Please provide an example of extraConfig so TLS can work #74
Comments
Can you provide an example of the whole helm --set command? It should be sufficient to set that value as a json string wrapped in single quotes. |
Hi Jeff, Sure. There's a couple challenges with this consul-helm chart.
Example helm install:
```bash
git clone https://github.com/hashicorp/consul-helm.git && cd consul-helm
helm install --name consul .
```
Helm fails with:

This is probably because Helm (go) insists this value in "--set" parameters must be a raw string (albeit JSON). Single quoting it does not protect Helm from choking on the string. I've tried various quoting and escaping methods to no avail.

Bottom line: There seems to be no way to configure TLS or anything else in extraConfig w/o doing a bunch of smelly manual operations (clone, edit, check, install?)

Could you provide an example where this works via helm install w/o unsightly values.yaml edits?

Thanks, |
You might try --set-string or --set-file for client.extraConfig instead of --set. |
--set-string fails with the same error:

--set-file requires more custom file operations instead of just tuning --set params |
Hi @vanderhoofen, I've just merged a fix for how we interpret This enables users to specify extraConfig values using Helm's --set CLI
Please feel free to open a new issue if this doesn't solve the issue for you. |
Well, I solved this in an easier way. Just change the key my-values.yml:

```yaml
---
client:
  enabled: "true"
  extraVolumes:
    - name: "consul-secret"
      load: "false"
      type: "secret"
  join:
    - "xxx.com"
    - "yyy.com"
dns:
  enabled: "true"
global:
  datacenter: "datacenter1"
  domain: "mydomain"
  enabled: "false"
```

config map

```json
{
  "verify_outgoing": true,
  "verify_incoming": true,
  "verify_server_hostname": true,
  "ca_file": "/consul/userconfig/consul-secret/ca",
  "key_file": "/consul/userconfig/consul-secret/key",
  "cert_file": "/consul/userconfig/consul-secret/cert",
  "primary_datacenter": "datacenter1",
  "acl_down_policy": "extend-cache",
  "acl_default_policy": "allow",
  "acl_agent_token": "14253987253985329853298",
  "acl_agent_master_token": "14267473457345738"
}
```
--
|
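A check for values like the ones posted in the comment above, as an added example that is not part of the original thread or of the consul-helm project: it verifies that a client.extraConfig JSON string parses, enables the three verify_* settings, and points its TLS files under /consul/userconfig/<name>/ for a volume declared in client.extraVolumes with type secret. The function name, the finding strings and the placeholder token are assumptions made for illustration.

```python
import json

MOUNT_ROOT = "/consul/userconfig"  # mount prefix seen in the thread's file paths
TLS_FLAGS = ("verify_incoming", "verify_outgoing", "verify_server_hostname")
TLS_FILES = ("ca_file", "cert_file", "key_file")
TOKEN_KEYS = ("acl_agent_token", "acl_agent_master_token")


def lint_extra_config(extra_config, extra_volumes):
    """Return findings for a client.extraConfig JSON string (hypothetical helper)."""
    try:
        cfg = json.loads(extra_config)
    except json.JSONDecodeError as exc:
        return [f"extraConfig is not valid JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["extraConfig must be a JSON object"]
    findings = [f"{flag} is not true" for flag in TLS_FLAGS if cfg.get(flag) is not True]
    # TLS material must sit under the mount of a declared secret-type volume.
    secret_dirs = [f"{MOUNT_ROOT}/{v.get('name')}/" for v in extra_volumes
                   if v.get("type") == "secret"]
    for key in TLS_FILES:
        path = cfg.get(key)
        if not isinstance(path, str) or not path:
            findings.append(f"{key} is missing")
        elif not path.startswith(tuple(secret_dirs)):
            findings.append(f"{key} {path} is outside the mounted secret volumes")
    # Tokens written into extraConfig are readable by anyone who can read the values.
    findings += [f"{key} is set inline in extraConfig" for key in TOKEN_KEYS if key in cfg]
    if cfg.get("acl_default_policy") == "allow":
        findings.append("acl_default_policy is allow")
    return findings


# Constructed sample mirroring the thread's values; the token string is a placeholder.
SAMPLE_VOLUMES = [{"name": "consul-secret", "type": "secret", "load": "false"}]
SAMPLE_CONFIG = json.dumps({
    "verify_outgoing": True, "verify_incoming": True, "verify_server_hostname": True,
    "ca_file": "/consul/userconfig/consul-secret/ca",
    "key_file": "/consul/userconfig/consul-secret/key",
    "cert_file": "/consul/userconfig/consul-secret/cert",
    "acl_default_policy": "allow",
    "acl_agent_token": "PLACEHOLDER-TOKEN",
})

if __name__ == "__main__":
    for finding in lint_extra_config(SAMPLE_CONFIG, SAMPLE_VOLUMES):
        print("FINDING:", finding)
```

Running it against a rendered values file before `helm install` catches a volume name that does not match the certificate paths, which otherwise only shows up when the agent fails to start.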
This is great. Thanks |
There is a bit more needed than just providing the
and the
NB: the affinity rules are not essential here, I have had them in place due to multi-zone cluster setup. Keep in mind that this configuration is running HTTPS on the same 8500 port, instead of HTTP. Normally, in production you would want to use HTTPS, so this adjustment is fine. If for some reason you need to keep both the HTTP and HTTPS ports available, you can use 8501 for HTTPS and uncomment CONSUL_HTTP_ADDR env variable to point all the tools to the proper API endpoint. |
I know this thread is old and has been closed but this is the only thread in here that deals with TLS for this chart. It seems as if the consul syncCatalog is designed to work without tls. Once tls is enabled on consul server and client (Agent), syncCatalog seems to stop working. Has anyone been able to get it to work correctly? |
Is this still the preferred way for consul/vault on k8s with tls? |
@HofmannZ this ticket is super old so perhaps opening a new one with your specific use-case would be better. Quickly, turning on TLS can be done with:

```yaml
global:
  tls:
    enabled: true
```
|
consul-helm/values.yaml
Lines 70 to 73 in ec0de41
How exactly should client.extraConfig and client.extraVolumes be set so that we can have TLS enabled from Consul client to a Consul cluster outside of kubernetes?
Could you provide examples?
Trial and error formatting this 'raw JSON payload' via "helm --set client.extraConfig" isn't working out
We want to not have to customize values.yaml by hand but rather just use the chart