github hashicorp/consul-helm v0.28.0


⚠️ This release defaults the Consul image to 1.9.1, which panics on upgrades
(Issue). We recommend using
Consul-helm 0.29.0+ or updating the Consul image to 1.9.2+. ⚠️

BREAKING CHANGES:

  • Setting server.bootstrapExpect to a value less than server.replicas will now
    give an error. This was a misconfiguration as the servers wouldn't wait
    until the proper number have started before electing a leader. [GH-721]
  • Clients and servers now run as non-root. Users can also configure server.securityContext and client.securityContext
    if they wish to override this behavior. Please see the Helm reference for more information.
    [GH-748]

FEATURES:

  • CRDs: add new CRD IngressGateway for configuring Consul's ingress-gateway config entry. [GH-714]
  • CRDs: add new CRD TerminatingGateway for configuring Consul's terminating-gateway config entry. [GH-715]
  • Enable client agents outside of the K8s cluster to join a consul datacenter
    without the Pod IPs of the consul servers and clients in K8s needing to be
    routable. Adds new helm values server.exposeGossipAndRPCPorts and
    server.ports.serflan.port. To enable external client agents, enable
    server.exposeGossipAndRPCPorts and client.exposeGossipPorts, and set
    server.ports.serflan.port to a port not being used on the host, e.g. 9301.
    The internal IPs of the K8s nodes do need to be routable from the external
    client agent and the external client agent's IP also needs to be routable
    from the K8s nodes.
    [GH-740]
    Note: If you have an existing Consul Helm deployment and would like to upgrade that deployment to use server.exposeGossipAndRPCPorts and client.exposeGossipPorts, the ports won't get configured correctly due to this Kubernetes issue. You will need to run the following patch commands afterwards to correctly configure the ports:
    • For the clients (edit the hostPort and containerPort values to match the client gossip port):
      • kubectl -n consul patch daemonset hashicorp-consul --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/ports/-", "value": {"containerPort": 8301, "hostPort": 8301, "name": "serflan-udp", "protocol": "UDP"}}]'
    • For the servers (edit the hostPort and containerPort values to match the server gossip port):
      • kubectl -n consul patch statefulset hashicorp-consul-server --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/ports/-", "value": {"containerPort": 9301, "hostPort": 9301, "name": "serflan-udp", "protocol": "UDP"}}]'
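
An added example (not part of the release notes or the chart): a Python check that reads a workload manifest in the shape returned by `kubectl get <kind> <name> -o json` and builds the patch command above only when the first container has no UDP entry for the gossip port. The sample manifests are constructed, and the `serflan-tcp` port name in them is an assumption.

```python
import json

def missing_udp_patch(workload, port, name="serflan-udp"):
    """Return the release note's JSON Patch if container 0 has no UDP entry
    for `port`; return None when the UDP port is already configured."""
    containers = workload["spec"]["template"]["spec"]["containers"]
    for p in containers[0].get("ports", []):
        # Kubernetes treats an omitted protocol as TCP.
        if p.get("containerPort") == port and p.get("protocol", "TCP") == "UDP":
            return None
    return [{
        "op": "add",
        "path": "/spec/template/spec/containers/0/ports/-",
        "value": {"containerPort": port, "hostPort": port,
                  "name": name, "protocol": "UDP"},
    }]

def patch_command(namespace, kind, resource, patch):
    """Render the kubectl invocation in the form the release note uses."""
    return "kubectl -n {} patch {} {} --type='json' -p='{}'".format(
        namespace, kind, resource, json.dumps(patch))

def manifest(ports):
    """Constructed stand-in for `kubectl get <kind> <name> -o json` output."""
    return {"spec": {"template": {"spec": {"containers": [{"ports": ports}]}}}}

# Constructed samples: one workload with only the TCP gossip port, one with both.
TCP_ONLY = manifest([
    {"containerPort": 8301, "hostPort": 8301, "name": "serflan-tcp", "protocol": "TCP"},
])
TCP_AND_UDP = manifest([
    {"containerPort": 9301, "hostPort": 9301, "name": "serflan-tcp", "protocol": "TCP"},
    {"containerPort": 9301, "hostPort": 9301, "name": "serflan-udp", "protocol": "UDP"},
])

if __name__ == "__main__":
    for kind, resource, doc, port in [
        ("daemonset", "hashicorp-consul", TCP_ONLY, 8301),
        ("statefulset", "hashicorp-consul-server", TCP_AND_UDP, 9301),
    ]:
        patch = missing_udp_patch(doc, port)
        print(patch_command("consul", kind, resource, patch) if patch
              else "{} {}: UDP {} present".format(kind, resource, port))
```

Running the check again after patching should report the UDP port as present for both the DaemonSet and the StatefulSet.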

IMPROVEMENTS:

  • Updated the default consul-k8s image to hashicorp/consul-k8s:0.22.0.
    This release includes an important bug fix where the lifecycle-sidecar sometimes re-registered the application.
    Please see consul-k8s v0.22.0 release for more info.
  • Updated the default Consul image to hashicorp/consul:1.9.1.
  • Make server.bootstrapExpect optional. If not set, will now default to server.replicas.
    If you're currently setting server.replicas, there is no effect. [GH-721]

BUG FIXES:

  • Fix pod security policy when running mesh gateways in hostNetwork mode. [GH-605]

  • CRDs: (Consul Enterprise only) change ServiceResolver field failover[].namespaces to failover[].namespace.
    This will not affect existing ServiceResolver resources and will only update the documentation for that field.

    If failover[].namespaces was used previously, it was ignored and after this change it will still be ignored.
    If failover[].namespace was used previously, it worked correctly and after this change it will still work correctly. [GH-714]

  • Recreate the Server/Client Pod when the Server/Client ConfigMap is updated via helm upgrade
    by using Server ConfigMap and Client ConfigMap values as hashes on Server StatefulSet and Client DaemonSet annotations respectively.
    This updates the previously hashed values of the extraConfig. [GH-550]

  • Remove unused ports 8302 and 8300 from the client daemonset pods. [GH-737]
