From 7a5fc0789c170cd6917a3707624879f96687c77c Mon Sep 17 00:00:00 2001 From: Ashwin Venkatesh Date: Fri, 11 Nov 2022 09:50:50 -0500 Subject: [PATCH] Set default gateway replicas to 1 and default affinity to `null` --- charts/consul/values.yaml | 164 ++++++++++++++++++++++---------------- 1 file changed, 94 insertions(+), 70 deletions(-) diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 2a0cb238ab..bb2adf53b4 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -77,7 +77,7 @@ global: # - name: pull-secret-name-2 # ``` # @type: array - imagePullSecrets: [] + imagePullSecrets: [ ] # The name (and tag) of the consul-k8s-control-plane Docker # image that is used for functionality such as catalog sync. @@ -250,7 +250,7 @@ global: # webhooks. # @type: string secretName: null - + # Configuration to the Vault Secret that Kubernetes will use on # Kubernetes CRD creation, deletion, and update, to get CA certificates # used issued from vault to send webhooks to the controller. @@ -264,7 +264,7 @@ global: # Configuration to the Vault Secret that Kubernetes will use on # Kubernetes pod creation, deletion, and update, to get CA certificates # used issued from vault to send webhooks to the ConnectInject. - caCert: + caCert: # The Vault secret path that contains the CA certificate for # Connect Inject webhooks. # @type: string @@ -316,7 +316,7 @@ global: # See https://www.consul.io/docs/agent/config/cli-flags#_recursor for more details. # If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). # @type: array - recursors: [] + recursors: [ ] # Enables TLS (https://learn.hashicorp.com/tutorials/consul/tls-encryption-secure) # across the cluster to verify authenticity of the Consul servers and clients. 
@@ -336,13 +336,13 @@ global: # in the server certificate. This is useful when you need to access the # Consul server(s) externally, for example, if you're using the UI. # @type: array - serverAdditionalDNSSANs: [] + serverAdditionalDNSSANs: [ ] # A list of additional IP addresses to set as Subject Alternative Names (SANs) # in the server certificate. This is useful when you need to access the # Consul server(s) externally, for example, if you're using the UI. # @type: array - serverAdditionalIPSANs: [] + serverAdditionalIPSANs: [ ] # If true, `verify_outgoing`, `verify_server_hostname`, # and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients. @@ -518,7 +518,7 @@ global: # A list of addresses of the primary mesh gateways in the form `:`. # (e.g. ["1.1.1.1:443", "2.3.4.5:443"] # @type: array - primaryGateways: [] + primaryGateways: [ ] # If you are setting `global.federation.enabled` to true and are in a secondary datacenter, # set `k8sAuthMethodHost` to the address of the Kubernetes API server of the secondary datacenter. @@ -910,7 +910,7 @@ server: # with `-config-dir`. This defaults to false. # # @type: array - extraVolumes: [] + extraVolumes: [ ] # A list of sidecar containers. # Example: @@ -923,7 +923,7 @@ server: # - ... # ``` # @type: array - extraContainers: [] + extraContainers: [ ] # This value defines the affinity (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) # for server pods. It defaults to allowing only a single server pod on each node, which @@ -1077,7 +1077,7 @@ server: # feature, in case kubernetes cluster is behind egress http proxies. Additionally, # it could be used to configure custom consul parameters. # @type: map - extraEnvironmentVars: {} + extraEnvironmentVars: { } # [Enterprise Only] Values for setting up and running snapshot agents # (https://consul.io/commands/snapshot/agent) 
@@ -1147,7 +1147,7 @@ externalServers: # should be the same, however, they may be different if you # wish to use separate hosts for the HTTPS connections. # @type: array - hosts: [] + hosts: [ ] # The HTTPS port of the Consul servers. httpsPort: 8501 @@ -1345,7 +1345,7 @@ client: # with `-config-dir`. This defaults to false. # # @type: array - extraVolumes: [] + extraVolumes: [ ] # A list of sidecar containers. # Example: @@ -1358,7 +1358,7 @@ client: # - ... # ``` # @type: array - extraContainers: [] + extraContainers: [ ] # Toleration Settings for Client pods # This should be a multi-line string matching the Toleration array @@ -1436,7 +1436,7 @@ client: # feature, in case kubernetes cluster is behind egress http proxies. Additionally, # it could be used to configure custom consul parameters. # @type: map - extraEnvironmentVars: {} + extraEnvironmentVars: { } # This value defines the Pod DNS policy (https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) # for client pods to use. @@ -1593,7 +1593,7 @@ ui: # ``` # # @type: array - hosts: [] + hosts: [ ] # tls is a list of hosts and secret name in an Ingress # which tells the Ingress controller to secure the channel. @@ -1605,7 +1605,7 @@ ui: # secretName: testsecret-tls # ``` # @type: array - tls: [] + tls: [ ] # Annotations to apply to the UI ingress. # @@ -1695,7 +1695,7 @@ syncCatalog: # # Note: `k8sDenyNamespaces` takes precedence over values defined here. # @type: array - k8sAllowNamespaces: ["*"] + k8sAllowNamespaces: [ "*" ] # List of k8s namespaces that should not have their # services synced. This list takes precedence over `k8sAllowNamespaces`. 
@@ -1705,7 +1705,7 @@ syncCatalog: # `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` # and `namespace2` will be synced. # @type: array - k8sDenyNamespaces: ["kube-system", "kube-public"] + k8sDenyNamespaces: [ "kube-system", "kube-public" ] # [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For # backwards compatibility, if both this and the allow/deny lists are set, @@ -1880,7 +1880,7 @@ syncCatalog: # # @type: string annotations: null - + # Configures the automatic Connect sidecar injector. connectInject: # True if you want to enable connect injection. Set to "-" to inherit from @@ -1919,7 +1919,7 @@ connectInject: # This configures the PodDisruptionBudget (https://kubernetes.io/docs/tasks/run-application/configure-pdb/) # for the service mesh sidecar injector. - disruptionBudget: + disruptionBudget: # This will enable/disable registering a PodDisruptionBudget for the # service mesh sidecar injector. If this is enabled, it will only register the budget so long as # the service mesh is enabled. @@ -1947,7 +1947,7 @@ connectInject: # Log level for the installer and plugin. Overrides global.logLevel # @type: string - logLevel: null + logLevel: null # Location on the kubernetes node where the CNI plugin is installed. Shoud be the absolute path and start with a '/' # Example on GKE: @@ -1973,7 +1973,7 @@ connectInject: # Please refer to the [Multus Quickstart Guide](https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/quickstart.md) # for more information about using multus. # @type: string - multus: false + multus: false # The resource settings for CNI installer daemonset. # @recurse: false 
@@ -2158,7 +2158,7 @@ connectInject: # `namespaceSelector` takes precedence over both since it is applied first. # `kube-system` and `kube-public` are never injected, even if included here. # @type: array - k8sAllowNamespaces: ["*"] + k8sAllowNamespaces: [ "*" ] # List of k8s namespaces that should not allow Connect # sidecar injection. This list takes precedence over `k8sAllowNamespaces`. @@ -2171,7 +2171,7 @@ connectInject: # Note: `namespaceSelector` takes precedence over this since it is applied first. # `kube-system` and `kube-public` are never injected. # @type: array - k8sDenyNamespaces: [] + k8sDenyNamespaces: [ ] # [Enterprise Only] These settings manage the connect injector's interaction with # Consul namespaces (requires consul-ent v1.7+). @@ -2312,7 +2312,7 @@ meshGateway: enabled: false # Number of replicas for the Deployment. - replicas: 2 + replicas: 1 # What gets registered as WAN address for the gateway. wanAddress: 
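Review bot: Lowering `meshGateway.replicas` to 1 in the last hunk on this line makes the default mesh gateway a single pod, so one pod restart or node drain interrupts whatever traffic depends on it, while the comment above still reads only `# Number of replicas for the Deployment.`. I would extend it to `# Number of replicas for the Deployment. The default of 1 provides no redundancy; set 2 or more together with an anti-affinity rule for production.` The same applies to `ingressGateways.defaults.replicas` and `terminatingGateways.defaults.replicas` in the later hunks. Installs that never pinned these values would presumably drop from two gateway pods to one on their next chart upgrade, which deserves a changelog or upgrade-notes entry. The `meshGateway` block continues outside the hunk.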
@@ -2447,18 +2447,26 @@ meshGateway: memory: "50Mi" cpu: "50m" - # By default, we set an anti-affinity so that two gateway pods won't be - # on the same node. NOTE: Gateways require that Consul client agents are - # also running on the nodes alongside each gateway pod. - affinity: | - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: {{ template "consul.name" . }} - release: "{{ .Release.Name }}" - component: mesh-gateway - topologyKey: kubernetes.io/hostname + # This value defines the affinity (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for mesh gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null # Optional YAML string to specify tolerations. # @type: string @@ -2522,7 +2530,7 @@ ingressGateways: # for a specific gateway. defaults: # Number of replicas for each ingress gateway defined. - replicas: 2 + replicas: 1 # The service options configure the Service that fronts the gateway Deployment. service: @@ -2540,10 +2548,10 @@ ingressGateways: # @default: [{port: 8080, port: 8443}] # @recurse: false ports: - - port: 8080 - nodePort: null - - port: 8443 - nodePort: null + - port: 8080 + nodePort: null + - port: 8443 + nodePort: null # Annotations to apply to the ingress gateway service. Annotations defined # here will be applied to all ingress gateway services in addition to any 
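Review bot: The new `affinity` comment in the first hunk on this line offers the example as a mode that "minimizes risk of the cluster becoming unusable if a node is lost", but with `replicas` now defaulting to 1 the anti-affinity rule alone gives no redundancy, and the comment never says so. I would add `# Anti-affinity only helps when replicas is 2 or more; with a required rule, replicas beyond the number of schedulable nodes stay Pending.` just before the example. The rewrite also drops the earlier note that gateways need Consul client agents running on the same nodes; if that requirement still holds, it should be kept. The identical comment blocks for the ingress and terminating gateways in the later hunks need the same additions. The `meshGateway` block starts and ends outside the hunk.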
@@ -2586,18 +2594,26 @@ ingressGateways: memory: "100Mi" cpu: "100m" - # By default, we set an anti-affinity so that two of the same gateway pods - # won't be on the same node. NOTE: Gateways require that Consul client agents are - # also running on the nodes alongside each gateway pod. - affinity: | - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: {{ template "consul.name" . }} - release: "{{ .Release.Name }}" - component: ingress-gateway - topologyKey: kubernetes.io/hostname + # This value defines the affinity (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for ingress gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null # Optional YAML string to specify tolerations. # @type: string @@ -2659,7 +2675,7 @@ ingressGateways: # case of annotations where both will be applied. # @type: array gateways: - - name: ingress-gateway + - name: ingress-gateway # Configuration options for terminating gateways. Default values for all # terminating gateways are defined in `terminatingGateways.defaults`. Any of @@ -2680,7 +2696,7 @@ terminatingGateways: # for a specific gateway. defaults: # Number of replicas for each terminating gateway defined. - replicas: 2 + replicas: 1 # A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig//`. # 
@@ -2695,7 +2711,7 @@ terminatingGateways: # path: path # secret will now mount to /consul/userconfig/my-secret/path # ``` # @type: array - extraVolumes: [] + extraVolumes: [ ] # Resource limits for all terminating gateway pods # @recurse: false @@ -2708,18 +2724,26 @@ terminatingGateways: memory: "100Mi" cpu: "100m" - # By default, we set an anti-affinity so that two of the same gateway pods - # won't be on the same node. NOTE: Gateways require that Consul client agents are - # also running on the nodes alongside each gateway pod. - affinity: | - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: {{ template "consul.name" . }} - release: "{{ .Release.Name }}" - component: terminating-gateway - topologyKey: kubernetes.io/hostname + # This value defines the affinity (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for terminating gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null # Optional YAML string to specify tolerations. # @type: string @@ -2792,7 +2816,7 @@ terminatingGateways: # case of annotations where both will be applied. # @type: array gateways: - - name: terminating-gateway + - name: terminating-gateway # Configuration settings for the Consul API Gateway integration apiGateway: