Deploys a Consul cluster on a Kubernetes cluster running on any cloud provider. This module makes use of the official HashiCorp Helm Chart.
For more information regarding Consul's integration with Kubernetes, see the documentation.
This module is published on Terraform Registry.
You will need to have the following resources available:
- A Kubernetes cluster, managed by your cloud provider, or not
- Helm with Tiller running on the Cluster or you can opt to run Tiller locally
You will need to have the following configured on your machine:
- Credentials for your Cloud Provider
- Credentials for Kubernetes configured for `kubectl`
The Consul servers are deployed with persistent volumes in a `StatefulSet`.
If you are running your own cluster in your cloud provider, you will have to define your own set of storage classes.
If you are using your cloud provider's managed Kubernetes service, such as GKE or EKS, the provider will already have defined its own default storage classes.
You can use the `kubernetes_storage_class` Terraform resource to create a new `StorageClass`.
You might want to refer to HashiCorp's guide and summary on considering the resources needed for your Consul servers.
You can configure Consul to act as the DNS resolver for `.consul` domains. By default, this module does not attempt to do so manually because there is no good way to append to any existing `kube-dns` or `CoreDNS` configuration. If you would like to do so, you can set the `configure_kube_dns` variable to `true` to overwrite any existing `kube-dns` configuration.
If you get the error:

```
1 error(s) occurred:
* module.consul.kubernetes_config_map.consul_dns: 1 error(s) occurred:
* kubernetes_config_map.consul_dns: configmaps "kube-dns" already exists
```

you have an existing `kube-dns` configuration. Use `kubectl describe configMap -n kube-system kube-dns` to see the existing configuration. You can append to it using the documentation here.
Alternatively, if the configuration is empty, you can delete it with `kubectl delete configMap -n kube-system kube-dns`, set variable `configure_kube_dns` to `true` and let this module manage the configuration.
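The decision described above (empty ConfigMap, or one whose entries must be kept) can be checked before anything is deleted or overwritten. The following is an added example, not part of this module: it reads the existing `kube-dns` ConfigMap and either reports it as empty, or returns its `data` with a `consul` stub domain merged in and every other key preserved. The function name, the sample ConfigMap and the IP addresses are constructed for illustration; the Consul DNS address would come from the module's `kube_dns_service_cluster_ip` output.

```python
"""Added example: plan a change to an existing kube-dns ConfigMap."""
import json
import sys

# Constructed sample of `kubectl get configmap kube-dns -n kube-system -o json`.
SAMPLE_CONFIGMAP = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "kube-dns", "namespace": "kube-system"},
    "data": {
        "upstreamNameservers": '["192.0.2.53"]',
        "stubDomains": '{"corp.example": ["192.0.2.10"]}',
    },
}


def plan_kube_dns_change(configmap, consul_dns_ip, domain="consul"):
    """Return (action, data) for an existing kube-dns ConfigMap.

    action is one of:
      "empty"    - no data; safe to delete and let the module manage it
      "present"  - the stub domain already points at consul_dns_ip
      "conflict" - the stub domain exists but points somewhere else
      "merge"    - data has the stub domain added, other keys untouched
    """
    data = dict(configmap.get("data") or {})
    if not data:
        return "empty", {}

    # kube-dns stores stubDomains as a JSON object inside a string value.
    raw = (data.get("stubDomains") or "").strip()
    stubs = json.loads(raw) if raw else {}
    if not isinstance(stubs, dict):
        raise ValueError("stubDomains must be a JSON object")

    current = stubs.get(domain)
    if current == [consul_dns_ip]:
        return "present", data
    if current is not None:
        # Never silently repoint an existing resolver for the domain.
        return "conflict", data

    stubs[domain] = [consul_dns_ip]
    data["stubDomains"] = json.dumps(stubs, indent=2, sort_keys=True)
    return "merge", data


if __name__ == "__main__":
    # kubectl get configmap kube-dns -n kube-system -o json | python3 this_file.py <consul-dns-ip>
    action, data = plan_kube_dns_change(json.load(sys.stdin), sys.argv[1])
    print(action)
    print(json.dumps({"data": data}, indent=2))
```

Only the `empty` result matches the case where the text above suggests deleting the ConfigMap and setting `configure_kube_dns` to `true`; for `merge` and `conflict`, overwriting would drop or repoint resolvers that are already in use.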
You can configure Consul to act as the DNS resolver for `.consul` domains. By default, this module does not attempt to do so manually because there is no good way to append to any existing `kube-dns` or `CoreDNS` configuration. If you would like to do so, you can set the `configure_kube_dns` variable to `true` to overwrite any existing `CoreDNS` configuration.
However, you should probably get any existing `CoreDNS` settings and set them in the `core_dns_base` variable.
You can do so by running `kubectl get configmap/coredns -n kube-system -o yaml`.
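Carrying the existing CoreDNS settings over, as recommended above, means turning the current Corefile into a Terraform template with a Consul server block appended. The following is an added example, not part of this module: it refuses to proceed if the Corefile already has a server block for the domain, escapes any Terraform template sequences in the existing text, and appends a block in the shape of the `core_dns_template` default listed in the inputs table below (which also lists a `configure_core_dns` input). The function names and the sample Corefile are constructed, and the Corefile parser is a simplification that assumes each opening brace is the last token on its line.

```python
"""Added example: build a CoreDNS template that keeps the existing Corefile."""
import sys

# Consul server block shaped like the module's default core_dns_template;
# ${consul_dns_address} is left in place for Terraform to interpolate.
CONSUL_BLOCK = (
    "{domain} {{\n  errors\n  cache 30\n"
    "  forward . ${{consul_dns_address}}\n}}\n"
)

# Constructed sample of an existing Corefile.
SAMPLE_COREFILE = """\
.:53 {
    errors
    health
    kubernetes cluster.local in-addr.arpa ip6.arpa {
        pods insecure
        fallthrough in-addr.arpa ip6.arpa
    }
    forward . /etc/resolv.conf
    cache 30
}
"""


def server_block_zones(corefile):
    """Return the zone of every top-level server block in a Corefile."""
    zones, depth = [], 0
    for line in corefile.splitlines():
        tokens = line.split("#", 1)[0].split()  # drop comments
        if depth == 0 and tokens and tokens[-1] == "{":
            for key in tokens[:-1]:
                host = key.split("://", 1)[-1]       # drop a scheme prefix
                if ":" in host:
                    host = host.rsplit(":", 1)[0]    # drop a :port suffix
                zones.append(host.rstrip(".").lower() or ".")
        depth += tokens.count("{") - tokens.count("}")
    if depth != 0:
        raise ValueError("unbalanced braces in Corefile")
    return zones


def build_core_dns_template(existing_corefile, domain="consul"):
    """Return the existing Corefile plus a Consul block, as a Terraform template."""
    if domain in server_block_zones(existing_corefile):
        raise ValueError(
            f"Corefile already has a server block for '{domain}'; review it by hand"
        )
    # Escape Terraform template sequences so the existing text stays literal.
    escaped = existing_corefile.replace("${", "$${").replace("%{", "%%{")
    return escaped.rstrip("\n") + "\n\n" + CONSUL_BLOCK.format(domain=domain)


if __name__ == "__main__":
    # kubectl get configmap/coredns -n kube-system -o jsonpath='{.data.Corefile}' | python3 this_file.py
    print(build_core_dns_template(sys.stdin.read()), end="")
```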
Name | Version |
---|---|
terraform | >= 0.15 |
helm | >= 2.0 |
Name | Version |
---|---|
helm | >= 2.0 |
kubernetes | n/a |
null | n/a |
template | n/a |
Name | Source | Version |
---|---|---|
esm | ./modules/esm | |
prometheus_exporter | ./modules/prometheus_exporter | |
Name | Type |
---|---|
helm_release.consul | resource |
kubernetes_config_map.consul_core_dns | resource |
kubernetes_config_map.consul_kube_dns | resource |
kubernetes_secret.secrets | resource |
null_resource.consul_values | resource |
kubernetes_service.consul_dns | data source |
template_file.consul_core_dns | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
acl_bootstrap_token | Use an existing bootstrap token and the consul-k8s will not bootstrap anything | object({ | { | no |
additional_chart_values | Additional values for the Consul Helm Chart in YAML | list(string) | [] | no |
agent_metrics_retention_time | Configures the retention time for metrics in Consul clients and servers. This must be greater than 0 for Consul clients and servers to expose any metrics at all. | string | "1m" | no |
chart_name | Helm chart name to provision | string | "consul" | no |
chart_namespace | Namespace to install the chart into | string | "default" | no |
chart_repository | Helm repository for the chart | string | "https://helm.releases.hashicorp.com" | no |
chart_timeout | Timeout to wait for the Chart to be deployed. The chart waits for all Daemonset pods to be healthy before ending. Increase this for larger clusters to avoid timeout | number | 1800 | no |
chart_version | Version of Chart to install. Set to empty to install the latest version | string | "0.36.0" | no |
client_affinity | Affinity settings for Client pods, formatted as a multi-line YAML string. | any | null | no |
client_annotations | A YAML string for client pods | string | "" | no |
client_enabled | Enable running Consul client agents on every Kubernetes node | string | "-" | no |
client_extra_config | Additional configuration to include for client agents | map | {} | no |
client_extra_volumes | List of map of extra volumes specification. See https://www.consul.io/docs/platform/k8s/helm.html#v-client-extravolumes for the keys | list | [] | no |
client_grpc | Enable GRPC port for clients. Required for Connect Inject | bool | true | no |
client_labels | Additional labels for client pods | map | {} | no |
client_priority_class | Priority class for clients | string | "" | no |
client_resources | Resources for clients | map | { | no |
client_security_context | Pod security context for client pods | map | { | no |
client_service_account_annotations | YAML string for annotations for client service account | string | "" | no |
client_tolerations | A YAML string that can be templated via helm specifying the tolerations for client pods | string | "" | no |
configure_core_dns | Configure core-dns and OVERWRITE it to resolve .consul domains with Consul DNS | bool | false | no |
configure_kube_dns | Configure kube-dns and OVERWRITE it to resolve .consul domains with Consul DNS | bool | false | no |
connect_enable | Enable consul connect. When enabled, the bootstrap will configure a default CA which can be tweaked using the Consul API later | bool | false | no |
connect_inject_acl_binding_rule_selector | Query that defines which Service Accounts can authenticate to Consul and receive an ACL token during Connect injection. The default setting, i.e. serviceaccount.name!=default, prevents the 'default' Service Account from logging in. If set to an empty string all service accounts can log in. This only has effect if ACLs are enabled. See https://www.consul.io/docs/acl/acl-auth-methods.html#binding-rules and https://www.consul.io/docs/acl/auth-methods/kubernetes.html#trusted-identity-attributes for more details. | string | "serviceaccount.name!=default" | no |
connect_inject_acl_token | Secret containing ACL token if ACL is enabled and manage_system_acls is not enabled | object({ | { | no |
connect_inject_affinity | Template string for Connect Inject Affinity | string | "" | no |
connect_inject_allowed_namespaces | List of allowed namespaces to inject. | list | [ | no |
connect_inject_by_default | If true, the injector will inject the Connect sidecar into all pods by default. Otherwise, pods must specify the injection annotation to opt-in to Connect injection. If this is true, pods can use the same annotation to explicitly opt-out of injection. | bool | false | no |
connect_inject_default_enable_merging | Configures the Consul sidecar to run a merged metrics server to combine and serve both Envoy and Connect service metrics. This feature is available only in Consul v1.10-alpha or greater. | bool | false | no |
connect_inject_default_merged_metrics_port | Configures the port at which the Consul sidecar will listen on to return combined metrics. This port only needs to be changed if it conflicts with the application's ports. | number | 20100 | no |
connect_inject_default_prometheus_scrape_path | Configures the path Prometheus will scrape metrics from, by configuring the pod annotation prometheus.io/path and the corresponding handler in the Envoy sidecar. NOTE: This is not the path that your application exposes metrics on. That can be configured with the consul.hashicorp.com/service-metrics-path annotation. | string | "/metrics" | no |
connect_inject_default_prometheus_scrape_port | Configures the port Prometheus will scrape metrics from, by configuring the Pod annotation prometheus.io/port and the corresponding listener in the Envoy sidecar. NOTE: This is not the port that your application exposes metrics on. That can be configured with the consul.hashicorp.com/service-metrics-port annotation. | number | 20200 | no |
connect_inject_denied_namespaces | List of denied namespaces to inject. | list | [] | no |
connect_inject_failure_policy | Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline. Once the webhook is back online the pod will be scheduled. In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running which can lead to hangs. In these environments it is recommended to use "Ignore" instead. This setting can be safely disabled by setting to "Ignore". | string | "Fail" | no |
connect_inject_init_resources | Resource settings for the Connect injected init container. | map | { | no |
connect_inject_log_level | Log verbosity level. One of debug, info, warn, or error. | string | "" | no |
connect_inject_metrics_default_enabled | If true, the connect-injector will automatically add prometheus annotations to connect-injected pods. It will also add a listener on the Envoy sidecar to expose metrics. The exposed metrics will depend on whether metrics merging is enabled: - If metrics merging is enabled: the Consul sidecar will run a merged metrics server combining Envoy sidecar and Connect service metrics, i.e. if your service exposes its own Prometheus metrics. - If metrics merging is disabled: the listener will just expose Envoy sidecar metrics. Defaults to var.metrics_enabled | string | "-" | no |
connect_inject_namespace_selector | A YAML string selector for restricting injection to only matching namespaces. By default all namespaces except the system namespace will have injection enabled. | string | "matchExpressions:\n - key: \"kubernetes.io/metadata.name\"\n operator: \"NotIn\"\n values: [\"kube-system\",\"local-path-storage\"]\n" | no |
connect_inject_override_auth_method_name | If you are not using global.acls.manageSystemACLs and instead manually setting up an auth method for Connect inject, set this to the name of your auth method. | string | "" | no |
connect_inject_priority_class | Pod Priority Class for Connect Inject | string | "" | no |
connect_inject_replicas | Number of replicas for Connect Inject deployment | number | 2 | no |
connect_inject_resources | Resources for connect inject pod | map | { | no |
connect_inject_service_account_annotations | YAML string with annotations for the Connect Inject service account | string | "" | no |
connect_inject_sidecar_proxy_resources | Set default resources for sidecar proxy. If null, that resource won't be set. | map | { | no |
connect_inject_tolerations | Template string for Connect Inject Tolerations | string | "" | no |
consul_domain | Top level Consul domain for DNS queries | string | "consul" | no |
consul_image_name | Docker Image of Consul to run | string | "consul" | no |
consul_image_tag | Docker image tag of Consul to run | string | "1.10.4" | no |
consul_k8s_image | Docker image of the consul-k8s binary to run | string | "hashicorp/consul-k8s-control-plane" | no |
consul_k8s_tag | Image tag of the consul-k8s binary to run | string | "0.36.0" | no |
consul_raw_values | Create a null_resource with the raw values passed in to render the YAML values file. Useful for observing diffs. | bool | true | no |
consul_recursors | A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. | list(string) | [] | no |
consul_sidecar_container_resources | Resource settings for consul-sidecar containers. The consul sidecar ensures the Consul services are always registered with their local consul clients and is used by the ingress/terminating/mesh gateways as well as with every connect-injected service. | map | { | no |
consul_template_image | Image for Consul Template | string | "hashicorp/consul-template:0.26.0" | no |
controller_acl_token | Secret containing ACL token if ACL is enabled and manage_system_acls is not enabled | object({ | { | no |
controller_enable | Enable Consul Configuration Entries CRD Controller | bool | false | no |
controller_log_level | CRD Controller Log level. | string | "" | no |
controller_node_affinity | YAML string for Controller affinity | any | null | no |
controller_node_selector | YAML string for Controller Node Selector | any | null | no |
controller_node_tolerations | YAML string for Controller tolerations | any | null | no |
controller_priority_class | Priority class for Controller pods | string | "" | no |
controller_replicas | Number of replicas for the CRD controller | number | 1 | no |
controller_resources | CRD Controller resources | map | { | no |
controller_service_account_annotations | YAML string with annotations for CRD Controller service account | string | "" | no |
core_dns_labels | Labels for CoreDNS ConfigMap | map | { | no |
core_dns_template | Template for CoreDNS CoreFile configuration. Use Terraform string interpolation format with the variable consul_dns_address for Consul DNS endpoint. See Default for an example | string | ".:53 {\n errors\n health\n kubernetes cluster.local in-addr.arpa ip6.arpa {\n pods insecure\n fallthrough in-addr.arpa ip6.arpa\n }\n prometheus :9153\n forward . /etc/resolv.conf\n cache 30\n loop\n reload\n loadbalance\n}\n\nconsul {\n errors\n cache 30\n forward . ${consul_dns_address}\n}\n" | no |
create_replication_token | If true, an ACL token will be created that can be used in secondary datacenters for replication. This should only be set to true in the primary datacenter since the replication token must be created from that datacenter. In secondary datacenters, the secret needs to be imported from the primary datacenter | bool | false | no |
enable_agent_metrics | Configures consul agent metrics. | bool | false | no |
enable_connect_inject | Enable Connect Injector process | bool | false | no |
enable_esm | Enable Consul ESM deployment | bool | false | no |
enable_exporter | Enable Consul Exporter deployment | bool | false | no |
enable_gateway_metrics | If true, mesh, terminating, and ingress gateways will expose their Envoy metrics on port 20200 at the /metrics path and all gateway pods will have Prometheus scrape annotations. | bool | true | no |
enable_sync_catalog | Enable Service catalog sync: https://www.consul.io/docs/platform/k8s/service-sync.html | bool | true | no |
enable_ui | Enable Consul UI | bool | false | no |
envoy_extra_args | Pass arguments to the injected envoy sidecar. Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli | any | null | no |
esm_affinity | Affinity for ESM | any | {} | no |
esm_chart_name | Name of the ESM Chart | string | "consul-esm" | no |
esm_chart_repository | ESM Chart repository | string | "https://basisai.github.io/charts/" | no |
esm_chart_version | ESM Chart version | string | "0.3.1" | no |
esm_container_security_context | securityContext for ESM containers | any | {} | no |
esm_env | Environment variables for Consul ESM | any | [] | no |
esm_external_node_meta | The node metadata values used for the ESM to qualify a node in the catalog as an "external node". | map(string) | { | no |
esm_http_addr | HTTP address of the local Consul agent | string | "" | no |
esm_image | Docker image for ESM | string | "hashicorp/consul-esm" | no |
esm_init_container_set_sysctl | Enable setting sysctl settings via a privileged container to allow pings | bool | false | no |
esm_kv_path | The directory in the Consul KV store to use for storing ESM runtime data. | string | "consul-esm/" | no |
esm_log_level | Log level for ESM | string | "INFO" | no |
esm_node_agent_port | Override port for Consul agent Daemonset | number | null | no |
esm_node_probe_interval | The interval to ping and update coordinates for external nodes that have 'external-probe' set to true. By default, ESM will attempt to ping and update the coordinates for all nodes it is watching every 10 seconds. | string | "10s" | no |
esm_node_reconnect_timeout | The length of time to wait before reaping an external node due to failed pings. | string | "72h" | no |
esm_ping_type | The method to use for pinging external nodes. | string | "udp" | no |
esm_pod_annotations | Annotations for Consul ESM Pods | map(string) | {} | no |
esm_pod_security_context | securityContext for ESM pods | any | {} | no |
esm_release_name | Name of the ESM Chart Release | string | "consul-esm" | no |
esm_replica | Number of ESM replicas | number | 3 | no |
esm_resources | Resources for ESM | any | { | no |
esm_server_address | Override Consul Server address for TLS when using Auto Encrypt | string | null | no |
esm_server_port | Override Consul Server port for TLS when using Auto Encrypt | number | null | no |
esm_service_name | ESM service name in Consul | string | "consul-esm" | no |
esm_service_tag | Service tag for ESM | string | "" | no |
esm_tag | Docker Image tag for ESM | string | "0.6.0" | no |
esm_tolerations | Toleration for ESM | any | [] | no |
esm_use_node_agent | Use Consul agent Daemonset | bool | true | no |
exporter_affinity | Affinity for Consul Exporter | map | {} | no |
exporter_chart_name | Name of the Consul Exporter Chart | string | "prometheus-consul-exporter" | no |
exporter_chart_repository | Consul Exporter Chart repository | string | "https://prometheus-community.github.io/helm-charts" | no |
exporter_chart_version | Consul Exporter Chart version | string | "0.4.0" | no |
exporter_env | Additional Environment Variables for Exporter | list | [] | no |
exporter_extra_containers | Extra Containers | list | [] | no |
exporter_extra_volume_mounts | Extra volume mounts for Exporter | list | [] | no |
exporter_extra_volumes | Extra volumes for Exporter | list | [] | no |
exporter_image | Docker image for Consul Exporter | string | "prom/consul-exporter" | no |
exporter_init_containers | Extra Init Containers | list | [] | no |
exporter_options | Arguments for Exporter. See https://github.com/prometheus/consul_exporter#flags | map | {} | no |
exporter_pod_annotations | Annotations for Exporter Pods | map(string) | {} | no |
exporter_psp | Create PSP resources for Exporter | bool | true | no |
exporter_rbac_enabled | Create RBAC resources for Exporter | bool | true | no |
exporter_release_name | Name of the Consul Exporter Chart Release | string | "consul-exporter" | no |
exporter_replica | Number of Consul Exporter replicas | number | 1 | no |
exporter_resources | Resources for Consul Exporter | map | { | no |
exporter_service_annotations | Consul Exporter service's annotations | map | {} | no |
exporter_service_monitor | Create a ServiceMonitor to configure scraping | bool | false | no |
exporter_tag | Docker Image tag for Consul Exporter | string | "v0.7.1" | no |
exporter_tolerations | Tolerations for Consul Exporter | list | [] | no |
fullname_override | Fullname Override of Helm resources | string | "" | no |
gossip_encryption_key | 32 Bytes Base64 Encoded Consul Gossip Encryption Key. Set to null to disable | any | null | no |
image_envoy | Image and tag for Envoy Docker image to use for sidecar proxies, mesh, terminating and ingress gateways | string | "envoyproxy/envoy-alpine:v1.18.4" | no |
log_json_enable | Enable all component logs to be output in JSON format | bool | false | no |
manage_system_acls | Manage ACL Tokens for Consul and consul-k8s components | bool | false | no |
max_history | Max History for Helm | number | 20 | no |
metrics_enabled | Configures the Helm chart’s components to expose Prometheus metrics for the Consul service mesh. | bool | false | no |
name | Sets the prefix used for all resources in the helm chart. If not set, the prefix will be "-consul". | any | null | no |
pod_security_policy_enable | Create PodSecurityPolicy Resources | bool | true | no |
release_name | Helm release name for Consul | string | "consul" | no |
replication_token | A secret containing the replication ACL token. | object({ | { | no |
secret_annotation | Annotations for the Consul Secret | map | {} | no |
secret_name | Name of the secret for Consul | string | "consul" | no |
server_affinity | A YAML string that can be templated via helm specifying the affinity for server pods | string | "podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n app: {{ template \"consul.name\" . }}\n release: \"{{ .Release.Name }}\"\n component: server\n topologyKey: kubernetes.io/hostname\n" | no |
server_annotations | A YAML string for server pods | string | "" | no |
server_datacenter | Datacenter to configure Consul as. | any | n/a | yes |
server_extra_config | Additional configuration to include for servers in JSON/HCL | map | {} | no |
server_extra_volumes | List of map of extra volumes specification for server pods. See https://www.consul.io/docs/platform/k8s/helm.html#v-server-extravolumes for the keys | list | [] | no |
server_priority_class | Priority class for servers | string | "" | no |
server_replicas | Number of server replicas to run | number | 5 | no |
server_resources | Resources for server | map | { | no |
server_security_context | Security context for server pods | map | { | no |
server_service_account_annotations | YAML string for annotations for server service account | string | "" | no |
server_storage | This defines the disk size for configuring the servers' StatefulSet storage. For dynamically provisioned storage classes, this is the desired size. For manually defined persistent volumes, this should be set to the disk size of the attached volume. | string | "10Gi" | no |
server_storage_class | The StorageClass to use for the servers' StatefulSet storage. It must be able to be dynamically provisioned if you want the storage to be automatically created. For example, to use Local storage classes, the PersistentVolumeClaims would need to be manually created. An empty value will use the Kubernetes cluster's default StorageClass. | string | "" | no |
server_tolerations | A YAML string that can be templated via helm specifying the tolerations for server pods | string | "" | no |
server_topology_spread_constraints | YAML string for topology spread constraints for server pods | string | "" | no |
server_update_partition | This value is used to carefully control a rolling update of Consul server agents. This value specifies the partition (https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) for performing a rolling update. Please read the linked Kubernetes documentation and https://www.consul.io/docs/k8s/upgrade#upgrading-consul-servers for more information. | number | 0 | no |
sync_acl_token | Secret containing ACL token if ACL is enabled and manage_system_acls is not enabled | object({ | { | no |
sync_add_k8s_namespace_suffix | Appends Kubernetes namespace suffix to each service name synced to Consul, separated by a dash. | bool | true | no |
sync_affinity | YAML template string for Sync Catalog affinity | string | "" | no |
sync_by_default | If true, all valid services in K8S are synced by default. If false, the service must be annotated properly to sync. In either case an annotation can override the default. | bool | true | no |
sync_cluster_ip_services | If true, will sync Kubernetes ClusterIP services to Consul. This can be disabled to have the sync ignore ClusterIP-type services. | bool | true | no |
sync_k8s_prefix | A prefix to prepend to all services registered in Kubernetes from Consul. This defaults to '' where no prefix is prepended; Consul services are synced with the same name to Kubernetes. (Consul -> Kubernetes sync only) | string | "" | no |
sync_k8s_tag | An optional tag that is applied to all of the Kubernetes services that are synced into Consul. If nothing is set, this defaults to 'k8s'. (Kubernetes -> Consul sync only) | string | "k8s" | no |
sync_node_port_type | Configures the type of syncing that happens for NodePort services. The only valid options are: ExternalOnly, InternalOnly, and ExternalFirst. ExternalOnly will only use a node's ExternalIP address for the sync, otherwise the service will not be synced. InternalOnly uses the node's InternalIP address. ExternalFirst will preferentially use the node's ExternalIP address, but if it doesn't exist, it will use the node's InternalIP address instead. | string | "" | no |
sync_priority_class | Priority Class Name for Consul Sync Catalog | string | "" | no |
sync_resources | Sync Catalog resources | map | { | no |
sync_service_account_annotations | YAML string for annotations for sync catalog service account | string | "" | no |
sync_to_consul | If true, will sync Kubernetes services to Consul. This can be disabled to have a one-way sync. | bool | true | no |
sync_to_k8s | If true, will sync Consul services to Kubernetes. This can be disabled to have a one-way sync. | bool | true | no |
sync_tolerations | Template string for Sync Catalog Tolerations | string | "" | no |
terminating_gateway_defaults | Terminating Gateway defaults. You can override any of these fields under terminating_gateways. Annotations are concatenated. Note: You do not have to specify all of the fields to override them. If you omit them, they will fall back to the defaults for the Helm Chart. | map | { | no |
terminating_gateway_enable | Deploy Terminating Gateways | bool | false | no |
terminating_gateways | Gateways is a list of gateway objects. The only required field for each is name, though they can also contain any of the fields in terminating_gateway_defaults. Values defined here override the defaults except in the case of annotations where both will be applied. | list | [ | no |
tls_ca | Self generated CA for Consul Server TLS. Values should be PEM encoded | object({ | null | no |
tls_enable_auto_encrypt | Enable auto encrypt. Uses the connect CA to distribute certificates to clients | bool | false | no |
tls_enabled | Enable TLS for the cluster | bool | false | no |
tls_https_only | If true, Consul will disable the HTTP port on both clients and servers and only accept HTTPS connections. | bool | true | no |
tls_server_additional_dns_sans | List of additional DNS names to set as Subject Alternative Names (SANs) in the server certificate. This is useful when you need to access the Consul server(s) externally, for example, if you're using the UI. | list | [] | no |
tls_server_additional_ip_sans | List of additional IP addresses to set as Subject Alternative Names (SANs) in the server certificate. This is useful when you need to access Consul server(s) externally, for example, if you're using the UI. | list | [] | no |
tls_server_cert_secret | A Kubernetes secret containing a certificate & key for the server agents to use for TLS communication within the Consul cluster. Additional SANs are required. | string | null | no |
tls_verify | If true, 'verify_outgoing', 'verify_server_hostname', and 'verify_incoming_rpc' will be set to true for Consul servers and clients. Set this to false to incrementally roll out TLS on an existing Consul cluster. Note: remember to switch it back to true once the rollout is complete. Please see this guide for more details: https://learn.hashicorp.com/consul/security-networking/certificates | bool | true | no |
transparent_proxy_default_enabled | Enable transparent proxy by default on all connect injected pods | bool | true | no |
transparent_proxy_default_overwrite_probes | Overwrite HTTP probes by default when transparent proxy is in use | bool | true | no |
ui_additional_spec | Additional Spec for the UI service | string | "" | no |
ui_annotations | UI service annotations | string | "" | no |
ui_metrics_base_url | URL of the prometheus server, usually the service URL. | string | "http://prometheus-server" | no |
ui_metrics_enabled | Enable displaying metrics in UI. Defaults to value of var.metrics_enabled | string | "-" | no |
ui_metrics_provider | Provider for metrics. See https://www.consul.io/docs/agent/options#ui_config_metrics_provider | string | "prometheus" | no |
ui_service_type | Type of service for Consul UI | string | "ClusterIP" | no |
Name | Description |
---|---|
kube_dns_service_cluster_ip | Cluster IP of the Consul DNS service |
release | Helm Release Object |