IMPROVEMENTS:

- Optionally allow enabling TLS for Consul communication [GH-313]. If `global.tls.enabled` is set to `true`, the Helm chart will generate a CA and the necessary certificates and enable TLS for servers, clients, the Connect injector, mesh gateways, catalog sync, ACL bootstrapping, and snapshot agents. Note that this feature is only supported if both servers and clients are running on Kubernetes. We will have better support for other deployment architectures, as well as bringing your own CA, in the future.
  Also note that simply turning on this feature and running `helm upgrade` will result in downtime if you are using the Consul Connect or catalog sync features. We will be adding instructions on how to perform this upgrade without downtime soon. Additionally, if you decide to proceed with an upgrade despite the downtime and you're using Consul Connect, all application pods need to be recreated after the upgrade so that the Connect injector can re-inject Envoy sidecars with TLS enabled.
- Use the latest version of consul-k8s (0.11.0).
- Add the pod name as metadata to client nodes to help users map nodes in Consul to the underlying client pods [GH-315].
- Rename the `enterprise-licence.yaml` template to `enterprise-license-job.yaml` [GH-321].
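To find the application pods that the TLS upgrade note above says must be recreated (injected pods that still predate the `helm upgrade`), here is an added check; it is not part of the chart and assumes the pods carry the injector's `consul.hashicorp.com/connect-inject-status` annotation and a `metadata.creationTimestamp`, as in `kubectl get pods -A -o json`:

```python
"""List Connect-injected pods created before a TLS-enabling helm upgrade.

Added example, not chart code. Assumption: the injector marks pods with the
annotation consul.hashicorp.com/connect-inject-status: injected.
"""
from datetime import datetime, timezone


def _parse_k8s_time(ts):
    # Kubernetes emits RFC 3339 timestamps in UTC with a trailing "Z".
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def pods_needing_restart(pod_list, upgrade_time):
    """Return "namespace/name" for injected pods created before upgrade_time.

    The Envoy sidecar in such a pod was bootstrapped before TLS was enabled
    and will not pick up the new certificates until the pod is recreated.
    """
    stale = []
    for pod in pod_list["items"]:
        meta = pod["metadata"]
        ann = meta.get("annotations", {})
        if ann.get("consul.hashicorp.com/connect-inject-status") != "injected":
            continue  # not a Connect pod: nothing to re-inject
        if _parse_k8s_time(meta["creationTimestamp"]) < upgrade_time:
            stale.append(f'{meta["namespace"]}/{meta["name"]}')
    return sorted(stale)


# Constructed sample resembling `kubectl get pods -A -o json`, trimmed to
# the fields used above.
INJECTED = {"consul.hashicorp.com/connect-inject": "true",
            "consul.hashicorp.com/connect-inject-status": "injected"}
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "default", "name": "web-5f9c",
                  "creationTimestamp": "2020-01-10T09:00:00Z", "annotations": INJECTED}},
    {"metadata": {"namespace": "default", "name": "web-7a1d",
                  "creationTimestamp": "2020-01-10T12:30:00Z", "annotations": INJECTED}},
    {"metadata": {"namespace": "kube-system", "name": "coredns-1",
                  "creationTimestamp": "2019-12-01T00:00:00Z"}},
]}
UPGRADE_TIME = _parse_k8s_time("2020-01-10T12:00:00Z")  # when helm upgrade ran

if __name__ == "__main__":
    for ref in pods_needing_restart(SAMPLE_PODS, UPGRADE_TIME):
        print("needs recreation:", ref)
```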
BUG FIXES:

- Fix graceful termination for servers [GH-313]. The `terminationGracePeriod` is now set to 30 seconds for the servers. The previous setting of 10 seconds wasn't always enough time for a graceful leave, and in those cases servers left the cluster in a "failed" state. Additionally, clients now always set `leave_on_terminate` to `true`. This replaces the `preStop` hook that was calling `consul leave`. Note that `leave_on_terminate` defaults to `true` for clients as of Consul `0.7`, so this change only affects earlier versions.
- The Helm test runner now respects the provided namespace [GH-320].
- Add pod security policies for the `enterprise-license` [GH-325] and the `server-acl-init` jobs [GH-326].