IMPROVEMENTS:
- Specify `kubeVersion` in `Chart.yaml` to denote that this chart is compatible with Kubernetes 1.16+. [GH-883]
- CRDs: update the CRD versions from v1beta1 to v1. [GH-883]
- Enterprise: support applying Consul Enterprise license when security context defaults to non-root users. [GH-880]
- Sync Catalog: add new `syncCatalog.extraLabels` Helm value for configuring labels on sync catalog pods. [GH-892]
- Connect: Support high availability of the connect-inject deployment. [GH-903]
BREAKING CHANGES:
- The minimum supported Kubernetes version is 1.16+. [GH-883]
- Connect: The Helm values for health checks and cleanup controller have been removed: `connectInject.healthChecks` and `connectInject.cleanupController`, as these controllers have been replaced by the endpoints controller. [GH-899]
- Connect: connect webhook deployment now uses `webhook-cert-manager` to bootstrap the webhook certificates instead of generating them inside of the webhook. [GH-861]
- Connect: Kubernetes Services are now required for all connect injected applications.
  The Kubernetes service name will be used as the service name to register with Consul unless the annotation `consul.hashicorp.com/connect-service` is provided to the pod to override this.
  If using ACLs, the ServiceAccountName must match the service name used with Consul.

  Example Service:

  ```yaml
  ---
  apiVersion: v1
  kind: Service
  metadata:
    name: sample-app
  spec:
    selector:
      app: sample-app
    ports:
      - port: 80
        targetPort: 9090
  ---
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    labels:
      app: sample-app
    name: sample-app
  spec:
    replicas: 1
    selector:
      matchLabels:
        app: sample-app
    template:
      metadata:
        annotations:
          'consul.hashicorp.com/connect-inject': 'true'
        labels:
          app: sample-app
      spec:
        containers:
          - name: sample-app
            image: sample-app:0.1.0
            ports:
              - containerPort: 9090
  ```

  Note: if you're already using a Kubernetes service, no changes are required.
- Connect: `-enable-health-checks-controller`, `-health-checks-reconcile-period`, `-cleanup-controller-reconcile-period` have been removed and are no longer supported as the controllers have been replaced by the endpoints controller. [GH-892]
- Connect: Support transparent proxy. [GH-905]
  This feature allows users to reach other services on the Consul Service Mesh by using KubeDNS instead of using `localhost` and enforces all inbound and outbound traffic within a pod to go through the Envoy proxy.
  Please see Transparent Proxy docs for more information.

  Note: This feature is currently in beta and requires consul-k8s `v0.26.0-beta1` or higher.

  Transparent proxy is enabled by default for all Consul service mesh applications. You can disable it for the entire Helm installation by setting:

  ```yaml
  connectInject:
    transparentProxy:
      defaultEnabled: false
  ```

  Alternatively, you can enable or disable it for each individual application by using the `consul.hashicorp.com/transparent-proxy` pod annotation:

  ```yaml
  ...
  metadata:
    name: example
    labels:
      app: example
    annotations:
      "consul.hashicorp.com/transparent-proxy": "true"
  ...
  ```

BUG FIXES:
- Add startup probe to connect-inject deployment to give time for certificates to be available.
  Previously, the deployment could be killed by Kubernetes and crash loop because the certificates would take a couple of seconds to become available. [GH-885]