hashicorp/consul-helm v0.32.0-beta1

on GitHub

IMPROVEMENTS:

• Specify kubeVersion in Chart.yaml to denote that this chart is compatible with Kubernetes 1.16+. [GH-883]
• CRDs: update the CRD versions from v1beta1 to v1. [GH-883]
• Enterprise: support applying Consul Enterprise license when security context defaults to non-root users. [GH-880]
• Sync Catalog: add new syncCatalog.extraLabels Helm value for configuring labels on sync catalog pods. [GH-892]
• Connect: Support high availability of the connect-inject deployment. [GH-903]

BREAKING CHANGES:

• Minimum Kubernetes versions supported is 1.16+. [GH-883]

• Connect: The Helm values for health checks and cleanup controller have been removed: connectInject.healthChecks and connectInject.cleanupController, as these controllers have been replaced by the endpoints controller. [GH-899]

• Connect: connect webhook deployment now uses webhook-cert-manager to bootstrap the webhook certificates instead of generating them inside of the webhook. [GH-861]

• Connect: Kubernetes Services are now required for all connect injected applications.
  The Kubernetes service name will be used as the service name to register with Consul unless the annotation consul.hashicorp.com/connect-service is provided to the pod to override this.
  If using ACLs the ServiceAccountName must match the service name used with Consul.

  Example Service:

  ---
  apiVersion: v1
  kind: Service
  metadata:
    name: sample-app
  spec:
    selector:
      app: sample-app
    ports:
    - port: 80
      targetPort: 9090
  ---
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    labels:
      app: sample-app
    name: sample-app
  spec:
    replicas: 1
    selector:
      matchLabels:
        app: sample-app
    template:
      metadata:
        annotations:
          'consul.hashicorp.com/connect-inject': 'true'
        labels:
          app: sample-app
      spec:
        containers:
        - name: sample-app
          image: sample-app:0.1.0
          ports:
          - containerPort: 9090

  Note: if you're already using a Kubernetes service, no changes are required.

• Connect: -enable-health-checks-controller, -health-checks-reconcile-period, -cleanup-controller-reconcile-period have been removed
  and are no longer supported as the controllers have been replaced by the endpoints controller. [GH-892]

• Connect: Support transparent proxy. [GH-905]
  This feature allows users to reach other services on the Consul Service Mesh by using KubeDNS instead of using localhost
  and enforces all inbound and outbound traffic within a pod to go through the Envoy proxy.
  Please see Transparent Proxy docs for more information.

  Note: This feature is currently in beta and requires consul-k8s v0.26.0-beta1 or higher.

  Transparent proxy is enabled by default for all Consul service mesh application. You can disable it for the
  entire Helm installation by setting:

  connectInject:
    transparentProxy:
      defaultEnabled: false

  Alternatively, you can enable or disable it for each individual application by using
  the consul.hashicorp.com/transparent-proxy pod annotation:

  ...
  metadata:
    name: example
    labels:
      app: example
    annotations:
      "consul.hashicorp.com/transparent-proxy": "true"
  ...

BUG FIXES:

• Add startup probe to connect-inject deployment to give time for certificates to be available.
  Previously, the deployment could be killed by Kubernetes and crash loop because certificates would take a couple
  of seconds. [GH-885]