This repository has been archived by the owner on Aug 25, 2021. It is now read-only.

Releases: hashicorp/consul-helm

v0.20.0

25 Apr 00:04
2edbe56

BREAKING CHANGES:

  • External Servers [GH-430]:

    • externalServers.https.address moved to externalServers.hosts
      and changed its type from string to array.
    • externalServers.https.port moved to externalServers.httpsPort
      and its default value changed from 443 to 8501.
    • externalServers.https.tlsServerName moved to externalServers.tlsServerName.
    • externalServers.https.useSystemRoots moved to externalServers.useSystemRoots.

    For example, if previously setting externalServers like so:

    externalServers:
      enabled: true
      https:
        address: "example.com"
        port: 443
        tlsServerName: null
        useSystemRoots: false

    Now you need to change it to the following:

    externalServers:
      enabled: true
      hosts: ["example.com"]
      httpsPort: 443
      tlsServerName: null
      useSystemRoots: false

    Note the default port change: if you previously relied on the default of 443 without
    setting externalServers.https.port, you must now set externalServers.httpsPort: 443
    explicitly, otherwise the consul-k8s components will try to reach the servers on 8501.
  • Auto-encrypt: You can no longer re-use the client.join property if using auto-encrypt
    with externalServers.enabled set to true. You must provide the Consul servers' HTTPS address
    via externalServers.hosts and externalServers.httpsPort. client.join is still needed for
    the clients to join the servers; externalServers.hosts is what the consul-k8s components
    use to reach the servers' HTTPS API.

    For example, if previously setting:

    global:
      tls:
        enabled: true
        enableAutoEncrypt: true
    externalServers:
      enabled: true
    client:
      join: ["consul.example.com"]

    Now you need to change it to:

    global:
      tls:
        enabled: true
        enableAutoEncrypt: true
    externalServers:
      enabled: true
      hosts: ["consul.example.com"]
    client:
      join: ["consul.example.com"]
FEATURES:

  • Support managing ACLs when running Consul servers externally to Kubernetes:

    • ACLs: Support providing your own bootstrap token [GH-420].
      If provided, the server-acl-init job will skip server ACL bootstrapping.

      Example:

      global:
        acls:
          manageSystemACLs: true
          bootstrapToken:
            secretName: bootstrap-token
            secretKey: token
    • External Servers: Add externalServers.k8sAuthMethodHost to allow configuring a custom location
      of the Kubernetes API server for the auth method created in Consul [GH-420].
      The Kubernetes API server provided here must be reachable from the external Consul servers,
      because the servers call its TokenReview API to validate the service account tokens
      presented to the auth method.

      Example:

      externalServers:
        enabled: true
        k8sAuthMethodHost: https://kubernetes-api.example.com:443

IMPROVEMENTS:

  • Default to the latest version of consul-k8s: hashicorp/consul-k8s:0.14.0

BUG FIXES:

  • tls-init-cleanup can run even if pre-install fails [GH-419].

v0.19.0

07 Apr 21:00
524f4ff

BREAKING CHANGES:

  • Mesh Gateways:
    • meshGateway.wanAddress - The following values are no longer supported:

      meshGateway:
        wanAddress:
          useNodeIP: true
          useNodeName: false
          host: ""

      Instead, if previously setting useNodeIP: true, now you must set:

      meshGateway:
        wanAddress:
          source: "NodeIP"

      If previously setting useNodeName: true, now you must set:

      meshGateway:
        wanAddress:
          source: "NodeName"

      If previously setting host: "example.com", now you must set:

      meshGateway:
        wanAddress:
          source: "Static"
          static: "example.com"

      where meshGateway.wanAddress.static is set to the previous host value.

    • meshGateway.service.enabled now defaults to true. If
      previously you were enabling mesh gateways but not enabling the service,
      you must now explicitly set this to false:

      Previously:

      meshGateway:
        enabled: true

      Now:

      meshGateway:
        enabled: true
        service:
          enabled: false
    • meshGateway.service.type now defaults to LoadBalancer instead of ClusterIP.
      On most cloud providers a LoadBalancer service provisions an externally reachable
      endpoint, so a mesh gateway that was cluster-internal before the upgrade becomes
      reachable from outside the cluster unless you pin the type. To set to ClusterIP use:

      meshGateway:
        service:
          type: ClusterIP
    • meshGateway.containerPort now defaults to 8443 instead of 443. This is
      to support running in Google Kubernetes Engine by default. This change should
      have no effect because the service's targetPort will change accordingly so
      you will still be able to route to the mesh gateway as before.
      If you wish to keep the port as 443 you must set:

      meshGateway:
        containerPort: 443

FEATURES:

  • Add externalServers configuration to support configuring the Helm chart with Consul servers
    running outside of a Kubernetes cluster [GH-375]. At the moment, this configuration is only used together
    with auto-encrypt, but might be extended later for other use-cases.

    To use auto-encrypt with external servers, you can set:

    externalServers:
      enabled: true

    This will tell all consul-k8s components to talk to the external servers to retrieve
    the clients' CA. The other properties you can set under externalServers are
    documented in the chart's values.yaml.

  • ACLs: Support ACL replication. ACL replication allows two or more Consul clusters
    to be federated when ACLs are enabled. One cluster is designated the primary
    and the rest are secondaries. The primary cluster replicates its ACLs to
    the secondaries. [GH-368]

    NOTE: This feature requires that the clusters are federated.

    Primary cluster:

    global:
      acls:
        manageSystemACLs: true
        createReplicationToken: true

    The replication ACL token Kubernetes secret is exported from the primary cluster
    into the secondaries and then referenced in their Helm config. Treat it like any
    other ACL token: copy it between clusters over a trusted channel and reference it
    by secret name rather than pasting the token value into the values file:

    global:
      acls:
        manageSystemACLs: true
        replicationToken:
          secretName: name
          secretKey: key
  • Mesh Gateways: Automatically set mesh gateway addresses when using a Kubernetes
    Load Balancer service.
    To use, set:

    meshGateway:
      enabled: true
      service:
        enabled: true
        type: "LoadBalancer"
      wanAddress:
        source: "Service"

    [GH-388]

  • Support setting image pull secrets via service accounts [GH-411].

IMPROVEMENTS:

  • Default to the latest version of consul-k8s: hashicorp/consul-k8s:0.13.0
  • Default to the latest version of Consul: consul:1.7.2
  • Allow setting specific secret keys in server.extraVolumes [GH-395]
  • Support auto-encrypt [GH-375].
    Auto-encrypt is the feature of Consul that allows clients to bootstrap their own certs
    at startup. To enable it through the Helm Chart, set:
    global:
      tls:
        enabled: true
        enableAutoEncrypt: true
  • Run the enterprise license job on Helm upgrades, as well as installs [GH-407].

BUG FIXES:

  • Mesh Gateways: Mesh gateways are no longer de-registered when their node's Consul
    client restarts. [GH-380]

DEPRECATIONS:

  • global.bootstrapACLs is deprecated. Instead, set global.acls.manageSystemACLs.
    global.bootstrapACLs will be supported for the next three releases.

    Previously:

    global:
      bootstrapACLs: true

    Now:

    global:
      acls:
        manageSystemACLs: true
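
    The key moves and default changes listed in the v0.20 and v0.19 breaking changes
    (externalServers and auto-encrypt, meshGateway.wanAddress, the mesh gateway service and
    containerPort defaults) and the global.bootstrapACLs deprecation above are mechanical
    enough to script. The following is an added example for this page, not code from the
    consul-helm chart or from consul-k8s. It takes the values as a plain dict (loading and
    dumping the YAML, e.g. with PyYAML or `helm get values <release> -o json`, is left to the
    caller); the function names are this example's own, and the choice to pin the old
    defaults so that an upgrade does not silently change behaviour is this example's
    choice, not a chart recommendation.

```python
"""Migrate a consul-helm values dict across the v0.19 and v0.20 breaking changes.

Added example for this page, not part of consul-helm or consul-k8s. Each key rename and
default change below is taken from the release notes; pinning the *old* defaults is this
example's policy so that `helm upgrade` does not change behaviour without a human seeing it.
"""
import copy

OLD_HTTPS_PORT = 443  # externalServers.https.port default before v0.20 (new default: 8501)


def _path(d, *keys):
    """Return the nested value at keys, or None if any step is missing."""
    for key in keys:
        if not isinstance(d, dict) or key not in d:
            return None
        d = d[key]
    return d


def migrate_to_0_19(values):
    """v0.18 -> v0.19. Returns (new_values, warnings)."""
    v = copy.deepcopy(values)
    warnings = []

    # global.bootstrapACLs is deprecated in favour of global.acls.manageSystemACLs.
    g = v.get("global")
    if isinstance(g, dict) and "bootstrapACLs" in g:
        g.setdefault("acls", {})["manageSystemACLs"] = g.pop("bootstrapACLs")

    mg = v.get("meshGateway")
    if isinstance(mg, dict) and mg.get("enabled"):
        wan = mg.get("wanAddress") or {}
        if any(k in wan for k in ("useNodeIP", "useNodeName", "host")):
            # useNodeIP/useNodeName/host are replaced by the single "source" selector.
            kept = {k: x for k, x in wan.items() if k not in ("useNodeIP", "useNodeName", "host")}
            if wan.get("host"):
                kept.update(source="Static", static=wan["host"])
            elif wan.get("useNodeName"):
                kept["source"] = "NodeName"
            else:  # useNodeIP: true was the old default
                kept["source"] = "NodeIP"
            mg["wanAddress"] = kept

        svc = mg.setdefault("service", {})
        if "enabled" not in svc:
            svc["enabled"] = False  # old default; v0.19 flips it to true
            warnings.append("meshGateway.service.enabled pinned to false (pre-0.19 default)")
        if "type" not in svc:
            # Old default ClusterIP; v0.19 defaults to LoadBalancer, which on most clouds
            # provisions an externally reachable endpoint. Pin it and let a human decide.
            svc["type"] = "ClusterIP"
            warnings.append("meshGateway.service.type pinned to ClusterIP (pre-0.19 default); "
                            "v0.19 would default to LoadBalancer")
        if "containerPort" not in mg:
            warnings.append("meshGateway.containerPort now defaults to 8443 (was 443); the "
                            "service targetPort follows it, set containerPort: 443 to keep 443")
    return v, warnings


def migrate_to_0_20(values):
    """v0.19 -> v0.20. Returns (new_values, warnings)."""
    v = copy.deepcopy(values)
    warnings = []
    ext = v.get("externalServers")
    if not isinstance(ext, dict):
        return v, warnings

    https = ext.pop("https", None)
    if isinstance(https, dict):
        if https.get("address"):
            ext["hosts"] = [https["address"]]  # string -> array
        # The default moved from 443 to 8501, so an unset port must become an explicit 443.
        ext["httpsPort"] = https.get("port", OLD_HTTPS_PORT)
        for key in ("tlsServerName", "useSystemRoots"):
            if key in https:
                ext[key] = https[key]

    auto_encrypt = (_path(v, "global", "tls", "enabled")
                    and _path(v, "global", "tls", "enableAutoEncrypt"))
    if ext.get("enabled") and auto_encrypt and not ext.get("hosts"):
        # client.join is no longer reused as the servers' HTTPS address.
        join = _path(v, "client", "join") or []
        if join:
            ext["hosts"] = list(join)
            warnings.append("externalServers.hosts copied from client.join; verify these hosts "
                            "serve HTTPS on externalServers.httpsPort (default 8501)")
        else:
            warnings.append("auto-encrypt with externalServers.enabled requires externalServers.hosts")
    return v, warnings


def migrate(values):
    """Apply both steps in order; returns (values, warnings)."""
    v, w1 = migrate_to_0_19(values)
    v, w2 = migrate_to_0_20(v)
    return v, w1 + w2
```

    Review the returned warnings before applying the result: they are exactly the points
    where the chart's new defaults would have changed exposure (a LoadBalancer on the mesh
    gateway) or connectivity (the 8501 HTTPS port) without an explicit setting.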

v0.18.0

18 Mar 17:00
21ded2e

IMPROVEMENTS:

  • Allow setting your own certificate authority for Consul to Consul communication
    (i.e. not Connect service to service communication) [GH-346].
    To use, set:
    global:
      tls:
        caCert:
          secretName: null
          secretKey: null
        caKey:
          secretName: null
          secretKey: null
    See values.yaml for more details. caKey references the CA's private key, which the
    chart needs in order to issue the server and client certificates; keep that Secret
    in the Consul namespace only and restrict which service accounts can read it.
  • Allow setting custom annotations for Consul server service [GH-376]
    To use, set:
    server:
      service:
        annotations: |
          "annotation-key": "annotation-value"

BUG FIXES:

  • Fix incompatibility with Helm 3.1.2. [GH-390]
  • Ensure the Consul Enterprise license gets applied, even if servers take a long time to come up. [GH-348]

v0.17.0

21 Feb 20:44

BREAKING CHANGES:

consul-k8s v0.12.0+ is now required. The chart is passing new flags that are only available in this version. To use this version if not using the chart defaults, set

global:
  imageK8S: hashicorp/consul-k8s:0.12.0

IMPROVEMENTS:

Catalog Sync

    New Helm values have been added to configure which Kubernetes namespaces we will sync from. The defaults are shown below:

    syncCatalog:
      toConsul: true
      k8sAllowNamespaces: ["*"]
      k8sDenyNamespaces: ["kube-system", "kube-public"]

    If running Consul Enterprise 1.7.0+, Consul namespaces are supported. New Helm values have been added to allow configuring which Consul namespaces Kubernetes services are synced to. See https://www.consul.io/docs/platform/k8s/service-sync.html#consul-enterprise-namespaces for more details.

    global:
      enableConsulNamespaces: true
    syncCatalog:
      consulNamespaces:
        # consulDestinationNamespace is the name of the Consul namespace to register all
        # k8s services into. If the Consul namespace does not already exist,
        # it will be created. This will be ignored if `mirroringK8S` is true.
        consulDestinationNamespace: "default"

        # mirroringK8S causes k8s services to be registered into a Consul namespace
        # of the same name as their k8s namespace, optionally prefixed if
        # `mirroringK8SPrefix` is set below. If the Consul namespace does not
        # already exist, it will be created. Turning this on overrides the
        # `consulDestinationNamespace` setting.
        # `addK8SNamespaceSuffix` may no longer be needed if enabling this option.
        mirroringK8S: false

        # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
        # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a
        # service in the k8s `staging` namespace will be registered into the
        # `k8s-staging` Consul namespace.
        mirroringK8SPrefix: ""

Connect Inject

    New Helm values have been added to configure which Kubernetes namespaces we will inject pods in. The defaults are shown below:

    connectInject:
      k8sAllowNamespaces: ["*"]
      k8sDenyNamespaces: []

    If running Consul Enterprise 1.7.0+, Consul namespaces are supported. New Helm values have been added to allow configuring which Consul namespaces Kubernetes pods are registered into. See https://www.consul.io/docs/platform/k8s/connect.html#consul-enterprise-namespaces for more details.

    global:
      enableConsulNamespaces: true

    connectInject:
      consulNamespaces:
        # consulDestinationNamespace is the name of the Consul namespace to register all
        # k8s pods into. If the Consul namespace does not already exist,
        # it will be created. This will be ignored if `mirroringK8S` is true.
        consulDestinationNamespace: "default"

        # mirroringK8S causes k8s pods to be registered into a Consul namespace
        # of the same name as their k8s namespace, optionally prefixed if
        # `mirroringK8SPrefix` is set below. If the Consul namespace does not
        # already exist, it will be created. Turning this on overrides the
        # `consulDestinationNamespace` setting.
        mirroringK8S: false

        # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace
        # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a
        # pod in the k8s `staging` namespace will be registered into the
        # `k8s-staging` Consul namespace.
        mirroringK8SPrefix: ""

BUG FIXES:

Fix template rendering bug when setting connectInject.overrideAuthMethodName [GH-342]
Set "consul.hashicorp.com/connect-inject": "false" annotation on enterprise license job so it is not connect injected [GH-343]

DEPRECATIONS:

.syncCatalog.k8sSourceNamespace should no longer be used. Instead, use the new .syncCatalog.k8sAllowNamespaces and .syncCatalog.k8sDenyNamespaces features. For backward compatibility, if both this and the allow/deny lists are set, the allow/deny lists will be ignored.
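
The allow/deny lists, the deprecated k8sSourceNamespace override and the consulNamespaces
mapping described in the Catalog Sync and Connect Inject sections above interact in ways that
are easy to get wrong, and a mistake means kube-system services or pods end up in the Consul
catalog. The following is an added example for this page, not code from consul-k8s or the
chart: it reimplements those rules as stated in the notes (deny takes precedence over allow,
"*" in the allow list matches every namespace, k8sSourceNamespace makes both lists ignored,
mirroringK8S overrides consulDestinationNamespace and only applies when
global.enableConsulNamespaces is true) so you can preview a values dict before running
helm upgrade. The function names and the sample values are this example's own.

```python
"""Preview which Kubernetes namespaces catalog sync and Connect injection act on, and which
Consul namespace each one maps to, for a consul-helm v0.17 values dict.

Added example for this page, not consul-k8s code; it follows the rules in the v0.17 notes.
"""
from collections import namedtuple

# Chart defaults as listed in the v0.17 release notes.
SYNC_DEFAULTS = {"toConsul": True,
                 "k8sAllowNamespaces": ["*"],
                 "k8sDenyNamespaces": ["kube-system", "kube-public"]}
INJECT_DEFAULTS = {"k8sAllowNamespaces": ["*"], "k8sDenyNamespaces": []}
NS_DEFAULTS = {"consulDestinationNamespace": "default",
               "mirroringK8S": False,
               "mirroringK8SPrefix": ""}

# selected: whether the component acts on the k8s namespace.
# consul_namespace: target Consul namespace, or None when Consul namespaces are off (OSS).
Decision = namedtuple("Decision", "selected consul_namespace")


def namespace_allowed(k8s_ns, section, defaults):
    """Allow/deny evaluation for one k8s namespace."""
    source = section.get("k8sSourceNamespace")  # deprecated single-namespace setting
    if source:
        # For backward compatibility the allow/deny lists are ignored when it is set.
        return k8s_ns == source
    allow = section.get("k8sAllowNamespaces", defaults["k8sAllowNamespaces"])
    deny = section.get("k8sDenyNamespaces", defaults["k8sDenyNamespaces"])
    if k8s_ns in deny:  # deny takes precedence over allow
        return False
    return "*" in allow or k8s_ns in allow


def consul_namespace(k8s_ns, section, enterprise_namespaces):
    """Consul namespace the k8s namespace maps to, per the consulNamespaces block."""
    if not enterprise_namespaces:
        return None
    cfg = {**NS_DEFAULTS, **(section.get("consulNamespaces") or {})}
    if cfg["mirroringK8S"]:
        # Mirroring overrides consulDestinationNamespace.
        return cfg["mirroringK8SPrefix"] + k8s_ns
    return cfg["consulDestinationNamespace"]


def plan(values, k8s_namespaces):
    """Return {k8s_ns: {"sync": Decision, "inject": Decision}}."""
    ent = bool((values.get("global") or {}).get("enableConsulNamespaces"))
    sync = {**SYNC_DEFAULTS, **(values.get("syncCatalog") or {})}
    inject = {**INJECT_DEFAULTS, **(values.get("connectInject") or {})}
    out = {}
    for ns in k8s_namespaces:
        sync_on = bool(sync["toConsul"]) and namespace_allowed(ns, sync, SYNC_DEFAULTS)
        inj_on = namespace_allowed(ns, inject, INJECT_DEFAULTS)
        out[ns] = {
            "sync": Decision(sync_on, consul_namespace(ns, sync, ent) if sync_on else None),
            "inject": Decision(inj_on, consul_namespace(ns, inject, ent) if inj_on else None),
        }
    return out


if __name__ == "__main__":
    # Constructed sample values: Enterprise namespaces on, sync mirrors with a prefix,
    # injection routes everything to one Consul namespace except kube-system.
    sample = {
        "global": {"enableConsulNamespaces": True},
        "syncCatalog": {"consulNamespaces": {"mirroringK8S": True, "mirroringK8SPrefix": "k8s-"}},
        "connectInject": {"k8sDenyNamespaces": ["kube-system"],
                          "consulNamespaces": {"consulDestinationNamespace": "apps"}},
    }
    for ns, decision in plan(sample, ["staging", "kube-system", "kube-public"]).items():
        print(ns, decision)
```

Note the asymmetry the defaults create: catalog sync denies kube-system and kube-public out
of the box, but Connect injection denies nothing, so a pod in kube-public with the inject
annotation is injected unless you add it to connectInject.k8sDenyNamespaces yourself.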

NOTES:

Bootstrap ACLs: Previously, ACL policies were not updated after creation. Now, if namespaces are enabled, they are updated every time the ACL bootstrapper is run so that any namespace config changes can be adjusted. This change is only an issue if you are updating ACL policies after creation.

v0.16.2

15 Jan 18:50
c3373f8

BUG FIXES:

  • Fix Helm Chart version.

v0.16.1

14 Jan 18:57
85093b6

BUG FIXES:

  • Fix a bug in the tls-init job where it could not correctly detect the CA file when a Consul domain is provided [GH-329].

v0.16.0

10 Jan 23:39
6275fea

IMPROVEMENTS:

  • Optionally allow enabling TLS for Consul communication [GH-313].
    If global.tls.enabled is set to true, the Helm chart will generate a CA and necessary certificates and enable TLS for servers, clients, Connect injector, Mesh gateways, catalog sync, ACL bootstrapping, and snapshot agents.

    Note that this feature is only supported if both servers and clients are running on Kubernetes. We will have better support for other deployment architectures, as well as bringing your own CA, in the future.

    Also, note that simply turning on this feature and running helm upgrade will result in downtime if you are using Consul Connect or Sync Catalog features. We will be adding instructions on how to do this upgrade without downtime soon. Additionally, if you do decide to proceed with an upgrade despite downtime and you're using Consul Connect, all application pods need to be recreated after the upgrade, so that the Connect injector can re-inject Envoy sidecars with TLS enabled.

  • Use the latest version of consul-k8s (0.11.0).

  • Add pod name as metadata to client nodes to help users map nodes in Consul to underlying client pods [GH-315].

  • Rename enterprise-licence.yaml template to enterprise-license-job.yaml [GH-321].

BUG FIXES:

  • Fix graceful termination for servers [GH-313].
    The terminationGracePeriod is now set to 30 seconds for the servers. The previous setting of 10 seconds wasn't always enough time for a graceful leave, and in those cases, servers leave the cluster in a "failed" state. Additionally, clients always set leave_on_terminate to true.
    This replaces the preStop hook that was calling consul leave. Note that leave_on_terminate defaults to true for clients as of Consul 0.7, so this change only affects earlier versions.

  • Helm test runner now respects the provided namespace [GH-320].

  • Add pod security policies for the enterprise-license [GH-325]
    and the server-acl-init jobs [GH-326].

v0.15.0

17 Dec 23:43
c9d1bc5

BREAKING CHANGES:

  • connectInject.centralConfig defaults to true now instead of false. This is to make it
    easier to configure Connect via service-defaults and other routing
    config [GH-302].
    See https://www.consul.io/docs/agent/options.html#enable_central_service_config.

    If you wish to disable central config, set connectInject.centralConfig to
    false in your local values file. NOTE: If connectInject.enabled is false,
    then central config is not enabled so this change will not affect you.

  • Connect Inject: If using Connect Inject, you must also upgrade your consul-k8s version
    to a version >= 0.10.1. A new flag is being passed in to consul-k8s which is not
    supported in earlier versions.

BUG FIXES:

  • Fix bug with fullnameOverride and add new global.name setting for changing
    the default prefix for resources. [GH-286]

  • Connect Inject: Fix critical bug where Connect-registered services instances would be de-registered
    when the Consul client on the same node was restarted. This fix adds a new
    sidecar that ensures the service instance is always registered. [GH-314]

v0.14.0

10 Dec 19:23
e7ee3c3

IMPROVEMENTS:

  • Consul client DaemonSet can now use a hostPath mount
    for its data directory by setting the client.dataDirectoryHostPath value.
    This setting is currently necessary to ensure that when a Consul client Pod is deleted,
    e.g. during a Consul version upgrade, it does not lose its Connect service
    registrations. In the next version, we plan to have services automatically
    re-register which will remove the need for this. [GH-298]

    Security Warning: If using this setting, Pod Security Policies must be enabled on your cluster
    and in this Helm chart (via the global.enablePodSecurityPolicies setting)
    to prevent other Pods from mounting the same host path and gaining
    access to all of Consul's data. Consul's data is not encrypted at rest. The chart's
    setting only covers Consul's own Pods; the policies applied to every other workload
    must also disallow hostPath volumes, or restrict allowedHostPaths so that this
    directory is excluded, for the protection to hold.

  • New configuration option client.updateStrategy allows setting the update
    strategy for the Client DaemonSet. [GH-298]

  • New configuration option client.dnsPolicy allows setting the DNS
    policy for the Client DaemonSet. [GH-298]

v0.13.0

06 Dec 02:35
be89ea9

BREAKING CHANGES:

  • client.grpc defaults to true now instead of false. This is to make it
    harder to misconfigure Connect. [GH-282]

    If you do not wish to enable gRPC for clients, set client.grpc to
    false in your local values file.

  • Add syncCatalog.addK8SNamespaceSuffix and default it to true. [GH-280]
    Note: upgrading an existing installation will result in deregistering
    of existing synced services in Consul and registering them with a new name.
    If you would like to avoid this behavior set syncCatalog.addK8SNamespaceSuffix
    to false.

IMPROVEMENTS:

  • Use the latest version of consul (1.6.2)
  • Use the latest version of consul-k8s (0.9.5)
  • Add connectInject.overrideAuthMethodName to allow setting the -acl-auth-method flag [GH-278]
  • Support external to k8s Consul servers [GH-289]

BUG FIXES:

  • Do not run server-acl-init during server rollout [GH-292]