cleans up force-killed pods.
+func TestConnectInject_CleanupKilledPods(t *testing.T) {
 	cases := []struct {
 		secure      bool
 		autoEncrypt bool

test/unit/client-config-configmap.bats

@@ -61,24 +61,11 @@ load _helpers
   [ "${actual}" = "true" ]
 }
 
-#--------------------------------------------------------------------
-# connectInject.healthChecks
-
-@test "client/ConfigMap: check_update_interval is not set by default" {
-  cd `chart_dir`
-  local actual=$(helm template \
-      -s templates/client-config-configmap.yaml  \
-      . | tee /dev/stderr |
-      yq '.data["config.json"] | length > 0' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
-}
-
-@test "client/ConfigMap: check_update_interval is set when health checks enabled" {
+@test "client/ConfigMap: check_update_interval is set when connect is enabled" {
   cd `chart_dir`
   local actual=$(helm template \
       -s templates/client-config-configmap.yaml  \
       --set 'connectInject.enabled=true' \
-      --set 'connectInject.healthChecks.enabled=true' \
       . | tee /dev/stderr |
       yq '.data["config.json"] | contains("check_update_interval")' | tee /dev/stderr)
   [ "${actual}" = "true" ]

test/unit/server-acl-init-job.bats

@@ -1408,42 +1408,6 @@ load _helpers
   [ "${actual}" = "true" ]
 }
 
-@test "serverACLInit/Job: health checks flag enabled with ACLs" {
-  cd `chart_dir`
-  local actual=$(helm template \
-      -s templates/server-acl-init-job.yaml  \
-      --set 'global.acls.manageSystemACLs=true' \
-      --set 'connectInject.healthChecks.enabled=true' \
-      --set 'connectInject.enabled=true' \
-      . | tee /dev/stderr |
-      yq '.spec.template.spec.containers[0].command | any(contains("-enable-health-checks"))' | tee /dev/stderr)
-  [ "${actual}" = "true" ]
-}
-
-@test "serverACLInit/Job: health checks flag not passed with connectInject disabled" {
-  cd `chart_dir`
-  local actual=$(helm template \
-      -s templates/server-acl-init-job.yaml  \
-      --set 'global.acls.manageSystemACLs=true' \
-      --set 'connectInject.enabled=false' \
-      --set 'connectInject.healthChecks.enabled=true' \
-      . | tee /dev/stderr |
-      yq '.spec.template.spec.containers[0].command | any(contains("-enable-health-checks"))' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
-}
-
-@test "serverACLInit/Job: health checks flag not passed with health checks disabled" {
-  cd `chart_dir`
-  local actual=$(helm template \
-      -s templates/server-acl-init-job.yaml  \
-      --set 'global.acls.manageSystemACLs=true' \
-      --set 'connectInject.enabled=true' \
-      --set 'connectInject.healthChecks.enabled=false' \
-      . | tee /dev/stderr |
-      yq '.spec.template.spec.containers[0].command | any(contains("-enable-health-checks"))' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
-}
-
 #--------------------------------------------------------------------
 # controller
 

values.yaml

@@ -1293,18 +1293,6 @@ connectInject:
   # to explicitly opt-out of injection.
   default: false
 
-  # Enables synchronization of Kubernetes health probe status with Consul.
-  # NOTE: It is highly recommended to enable TLS with this feature because it requires
-  # making calls to Consul clients across the cluster. Without TLS enabled, these calls
-  # could leak ACL tokens should the cluster network become compromised.
-  healthChecks:
-    # Enables the Consul Health Check controller which syncs the readiness status of
-    # connect-injected pods with Consul.
-    enabled: true
-    # If `healthChecks.enabled` is set to `true`, `reconcilePeriod` defines how often a full state
-    # reconcile is done after the initial reconcile at startup is completed.
-    reconcilePeriod: "1m"
-
   # Configures metrics for Consul Connect services. All values are overridable
   # via annotations on a per-pod basis.
   metrics:
@@ -1343,17 +1331,6 @@ connectInject:
     # `consul.hashicorp.com/service-metrics-path` annotation.
     defaultPrometheusScrapePath: "/metrics"
 
-  # Cleanup controller cleans up Consul service instances that remain registered
-  # despite their pods no longer running. This could happen if the pod's `preStop`
-  # hook failed to execute for some reason.
-  cleanupController:
-    # How often to do a full reconcile where the controller looks at all pods
-    # and service instances and ensure the state is correct.
-    # The controller reacts to each delete event immediately but if it misses
-    # an event due to being down or a network issue, the reconcile loop will
-    # handle cleaning up any missed deleted pods.
-    reconcilePeriod: "5m"
-
   # Used to pass arguments to the injected envoy sidecar.
   # Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli
   # e.g "--log-level debug --disable-hot-restart"