diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..80631cb --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,22 @@ +**Description** + +This PR fixes # + +**Notes for Reviewers** + +**[Signed commits](../CONTRIBUTING.md#signing-off-on-commits-developer-certificate-of-origin)** + +- [ ] Yes, I signed my commits. + + diff --git a/.github/config.yml b/.github/config.yml index 284c498..436b41c 100644 --- a/.github/config.yml +++ b/.github/config.yml @@ -18,7 +18,8 @@ firstPRMergeComment: > Thanks for your contribution to the Layer5 community! :tada: ![Congrats!](https://raw.githubusercontent.com/layer5io/meshery/master/.github/welcome/Layer5-celebration.png) - + +         :star: Please [star the project](../stargazers) if you have yet to do so. #------------------------------------------------------------------------------- diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 62c5e92..c1f093a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,7 +2,7 @@ name: Meshery Consul on: push: branches: - - '*' + - '**' tags: - 'v*' pull_request: diff --git a/consul/config_templates/README.md b/consul/config_templates/README.md new file mode 100644 index 0000000..8627914 --- /dev/null +++ b/consul/config_templates/README.md @@ -0,0 +1,13 @@ +The manifest consul.yaml was generated with Helm 3 using +``` +helm template consul -f consul-values.yaml -n consul hashicorp/consul --version 0.24.1 > consul-new.yaml +``` + +Then, `namespace: consul` was replaced with `namespace: {{.namespace}}` using sed: +``` +sed -E 's/^( +)namespace: +consul *$/\1namespace: {{.namespace}}/g' consul-new.yaml > consul.yaml +``` + +This makes it possible to deploy Consul to the namespace specified in the Meshery UI. + +Note: Helm support in this adapter is planned. \ No newline at end of file 
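Review bot: The `'**'` branch filter in the `.github/workflows/ci.yml` hunk has no comment saying why it replaces `'*'`, so a later reader could revert it as a typo. In GitHub Actions filter patterns `*` does not match `/`, so branches such as `feature/foo` were skipped before; I would add `# '**' also matches branch names that contain '/'` above the entry. The jobs lie outside the hunk, so this part is inferred: since every branch push now runs the workflow, any step that consumes repository secrets (an image publish, for example) should stay gated on the tag or default-branch ref rather than on the push event alone. With `pull_request` also listed, pull requests opened from in-repo branches will likely run the workflow twice.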
diff --git a/consul/config_templates/consul-values.yaml b/consul/config_templates/consul-values.yaml
new file mode 100644
index 0000000..6091b6d
--- /dev/null
+++ b/consul/config_templates/consul-values.yaml
@@ -0,0 +1,1353 @@
+# Available parameters and their default values for the Consul chart.
+
+# global holds values that affect multiple components of the chart.
+global:
+ # enabled is the master enabled/disabled setting.
+ # If true, servers, clients, Consul DNS and the Consul UI will be enabled.
+ # Each component can override this default via its component-specific
+ # "enabled" config.
+ # If false, no components will be installed by default and per-component
+ # opt-in is required, such as by setting `server.enabled` to true.
+ enabled: true
+
+ # name sets the prefix used for all resources in the helm chart.
+ # If not set, the prefix will be "-consul".
+ name: null
+
+ # domain is the domain Consul will answer DNS queries for
+ # (see https://www.consul.io/docs/agent/options.html#_domain) and the domain
+ # services synced from Consul into Kubernetes will have,
+ # e.g. `service-name.service.consul`.
+ domain: consul
+
+ # image is the name (and tag) of the Consul Docker image for clients and
+ # servers. This can be overridden per component.
+ # This should be pinned to a specific version tag, otherwise you may
+ # inadvertently upgrade your Consul version.
+ #
+ # Examples:
+ # # Consul 1.5.0
+ # image: "consul:1.5.0"
+ # # Consul Enterprise 1.5.0
+ # image: "hashicorp/consul-enterprise:1.5.0-ent"
+ image: "consul:1.8.2"
+
+ # array of objects containing image pull secret names that will be applied to
+ # each service account.
+ # This can be used to reference image pull secrets if using
+ # a custom consul or consul-k8s Docker image.
+ # See https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry.
+ #
+ # Example:
+ # imagePullSecrets:
+ # - name: pull-secret-name
+ # - name: pull-secret-name-2
+ imagePullSecrets: []
+
+ # imageK8S is the name (and tag) of the consul-k8s Docker image that
+ # is used for functionality such as catalog sync. This can be overridden
+ # per component.
+ # Note: support for the catalog sync's liveness and readiness probes was added
+ # to consul-k8s 0.6.0. If using an older consul-k8s version, you may need to
+ # remove these checks to make the sync work.
+ # If using acls.manageSystemACLs then must be >= 0.10.1.
+ # If using connect inject then must be >= 0.10.1.
+ # If using Consul Enterprise namespaces, must be >= 0.12.
+ imageK8S: "hashicorp/consul-k8s:0.18.1"
+
+ # imageEnvoy defines the default envoy image to use for ingress and
+ # terminating gateways.
+ imageEnvoy: "envoyproxy/envoy-alpine:v1.14.2"
+
+ # datacenter is the name of the datacenter that the agents should register
+ # as. This can't be changed once the Consul cluster is up and running
+ # since Consul doesn't support an automatic way to change this value
+ # currently: https://github.com/hashicorp/consul/issues/1858.
+ datacenter: dc1
+
+ # enablePodSecurityPolicies controls whether pod
+ # security policies are created for the Consul components created by this
+ # chart. See https://kubernetes.io/docs/concepts/policy/pod-security-policy/.
+ enablePodSecurityPolicies: false
+
+ # gossipEncryption configures which Kubernetes secret to retrieve Consul's
+ # gossip encryption key from (see https://www.consul.io/docs/agent/options.html#_encrypt).
+ # If secretName or secretKey are not set, gossip encryption will not be enabled.
+ # The secret must be in the same namespace that Consul is installed into.
+ #
+ # The secret can be created by running:
+ # kubectl create secret generic consul-gossip-encryption-key \
+ # --from-literal=key=$(consul keygen).
+ #
+ # In this case, secretName would be "consul-gossip-encryption-key" and
+ # secretKey would be "key".
+ gossipEncryption:
+ # secretName is the name of the Kubernetes secret that holds the gossip
+ # encryption key. The secret must be in the same namespace that Consul is installed into.
+ secretName: ""
+ # secretKey is the key within the Kubernetes secret that holds the gossip
+ # encryption key.
+ secretKey: ""
+
+ # Enables TLS encryption across the cluster to verify authenticity of the
+ # servers and clients that connect. Note: It is HIGHLY recommended that you also
+ # enable Gossip encryption.
+ # See https://learn.hashicorp.com/consul/security-networking/agent-encryption
+ #
+ # Note: this relies on functionality introduced with Consul 1.4.1. Make sure
+ # your global.image value is at least version 1.4.1.
+ tls:
+ enabled: false
+
+ # enableAutoEncrypt turns on the auto-encrypt feature on
+ # clients and servers.
+ # It also switches consul-k8s components to retrieve the CA
+ # from the servers via the API.
+ # Requires Consul 1.7.1+ and consul-k8s 0.13.0
+ enableAutoEncrypt: false
+
+ # serverAdditionalDNSSANs is a list of additional DNS names to
+ # set as Subject Alternative Names (SANs) in the server certificate.
+ # This is useful when you need to access the Consul server(s) externally,
+ # for example, if you're using the UI.
+ serverAdditionalDNSSANs: []
+
+ # serverAdditionalIPSANs is a list of additional IP addresses to
+ # set as Subject Alternative Names (SANs) in the server certificate.
+ # This is useful when you need to access Consul server(s) externally,
+ # for example, if you're using the UI.
+ serverAdditionalIPSANs: []
+
+ # If verify is true, 'verify_outgoing', 'verify_server_hostname', and
+ # 'verify_incoming_rpc' will be set to true for Consul servers and clients.
+ # Set this to false to incrementally roll out TLS on an existing Consul cluster.
+ # Note: remember to switch it back to true once the rollout is complete.
+ # Please see this guide for more details:
+ # https://learn.hashicorp.com/consul/security-networking/certificates
+ verify: true
+
+ # If httpsOnly is true, Consul will disable the HTTP port on both
+ # clients and servers and only accept HTTPS connections.
+ httpsOnly: true
+
+ # caCert is a Kubernetes secret containing the certificate
+ # of the CA to use for TLS communication within the Consul cluster.
+ # If you have generated the CA yourself with the consul CLI,
+ # you could use the following command to create the secret in Kubernetes:
+ #
+ # kubectl create secret generic consul-ca-cert \
+ # --from-file='tls.crt=./consul-agent-ca.pem'
+ caCert:
+ secretName: null
+ secretKey: null
+
+ # caKey is a Kubernetes secret containing the private key
+ # of the CA to use for TLS communications within the Consul cluster.
+ # If you have generated the CA yourself with the consul CLI,
+ # you could use the following command to create the secret in Kubernetes:
+ #
+ # kubectl create secret generic consul-ca-key \
+ # --from-file='tls.key=./consul-agent-ca-key.pem'
+ #
+ # Note that we need the CA key so that we can generate server and client certificates.
+ # It is particularly important for the client certificates since they need to have host IPs
+ # as Subject Alternative Names. In the future, we may support bringing your own server
+ # certificates.
+ caKey:
+ secretName: null
+ secretKey: null
+
+ # [Enterprise Only] enableConsulNamespaces indicates that you are running
+ # Consul Enterprise v1.7+ with a valid Consul Enterprise license and would like to
+ # make use of configuration beyond registering everything into the `default` Consul
+ # namespace. Requires consul-k8s v0.12+.
+ # Additional configuration options are found in the `consulNamespaces` section
+ # of both the catalog sync and connect injector.
+ enableConsulNamespaces: false
+
+ # Configure ACLs.
+ acls:
+
+ # If true, the Helm chart will automatically manage ACL tokens and policies
+ # for all Consul and consul-k8s components. This requires Consul >= 1.4 and consul-k8s >= 0.14.0.
+ manageSystemACLs: false + + # bootstrapToken references a Kubernetes secret containing the bootstrap token to use + # for creating policies and tokens for all Consul and consul-k8s components. + # If set, we will skip ACL bootstrapping of the servers and will only initialize + # ACLs for the Consul and consul-k8s system components. + # Requires consul-k8s >= 0.14.0 + bootstrapToken: + secretName: null + secretKey: null + + # If true, an ACL token will be created that can be used in secondary + # datacenters for replication. This should only be set to true in the + # primary datacenter since the replication token must be created from that + # datacenter. + # In secondary datacenters, the secret needs to be imported from the primary + # datacenter and referenced via global.acls.replicationToken. + # Requires consul-k8s >= 0.13.0 + createReplicationToken: false + + # replicationToken references a secret containing the replication ACL token. + # This token will be used by secondary datacenters to perform ACL replication + # and create ACL tokens and policies. + # This value is ignored if bootstrapToken is also set. + # Requires consul-k8s >= 0.13.0 + replicationToken: + secretName: null + secretKey: null + + # Settings related to federating with another Consul datacenter. + federation: + # If enabled, this datacenter will be federation-capable. Only federation + # through mesh gateways is supported. + # Mesh gateways and servers will be configured to allow federation. + # Requires global.tls.enabled, meshGateway.enabled and connectInject.enabled + # to be true. + # Requires Consul 1.8+. + enabled: false + + # If true, the chart will create a Kubernetes secret that can be imported + # into secondary datacenters so they can federate with this datacenter. The + # secret contains all the information secondary datacenters need to contact + # and authenticate with this datacenter. This should only be set to true + # in your primary datacenter. 
The secret name is + # -federation (if setting global.name), otherwise + # -consul-federation. + # Requires consul-k8s 0.15.0+. + createFederationSecret: false + + # Resource settings for lifecycle-sidecar containers. + # The lifecycle sidecar ensures the Consul services are always registered with + # their local consul clients and is used by the ingress/terminating/mesh gateways + # as well as with every connect-injected service. + lifecycleSidecarContainer: + resources: + requests: + memory: "25Mi" + cpu: "20m" + limits: + memory: "50Mi" + cpu: "20m" + +# Server, when enabled, configures a server cluster to run. This should +# be disabled if you plan on connecting to a Consul cluster external to +# the Kube cluster. +server: + enabled: "-" + image: null + replicas: 1 + bootstrapExpect: 1 # Should <= replicas count + + # enterpriseLicense refers to a Kubernetes secret that you have created that + # contains your enterprise license. It is required if you are using an + # enterprise binary. Defining it here applies it to your cluster once a leader + # has been elected. If you are not using an enterprise image + # or if you plan to introduce the license key via another route, then set + # these fields to null. + # Note: the job to apply license runs on both Helm installs and upgrades. + enterpriseLicense: + secretName: null + secretKey: null + + # storage and storageClass are the settings for configuring stateful + # storage for the server pods. storage should be set to the disk size of + # the attached volume. storageClass is the class of storage which defaults + # to null (the Kube cluster will pick the default). + storage: 10Gi + storageClass: null + + # connect will enable Connect on all the servers, initializing a CA + # for Connect-related connections. Other customizations can be done + # via the extraConfig setting. + connect: true + + # Resource settings for Server agents. + # NOTE: The use of a YAML string is deprecated. 
Instead, set directly as a + # YAML map. + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # updatePartition is used to control a careful rolling update of Consul + # servers. This should be done particularly when changing the version + # of Consul. Please refer to the documentation for more information. + updatePartition: 0 + + # disruptionBudget enables the creation of a PodDisruptionBudget to + # prevent voluntary degrading of the Consul server cluster. + disruptionBudget: + enabled: true + + # maxUnavailable will default to (n/2)-1 where n is the number of + # replicas. If you'd like a custom value, you can specify an override here. + maxUnavailable: null + + # extraConfig is a raw string of extra configuration to set with the + # server. This should be JSON. + extraConfig: | + {} + + # extraVolumes is a list of extra volumes to mount. These will be exposed + # to Consul in the path `/consul/userconfig//`. The value below is + # an array of objects, examples are shown below. + extraVolumes: [] + # - type: secret (or "configMap") + # name: my-secret + # load: false # if true, will add to `-config-dir` to load by Consul + # items: # optional items array + # - key: key + # path: path + + # Affinity Settings + # Commenting out or setting as empty the affinity variable, will allow + # deployment to single node services such as Minikube + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + + # Toleration Settings for server pods + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + tolerations: "" + + # nodeSelector labels for server pod assignment, formatted as a multi-line string. 
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # Example: + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + nodeSelector: null + + # used to assign priority to server pods + # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + priorityClassName: "" + + # Extra labels to attach to the server pods. + # This should be a regular YAML map. + # Example: + # extraLabels: + # labelKey: "label-value" + # otherLabelKey: "another-label-value" + extraLabels: null + + # Extra annotations to attach to the server pods. + # This should be a multi-line YAML string. + # Example: + # annotations: | + # "annotation-key": "annotation-value" + annotations: null + + service: + # Annotations to apply to the server service. + # Example: + # annotations: | + # "annotation-key": "annotation-value" + annotations: null + + # extraEnvVars is a list of extra environment variables to set with the stateful set. These could be + # used to include proxy settings required for cloud auto-join feature, + # in case kubernetes cluster is behind egress http proxies. Additionally, it could be used to configure + # custom consul parameters. + extraEnvironmentVars: {} + # http_proxy: http://localhost:3128, + # https_proxy: http://localhost:3128, + # no_proxy: internal.domain.com + + # disableFsGroupSecurityContext disables setting the fsGroup securityContext for the server statefulset, + # this is required when using the OpenShift platform as fsGroup is automatically set to an arbitrary gid. + disableFsGroupSecurityContext : false + +# Configuration for Consul servers when the servers are running outside of Kubernetes. +# When running external servers, configuring these values is recommended +# if setting global.tls.enableAutoEncrypt to true (requires consul-k8s >= 0.13.0) +# or global.acls.manageSystemACLs to true (requires consul-k8s >= 0.14.0). 
+externalServers: + # If true, the Helm chart will be configured to talk to the external servers. + # If setting this to true, you must also set server.enabled to false. + enabled: false + + # An array of external Consul server hosts that are used to make + # HTTPS connections from the components in this Helm chart. + # Valid values include IPs, DNS names, or Cloud auto-join string. + # The port must be provided separately below. + # NOTE: client.join must also be set to the hosts that should be + # used to join the cluster. In most cases the client.join values + # should be the same, however they may be different if you + # wish to use separate hosts for the HTTPS connections. + hosts: [] + + # The HTTPS port of the Consul servers. + httpsPort: 8501 + + # tlsServerName is the server name to use as the SNI + # host header when connecting with HTTPS. + tlsServerName: null + + # If true, the Helm chart will ignore the CA set in + # global.tls.caCert and will rely on the container's + # system CAs for TLS verification when talking to Consul servers. + # Otherwise, the chart will use global.tls.caCert. + useSystemRoots: false + + # If you are setting global.acls.manageSystemACLs and connectInject.enabled to true, + # set k8sAuthMethodHost to the address of the Kubernetes API server. + # This address must to be reachable from the Consul servers. + # Please see https://www.consul.io/docs/acl/auth-methods/kubernetes.html. + # Requires consul-k8s >= 0.14.0. + # + # You could retrieve this value from your kubeconfig by running: + # kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + k8sAuthMethodHost: null + +# Client, when enabled, configures Consul clients to run on every node +# within the Kube cluster. The current deployment model follows a traditional +# DC where a single agent is deployed per node. 
+client: + enabled: "-" + image: null + join: null + + # dataDirectoryHostPath is an absolute path to a directory on the host machine + # to use as the Consul client data directory. + # If set to the empty string or null, the Consul agent will store its data + # in the Pod's local filesystem (which will be lost if the Pod is deleted). + # Security Warning: If setting this, Pod Security Policies *must* be enabled on your cluster + # and in this Helm chart (via the global.enablePodSecurityPolicies setting) + # to prevent other Pods from mounting the same host path and gaining + # access to all of Consul's data. Consul's data is not encrypted at rest. + dataDirectoryHostPath: null + + # If true, Consul's gRPC port will be exposed (see https://www.consul.io/docs/agent/options.html#grpc_port). + # This should be set to true if connectInject or meshGateway is enabled. + grpc: true + + # exposeGossipPorts exposes the clients' gossip ports as hostPorts. + # This is only necessary if pod IPs in the k8s cluster are not directly + # routable and the Consul servers are outside of the k8s cluster. This + # also changes the clients' advertised IP to the hostIP rather than podIP. + exposeGossipPorts: false + + # Resource settings for Client agents. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # extraConfig is a raw string of extra configuration to set with the + # client. This should be JSON. + extraConfig: | + {} + + # extraVolumes is a list of extra volumes to mount. These will be exposed + # to Consul in the path `/consul/userconfig//`. The value below is + # an array of objects, examples are shown below. 
+ extraVolumes: [] + # - type: secret (or "configMap") + # name: my-secret + # load: false # if true, will add to `-config-dir` to load by Consul + + # Toleration Settings for Client pods + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # The example below will allow Client pods to run on every node + # regardless of taints + # tolerations: | + # - operator: "Exists" + tolerations: "" + + # nodeSelector labels for client pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # Example: + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + nodeSelector: null + + # Affinity Settings for Client pods, formatted as a multi-line YAML string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + # Example: + # affinity: | + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: node-role.kubernetes.io/master + # operator: DoesNotExist + affinity: {} + + # used to assign priority to client pods + # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + priorityClassName: "" + + # Extra annotations to attach to the client pods + # Example: + # annotations: | + # "annotation-key": "annotation-value" + annotations: null + + # extraEnvVars is a list of extra environment variables to set with the pod. These could be + # used to include proxy settings required for cloud auto-join feature, + # in case kubernetes cluster is behind egress http proxies. Additionally, it could be used to configure + # custom consul parameters. + extraEnvironmentVars: {} + # http_proxy: http://localhost:3128, + # https_proxy: http://localhost:3128, + # no_proxy: internal.domain.com + + # dnsPolicy to use. 
+ dnsPolicy: null + + # hostNetwork defines whether or not we use host networking instead of hostPort in the event + # that a CNI plugin doesnt support hostPort. This has security implications and is not recommended + # as doing so gives the consul client unnecessary access to all network traffic on the host. + # In most cases, pod network and host network are on different networks so this should be + # combined with `dnsPolicy: ClusterFirstWithHostNet` + hostNetwork: false + + # updateStrategy for the DaemonSet. + # See https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy. + # This should be a multi-line string mapping directly to the updateStrategy + # Example: + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + updateStrategy: null + + # snapshotAgent contains settings for setting up and running snapshot agents + # within the Consul clusters. They are required to be co-located with Consul + # clients, so will inherit the clients' nodeSelector, tolerations and affinity. + # This is an Enterprise feature only. + snapshotAgent: + enabled: false + + # replicas determines how many snapshot agent pods are created + replicas: 2 + + # configSecret references a Kubernetes secret that should be manually created to + # contain the entire config to be used on the snapshot agent. This is the preferred + # method of configuration since there are usually storage credentials present. + # Snapshot agent config details: + # https://www.consul.io/docs/commands/snapshot/agent.html#config-file-options- + # To create a secret: + # https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret-using-kubectl-create-secret + configSecret: + secretName: null + secretKey: null + + # Resource settings for snapshot agent pods. 
+ resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Optional PEM-encoded CA certificate that will be added to the trusted system CAs. + # Useful if using an S3-compatible storage exposing a self-signed certificate. + # Example + # caCert: | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + caCert: null + +# Configuration for DNS configuration within the Kubernetes cluster. +# This creates a service that routes to all agents (client or server) +# for serving DNS requests. This DOES NOT automatically configure kube-dns +# today, so you must still manually configure a `stubDomain` with kube-dns +# for this to have any effect: +# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers +dns: + enabled: "-" + + # Set a predefined cluster IP for the DNS service. + # Useful if you need to reference the DNS service's IP + # address in CoreDNS config. + clusterIP: null + + # Extra annotations to attach to the dns service + # This should be a multi-line string of + # annotations to apply to the dns Service + annotations: null + +ui: + # True if you want to enable the Consul UI. The UI will run only + # on the server nodes. This makes UI access via the service below (if + # enabled) predictable rather than "any node" if you're running Consul + # clients as well. + enabled: true + + # True if you want to create a Service entry for the Consul UI. + # + # serviceType can be used to control the type of service created. For + # example, setting this to "LoadBalancer" will create an external load + # balancer (for supported K8S installations) to access the UI. + service: + enabled: true + type: null + + # Annotations to apply to the UI service. 
+ # Example: + # annotations: | + # "annotation-key": "annotation-value" + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + additionalSpec: null + +# syncCatalog will run the catalog sync process to sync K8S with Consul +# services. This can run bidirectional (default) or unidirectionally (Consul +# to K8S or K8S to Consul only). +# +# This process assumes that a Consul agent is available on the host IP. +# This is done automatically if clients are enabled. If clients are not +# enabled then set the node selection so that it chooses a node with a +# Consul agent. +syncCatalog: + # True if you want to enable the catalog sync. Set to "-" to inherit from + # global.enabled. + enabled: false + image: null + default: true # true will sync by default, otherwise requires annotation + + # toConsul and toK8S control whether syncing is enabled to Consul or K8S + # as a destination. If both of these are disabled, the sync will do nothing. + toConsul: true + toK8S: true + + # k8sPrefix is the service prefix to prepend to services before registering + # with Kubernetes. For example "consul-" will register all services + # prepended with "consul-". (Consul -> Kubernetes sync) + k8sPrefix: null + + # k8sAllowNamespaces is a list of k8s namespaces to sync the k8s services from. + # If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`, + # services in that k8s namespace will not be synced even if they are explicitly + # annotated. Use ["*"] to automatically allow all k8s namespaces. + # + # For example, ["namespace1", "namespace2"] will only allow services in the k8s + # namespaces `namespace1` and `namespace2` to be synced and registered + # with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to []. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here. 
+ # Requires consul-k8s v0.12+ + k8sAllowNamespaces: ["*"] + + # k8sDenyNamespaces is a list of k8s namespaces that should not have their + # services synced. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to sync. + # Requires consul-k8s v0.12+. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1" + # and "namespace2" will be synced. + k8sDenyNamespaces: ["kube-system", "kube-public"] + + # [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For + # backwards compatibility, if both this and the allow/deny lists are set, + # the allow/deny lists will be ignored. + # k8sSourceNamespace is the Kubernetes namespace to watch for service + # changes and sync to Consul. If this is not set then it will default + # to all namespaces. + k8sSourceNamespace: null + + # [Enterprise Only] These settings manage the catalog sync's interaction with + # Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # consulDestinationNamespace is the name of the Consul namespace to register all + # k8s services into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # mirroringK8S causes k8s services to be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. + # `addK8SNamespaceSuffix` may no longer be needed if enabling this option. 
+ mirroringK8S: false + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # service in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # addK8SNamespaceSuffix appends Kubernetes namespace suffix to + # each service name synced to Consul, separated by a dash. + # For example, for a service 'foo' in the default namespace, + # the sync process will create a Consul service named 'foo-default'. + # Set this flag to true to avoid registering services with the same name + # but in different namespaces as instances for the same Consul service. + # Namespace suffix is not added if 'annotationServiceName' is provided. + addK8SNamespaceSuffix: true + + # consulPrefix is the service prefix which prepends itself + # to Kubernetes services registered within Consul + # For example, "k8s-" will register all services prepended with "k8s-". + # (Kubernetes -> Consul sync) + # consulPrefix is ignored when 'annotationServiceName' is provided. + # NOTE: Updating this property to a non-null value for an existing installation will result in deregistering + # of existing services in Consul and registering them with a new name. + consulPrefix: null + + # k8sTag is an optional tag that is applied to all of the Kubernetes services + # that are synced into Consul. If nothing is set, defaults to "k8s". + # (Kubernetes -> Consul sync) + k8sTag: null + + # syncClusterIPServices syncs services of the ClusterIP type, which may + # or may not be broadly accessible depending on your Kubernetes cluster. + # Set this to false to skip syncing ClusterIP services. + syncClusterIPServices: true + + # nodePortSyncType configures the type of syncing that happens for NodePort + # services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst. 
+ # - ExternalOnly will only use a node's ExternalIP address for the sync + # - InternalOnly use's the node's InternalIP address + # - ExternalFirst will preferentially use the node's ExternalIP address, but + # if it doesn't exist, it will use the node's InternalIP address instead. + nodePortSyncType: ExternalFirst + + # aclSyncToken refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the sync process the correct + # permissions. This is only needed if ACLs are enabled on the Consul cluster. + aclSyncToken: + secretName: null + secretKey: null + + # nodeSelector labels for syncCatalog pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # Example: + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + tolerations: null + + # Resource settings for sync catalog pods. + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Log verbosity level. One of "trace", "debug", "info", "warn", or "error". + logLevel: info + + # Override the default interval to perform syncing operations creating Consul services. + consulWriteInterval: null + +# ConnectInject will enable the automatic Connect sidecar injector. +connectInject: + # True if you want to enable connect injection. Set to "-" to inherit from + # global.enabled. + # Requires consul-k8s >= 0.10.1. + enabled: true + image: null # image for consul-k8s that contains the injector + default: false # true will inject by default, otherwise requires annotation + + # The Docker image for Consul to use when performing Connect injection. + # Defaults to global.image. 
+ imageConsul: null + + # Resource settings for connect inject pods. + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # The Docker image for envoy to use as the proxy sidecar when performing + # Connect injection. If using Consul 1.7+, the envoy version must be 1.13+. + # If not set, the image used depends on the consul-k8s version. For + # consul-k8s 0.12.0 the default is envoyproxy/envoy-alpine:v1.13.0. + imageEnvoy: null + + # namespaceSelector is the selector for restricting the webhook to only + # specific namespaces. This should be set to a multiline string. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # Example: + # namespaceSelector: | + # matchLabels: + # namespace-label: label-value + namespaceSelector: null + + # k8sAllowNamespaces is a list of k8s namespaces to allow Connect sidecar + # injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, + # pods in that k8s namespace will not be injected even if they are explicitly + # annotated. Use ["*"] to automatically allow all k8s namespaces. + # + # For example, ["namespace1", "namespace2"] will only allow pods in the k8s + # namespaces `namespace1` and `namespace2` to have Connect sidecars injected + # and registered with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to []. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here and + # `namespaceSelector` takes precedence over both since it is applied first. + # `kube-system` and `kube-public` are never injected, even if included here. + # Requires consul-k8s v0.12+ + k8sAllowNamespaces: ["*"] + + # k8sDenyNamespaces is a list of k8s namespaces that should not allow Connect + # sidecar injection. This list takes precedence over `k8sAllowNamespaces`. 
+ # `*` is not supported because then nothing would be allowed to be injected. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1" + # and "namespace2" will be available for injection. + # + # Note: `namespaceSelector` takes precedence over this since it is applied first. + # `kube-system` and `kube-public` are never injected. + # Requires consul-k8s v0.12+. + k8sDenyNamespaces: [] + + # [Enterprise Only] These settings manage the connect injector's interaction with + # Consul namespaces (requires consul-ent v1.7+ and consul-k8s v0.12+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # consulDestinationNamespace is the name of the Consul namespace to register all + # k8s pods into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # mirroringK8S causes k8s pods to be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. + mirroringK8S: false + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # pod in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # The certs section configures how the webhook TLS certs are configured. + # These are the TLS certs for the Kube apiserver communicating to the + # webhook. By default, the injector will generate and manage its own certs, + # but this requires the ability for the injector to update its own + # MutatingWebhookConfiguration. 
In a production environment, custom certs + # should probably be used. Configure the values below to enable this. + certs: + # secretName is the name of the secret that has the TLS certificate and + # private key to serve the injector webhook. If this is null, then the + # injector will default to its automatic management mode that will assign + # a service account to the injector to generate its own certificates. + secretName: null + + # caBundle is a base64-encoded PEM-encoded certificate bundle for the + # CA that signed the TLS certificate that the webhook serves. This must + # be set if secretName is non-null. + caBundle: "" + + # certName and keyName are the names of the files within the secret for + # the TLS cert and private key, respectively. These have reasonable + # defaults but can be customized if necessary. + certName: tls.crt + keyName: tls.key + + # nodeSelector labels for connectInject pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # Example: + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + tolerations: null + + # aclBindingRuleSelector accepts a query that defines which Service Accounts + # can authenticate to Consul and receive an ACL token during Connect injection. + # The default setting, i.e. serviceaccount.name!=default, prevents the + # 'default' Service Account from logging in. + # If set to an empty string all service accounts can log in. + # This only has effect if ACLs are enabled. + # + # See https://www.consul.io/docs/acl/acl-auth-methods.html#binding-rules + # and https://www.consul.io/docs/acl/auth-methods/kubernetes.html#trusted-identity-attributes + # for more details. 
+ # Requires Consul >= v1.5 and consul-k8s >= v0.8.0. + aclBindingRuleSelector: "serviceaccount.name!=default" + + # If you are not using global.acls.manageSystemACLs and instead manually setting up an + # auth method for Connect inject, set this to the name of your auth method. + overrideAuthMethodName: "" + + # aclInjectToken refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the Connect injector the correct + # permissions. This is only needed if Consul namespaces [Enterprise only] and ACLs + # are enabled on the Consul cluster and you are not setting + # `global.acls.manageSystemACLs` to `true`. + # This token needs to have `operator = "write"` privileges to be able to + # create Consul namespaces. + aclInjectToken: + secretName: null + secretKey: null + + # Requires Consul >= v1.5 and consul-k8s >= v0.8.1. + centralConfig: + # enabled controls whether central config is enabled on all servers and clients. + # See https://www.consul.io/docs/agent/options.html#enable_central_service_config. + # If changing this after installation, servers and clients must be restarted + # for the change to take effect. + enabled: true + + # defaultProtocol allows you to specify a convenience default protocol if + # most of your services are of the same protocol type. The individual annotation + # on any given pod will override this value. + # Valid values are "http", "http2", "grpc" and "tcp". + defaultProtocol: null + + # proxyDefaults is a raw json string that will be written as the value of + # the "config" key of the global proxy-defaults config entry. + # See: https://www.consul.io/docs/agent/config-entries/proxy-defaults.html + # NOTE: Changes to this value after the chart is first installed have *no* + # effect. In order to change the proxy-defaults config after installation, + # you must use the Consul API. + proxyDefaults: | + {} + + sidecarProxy: + # Set default resources for sidecar proxy. 
If null, that resource won't + # be set. + # These settings can be overridden on a per-pod basis via these annotations: + # - consul.hashicorp.com/sidecar-proxy-cpu-limit + # - consul.hashicorp.com/sidecar-proxy-cpu-request + # - consul.hashicorp.com/sidecar-proxy-memory-limit + # - consul.hashicorp.com/sidecar-proxy-memory-request + resources: + requests: + # Recommended default: 100Mi + memory: null + # Recommended default: 100m + cpu: null + limits: + # Recommended default: 100Mi + memory: null + # Recommended default: 100m + cpu: null + + # Resource settings for the Connect injected init container. + initContainer: + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "150Mi" + cpu: "50m" + +# Mesh Gateways enable Consul Connect to work across Consul datacenters. +meshGateway: + # If mesh gateways are enabled, a Deployment will be created that runs + # gateways and Consul Connect will be configured to use gateways. + # See https://www.consul.io/docs/connect/mesh_gateway.html + # Requirements: consul 1.6.0+ and consul-k8s 0.15.0+ if using + # global.acls.manageSystemACLs. + enabled: false + + # Globally configure which mode the gateway should run in. + # Can be set to either "remote", "local", "none" or empty string or null. + # See https://consul.io/docs/connect/mesh_gateway.html#modes-of-operation for + # a description of each mode. + # If set to anything other than "" or null, connectInject.centralConfig.enabled + # should be set to true so that the global config will actually be used. + # If set to the empty string, no global default will be set and the gateway mode + # will need to be set individually for each service. + globalMode: local + + # Number of replicas for the Deployment. + replicas: 2 + + # What gets registered as WAN address for the gateway. + wanAddress: + # source configures where to retrieve the WAN address (and possibly port) + # for the mesh gateway from. + # Can be set to either: Service, NodeIP, NodeName or Static. 
+ # + # Service - Determine the address based on the service type. + # If service.type=LoadBalancer use the external IP or hostname of + # the service. Use the port set by service.port. + # If service.type=NodePort use the Node IP. The port will be set to + # service.nodePort so service.nodePort cannot be null. + # If service.type=ClusterIP use the ClusterIP. The port will be set to + # service.port. + # service.type=ExternalName is not supported. + # NodeIP - The node IP as provided by the Kubernetes downward API. + # NodeName - The name of the node as provided by the Kubernetes downward + # API. This is useful if the node names are DNS entries that + # are routable from other datacenters. + # Static - Use the address hardcoded in meshGateway.wanAddress.static. + source: "Service" + + # Port that gets registered for WAN traffic. + # If source is set to "Service" then this setting will have no effect. + # See the documentation for source as to which port will be used in that + # case. + port: 443 + + # If source is set to "Static" then this value will be used as the WAN + # address of the mesh gateways. This is useful if you've configured a + # DNS entry to point to your mesh gateways. + static: "" + + # The service option configures the Service that fronts the Gateway Deployment. + service: + # Whether to create a Service or not. + enabled: true + + # Type of service, ex. LoadBalancer, ClusterIP. + type: LoadBalancer + + # Port that the service will be exposed on. + # The targetPort will be set to meshGateway.containerPort. + port: 443 + + # Optionally hardcode the nodePort of the service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + nodePort: null + + # Annotations to apply to the mesh gateway service. + # Example: + # annotations: | + # "annotation-key": "annotation-value" + annotations: null + + # Optional YAML string that will be appended to the Service spec. 
+ additionalSpec: null + + # Envoy image to use. For Consul v1.7+, Envoy version 1.13+ is required. + imageEnvoy: envoyproxy/envoy-alpine:v1.14.2 + + # If set to true, gateway Pods will run on the host network. + hostNetwork: false + + # dnsPolicy to use. + dnsPolicy: null + + # Consul service name for the mesh gateways. + # Cannot be set to anything other than "mesh-gateway" if + # global.acls.manageSystemACLs is true since the ACL token + # generated is only for the name 'mesh-gateway'. + consulServiceName: "mesh-gateway" + + # Port that the gateway will run on inside the container. + containerPort: 8443 + + # Optional hostPort for the gateway to be exposed on. + # This can be used with wanAddress.port and wanAddress.useNodeIP + # to expose the gateways directly from the node. + # If hostNetwork is true, this must be null or set to the same port as + # containerPort. + # NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul + # agent. + hostPort: null + + # Resource settings for mesh gateway pods. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # Resource settings for the `copy-consul-bin` init container. + initCopyConsulContainer: + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "150Mi" + cpu: "50m" + + # By default, we set an anti-affinity so that two gateway pods won't be + # on the same node. NOTE: Gateways require that Consul client agents are + # also running on the nodes alongside each gateway pod. + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: mesh-gateway + topologyKey: kubernetes.io/hostname + + # Optional YAML string to specify tolerations. 
+ tolerations: null + + # Optional YAML string to specify a nodeSelector config. + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Annotations to apply to the mesh gateway deployment. + # Example: + # annotations: | + # "annotation-key": "annotation-value" + annotations: null + +# Configuration options for ingress gateways. Default values for all +# ingress gateways are defined in `ingressGateways.defaults`. Any of +# these values may be overridden in `ingressGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 and consul-k8s >= 0.16.0 if using +# global.acls.manageSystemACLs and consul-k8s >= 0.10.0 if not. +ingressGateways: + # Enable ingress gateway deployment. Requires `connectInject.enabled=true` + # and `client.enabled=true`. + enabled: false + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each ingress gateway defined. + replicas: 2 + + # The service options configure the Service that fronts the gateway Deployment. + service: + # Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service + # type, you must set the desired nodePorts in the `ports` setting below. + type: ClusterIP + + # Ports that will be exposed on the service and gateway container. Any + # ports defined as ingress listeners on the gateway's Consul configuration + # entry should be included here. The first port will be used as part of + # the Consul service registration for the gateway and be listed in its + # SRV record. 
If using a NodePort service type, you must specify the + # desired nodePort for each exposed port. + ports: + - port: 8080 + nodePort: null + - port: 8443 + nodePort: null + + # Annotations to apply to the ingress gateway service. Annotations defined + # here will be applied to all ingress gateway services in addition to any + # service annotations defined for a specific gateway in `ingressGateways.gateways`. + # Example: + # annotations: | + # "annotation-key": "annotation-value" + annotations: null + + # Optional YAML string that will be appended to the Service spec. + additionalSpec: null + + # Resource limits for all ingress gateway pods + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # Resource settings for the `copy-consul-bin` init container. + initCopyConsulContainer: + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "150Mi" + cpu: "50m" + + # By default, we set an anti-affinity so that two of the same gateway pods + # won't be on the same node. NOTE: Gateways require that Consul client agents are + # also running on the nodes alongside each gateway pod. + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: ingress-gateway + topologyKey: kubernetes.io/hostname + + # Optional YAML string to specify tolerations. + tolerations: null + + # Optional YAML string to specify a nodeSelector config. + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Annotations to apply to the ingress gateway deployment. Annotations defined + # here will be applied to all ingress gateway deployments in addition to any + # annotations defined for a specific gateway in `ingressGateways.gateways`. 
+ # Example: + # annotations: | + # "annotation-key": "annotation-value" + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. Values defined here override the defaults except in the + # case of annotations where both will be applied. + gateways: + - name: ingress-gateway + +# Configuration options for terminating gateways. Default values for all +# terminating gateways are defined in `terminatingGateways.defaults`. Any of +# these values may be overridden in `terminatingGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 and consul-k8s >= 0.16.0 if using +# global.acls.manageSystemACLs and consul-k8s >= 0.10.0 if not. +terminatingGateways: + # Enable terminating gateway deployment. Requires `connectInject.enabled=true` + # and `client.enabled=true`. + enabled: false + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each terminating gateway defined. + replicas: 2 + + # extraVolumes is a list of extra volumes to mount. These will be exposed + # to Consul in the path `/consul/userconfig//`. 
The value below is + # an array of objects, examples are shown below. + # extraVolumes: + # - type: secret + # name: my-secret + # items: # optional items array + # - key: key + # path: path # secret will now mount to /consul/userconfig/my-secret/path + extraVolumes: [] + + # Resource limits for all terminating gateway pods + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # Resource settings for the `copy-consul-bin` init container. + initCopyConsulContainer: + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "150Mi" + cpu: "50m" + + # By default, we set an anti-affinity so that two of the same gateway pods + # won't be on the same node. NOTE: Gateways require that Consul client agents are + # also running on the nodes alongside each gateway pod. + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: terminating-gateway + topologyKey: kubernetes.io/hostname + + # Optional YAML string to specify tolerations. + tolerations: null + + # Optional YAML string to specify a nodeSelector config. + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Annotations to apply to the terminating gateway deployment. Annotations defined + # here will be applied to all terminating gateway deployments in addition to any + # annotations defined for a specific gateway in `terminatingGateways.gateways`. + # Example: + # annotations: | + # "annotation-key": "annotation-value" + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. 
+ consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. Values defined here override the defaults except in the + # case of annotations where both will be applied. + gateways: + - name: terminating-gateway + +# Control whether a test Pod manifest is generated when running helm template. +# When using helm install, the test Pod is not submitted to the cluster so this +# is only useful when running helm template. +tests: + enabled: true diff --git a/consul/config_templates/consul.yaml b/consul/config_templates/consul.yaml index 388f5e9..b41841e 100644 --- a/consul/config_templates/consul.yaml +++ b/consul/config_templates/consul.yaml 
@@ -6,112 +6,98 @@ apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: name: consul-consul-server - namespace: consul + namespace: {{.namespace}} labels: app: consul chart: consul-helm - heritage: Tiller + heritage: Helm release: consul spec: - maxUnavailable: 1 + maxUnavailable: 0 selector: matchLabels: app: consul release: "consul" component: server - ---- -# Source: consul/templates/client-config-configmap.yaml -# ConfigMap with extra configuration specified directly to the chart -# for client agents only. -apiVersion: v1 -kind: ConfigMap -metadata: - name: consul-consul-client-config - namespace: consul - labels: - app: consul - chart: consul-helm - heritage: Tiller - release: consul -data: - extra-from-values.json: |- - {} - - ---- -# Source: consul/templates/server-config-configmap.yaml -# StatefulSet to run the actual Consul server cluster. -apiVersion: v1 -kind: ConfigMap -metadata: - name: consul-consul-server-config - namespace: consul - labels: - app: consul - chart: consul-helm - heritage: Tiller - release: consul -data: - extra-from-values.json: |- - {} - - --- # Source: consul/templates/client-serviceaccount.yaml - apiVersion: v1 kind: ServiceAccount metadata: name: consul-consul-client - namespace: consul + namespace: {{.namespace}} labels: app: consul chart: consul-helm - heritage: Tiller + heritage: Helm release: consul - --- # Source: consul/templates/connect-inject-serviceaccount.yaml - apiVersion: v1 kind: ServiceAccount metadata: name: consul-consul-connect-injector-webhook-svc-account - namespace: consul + namespace: {{.namespace}} labels: app: consul chart: consul-helm - heritage: Tiller + heritage: Helm release: consul - --- # Source: consul/templates/server-serviceaccount.yaml - apiVersion: v1 kind: ServiceAccount metadata: name: consul-consul-server - namespace: consul + namespace: {{.namespace}} labels: app: consul chart: consul-helm - heritage: Tiller + heritage: Helm release: consul - --- -# Source: 
consul/templates/client-clusterrole.yaml - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +# Source: consul/templates/client-config-configmap.yaml +# ConfigMap with extra configuration specified directly to the chart +# for client agents only. +apiVersion: v1 +kind: ConfigMap metadata: - name: consul-consul-client + name: consul-consul-client-config + namespace: {{.namespace}} labels: app: consul chart: consul-helm - heritage: Tiller + heritage: Helm release: consul - +data: + extra-from-values.json: |- + {} + + central-config.json: |- + { + "enable_central_service_config": true + } +--- +# Source: consul/templates/server-config-configmap.yaml +# StatefulSet to run the actual Consul server cluster. +apiVersion: v1 +kind: ConfigMap +metadata: + name: consul-consul-server-config + namespace: {{.namespace}} + labels: + app: consul + chart: consul-helm + heritage: Helm + release: consul +data: + extra-from-values.json: |- + {} + + central-config.json: |- + { + "enable_central_service_config": true + } --- # Source: consul/templates/connect-inject-clusterrole.yaml # The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration. @@ -122,7 +108,7 @@ metadata: labels: app: consul chart: consul-helm - heritage: Tiller + heritage: Helm release: consul rules: - apiGroups: ["admissionregistration.k8s.io"] 
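Review bot: `namespace: {{.namespace}}` is substituted unquoted in this hunk and in every later hunk of consul.yaml that replaces `namespace: consul`, including the ClusterRoleBinding subject in `@@ -132,83 +118,89 @@`. The README in this commit says the value comes from the Meshery UI, and the placeholder looks like a Go text/template that is filled in as plain text before the YAML is parsed. A value containing a newline, `: ` or ` #` would therefore change the manifest's structure instead of being rejected. I would have the sed step emit `namespace: "{{.namespace}}"` and have the adapter check the value against the DNS-1123 label rules before rendering. Whether the adapter already validates it is not visible in this diff.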
@@ -132,83 +118,89 @@ rules: - "list" - "watch" - "patch" - --- -# Source: consul/templates/server-clusterrole.yaml - +# Source: consul/templates/connect-inject-clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: - name: consul-consul-server + name: consul-consul-connect-injector-webhook-admin-role-binding labels: app: consul chart: consul-helm - heritage: Tiller + heritage: Helm release: consul - +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: consul-consul-connect-injector-webhook +subjects: + - kind: ServiceAccount + name: consul-consul-connect-injector-webhook-svc-account + namespace: {{.namespace}} --- -# Source: consul/templates/client-clusterrolebinding.yaml - +# Source: consul/templates/client-role.yaml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: Role metadata: name: consul-consul-client + namespace: {{.namespace}} labels: app: consul chart: consul-helm - heritage: Tiller + heritage: Helm release: consul -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: consul-consul-client -subjects: - - kind: ServiceAccount - name: consul-consul-client - namespace: consul - +rules: [] --- -# Source: consul/templates/connect-inject-clusterrolebinding.yaml - +# Source: consul/templates/server-role.yaml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: Role metadata: - name: consul-consul-connect-injector-webhook-admin-role-binding + name: consul-consul-server + namespace: {{.namespace}} + labels: + app: consul + chart: consul-helm + heritage: Helm + release: consul +rules: [] +--- +# Source: consul/templates/client-rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: consul-consul-client + namespace: {{.namespace}} labels: app: consul chart: consul-helm - heritage: Tiller + heritage: Helm release: consul roleRef: apiGroup: rbac.authorization.k8s.io - kind: 
ClusterRole - name: consul-consul-connect-injector-webhook + kind: Role + name: consul-consul-client subjects: - kind: ServiceAccount - name: consul-consul-connect-injector-webhook-svc-account - namespace: consul - + name: consul-consul-client --- -# Source: consul/templates/server-clusterrolebinding.yaml - +# Source: consul/templates/server-rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: name: consul-consul-server + namespace: {{.namespace}} labels: app: consul chart: consul-helm - heritage: Tiller + heritage: Helm release: consul roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: Role name: consul-consul-server subjects: - kind: ServiceAccount name: consul-consul-server - namespace: consul - --- # Source: consul/templates/connect-inject-service.yaml # The service for the Connect sidecar injector @@ -216,11 +208,11 @@ apiVersion: v1 kind: Service metadata: name: consul-consul-connect-injector-svc - namespace: consul + namespace: {{.namespace}} labels: app: consul chart: consul-helm - heritage: Tiller + heritage: Helm release: consul spec: ports: @@ -230,8 +222,6 @@ spec: app: consul release: "consul" component: connect-injector - - --- # Source: consul/templates/dns-service.yaml # Service for Consul DNS. @@ -239,12 +229,13 @@ apiVersion: v1 kind: Service metadata: name: consul-consul-dns - namespace: consul + namespace: {{.namespace}} labels: app: consul chart: consul-helm - heritage: Tiller + heritage: Helm release: consul + component: dns spec: ports: - name: dns-tcp @@ -259,7 +250,6 @@ spec: app: consul release: "consul" hasDNS: "true" - --- # Source: consul/templates/server-service.yaml # Headless service for Consul server DNS entries. This service should only 
@@ -271,12 +261,13 @@ apiVersion: v1 kind: Service metadata: name: consul-consul-server - namespace: consul + namespace: {{.namespace}} labels: app: consul chart: consul-helm - heritage: Tiller + heritage: Helm release: consul + component: server annotations: # This must be set in addition to publishNotReadyAddresses due # to an open issue where it may not work: @@ -322,7 +313,6 @@ spec: app: consul release: "consul" component: server - --- # Source: consul/templates/ui-service.yaml # UI Service for Consul Server @@ -330,12 +320,13 @@ apiVersion: v1 kind: Service metadata: name: consul-consul-ui - namespace: consul + namespace: {{.namespace}} labels: app: consul chart: consul-helm - heritage: Tiller + heritage: Helm release: consul + component: ui spec: selector: app: consul @@ -345,7 +336,6 @@ spec: - name: http port: 80 targetPort: 8500 - --- # Source: consul/templates/client-daemonset.yaml # DaemonSet to run the Consul clients on every node. @@ -353,11 +343,11 @@ apiVersion: apps/v1 kind: DaemonSet metadata: name: consul-consul - namespace: consul + namespace: {{.namespace}} labels: app: consul chart: consul-helm - heritage: Tiller + heritage: Helm release: consul spec: selector: @@ -377,25 +367,22 @@ spec: hasDNS: "true" annotations: "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/config-checksum": ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356 spec: terminationGracePeriodSeconds: 10 serviceAccountName: consul-consul-client - # Consul agents require a directory for data, even clients. The data - # is okay to be wiped though if the Pod is removed, so just use an - # emptyDir volume. volumes: - name: data emptyDir: {} - name: config configMap: name: consul-consul-client-config - containers: - name: consul - image: "consul:1.5.0" + image: "consul:1.8.2" env: - - name: POD_IP + - name: ADVERTISE_IP valueFrom: fieldRef: fieldPath: status.podIP 
@@ -407,6 +394,10 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP command: - "/bin/sh" @@ -416,29 +407,22 @@ spec: exec /bin/consul agent \ -node="${NODE}" \ - -advertise="${POD_IP}" \ + -advertise="${ADVERTISE_IP}" \ -bind=0.0.0.0 \ -client=0.0.0.0 \ - -hcl="ports { grpc = 8502 }" \ + -node-meta=pod-name:${HOSTNAME} \ + -hcl='leave_on_terminate = true' \ + -hcl='ports { grpc = 8502 }' \ -config-dir=/consul/config \ -datacenter=dc1 \ -data-dir=/consul/data \ - -retry-join=${CONSUL_FULLNAME}-server-0.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc \ - -retry-join=${CONSUL_FULLNAME}-server-1.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc \ - -retry-join=${CONSUL_FULLNAME}-server-2.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc \ + -retry-join="${CONSUL_FULLNAME}-server-0.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc" \ -domain=consul volumeMounts: - name: data mountPath: /consul/data - name: config mountPath: /consul/config - lifecycle: - preStop: - exec: - command: - - /bin/sh - - -c - - consul leave ports: - containerPort: 8500 hostPort: 8500 @@ -447,7 +431,11 @@ spec: hostPort: 8502 name: grpc - containerPort: 8301 - name: serflan + protocol: "TCP" + name: serflan-tcp + - containerPort: 8301 + protocol: "UDP" + name: serflan-udp - containerPort: 8302 name: serfwan - containerPort: 8300 
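Review bot: The rewritten agent command still starts the client with `-client=0.0.0.0`, and the port list below it keeps `hostPort: 8500`, so each node's IP serves the Consul HTTP API over plain HTTP. Nothing in this hunk passes `-encrypt` or TLS settings, though they could come from `/consul/config`, which is not shown. With Connect enabled on the server, write access to that API can change service registrations and intentions, so I would enable ACLs, TLS and gossip encryption in the values used to render this manifest (the chart exposes `global.acls.manageSystemACLs`, `global.tls.enabled` and `global.gossipEncryption`), or document that the manifest is for evaluation clusters only. A smaller point in the same command: `-node-meta=pod-name:${HOSTNAME}` is the only expansion left unquoted after this change, and `-node-meta="pod-name:${HOSTNAME}"` would match the other flags. The container spec starts and ends outside the hunk.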
@@ -466,43 +454,15 @@ spec: - "/bin/sh" - "-ec" - | - curl http://127.0.0.1:8500/v1/status/leader 2>/dev/null | \ - grep -E '".+"' - ---- -# Source: consul/templates/tests/test-runner.yaml -apiVersion: v1 -kind: Pod -metadata: - name: "consul-consul-test-1klet" - labels: - app: consul - chart: consul-helm - heritage: Tiller - release: consul - annotations: - "helm.sh/hook": test-success -spec: - containers: - - name: consul-test - image: "consul:1.5.0" - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - command: - - "/bin/sh" - - "-ec" - - | - export VALUE="i66r7ndr4tjqbyfnh60o5lgo" - export CONSUL_HTTP_ADDR="${HOST_IP}:8500" - consul kv delete _consul_helm_test - consul kv put _consul_helm_test $VALUE - [ `consul kv get _consul_helm_test` = "$VALUE" ] - consul kv delete _consul_helm_test - restartPolicy: Never - + curl http://127.0.0.1:8500/v1/status/leader \ + 2>/dev/null | grep -E '".+"' + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 100m + memory: 100Mi --- # Source: consul/templates/connect-inject-deployment.yaml # The deployment for running the Connect sidecar injector @@ -510,11 +470,11 @@ apiVersion: apps/v1 kind: Deployment metadata: name: consul-consul-connect-injector-webhook-deployment - namespace: consul + namespace: {{.namespace}} labels: app: consul chart: consul-helm - heritage: Tiller + heritage: Helm release: consul spec: replicas: 1 @@ -537,7 +497,7 @@ spec: serviceAccountName: consul-consul-connect-injector-webhook-svc-account containers: - name: sidecar-injector - image: "hashicorp/consul-k8s:0.8.1" + image: "hashicorp/consul-k8s:0.18.1" env: - name: NAMESPACE valueFrom: 
@@ -551,10 +511,21 @@ spec: consul-k8s inject-connect \ -default-inject=false \ - -consul-image="consul:1.5.0" \ + -consul-image="consul:1.8.2" \ + -consul-k8s-image="hashicorp/consul-k8s:0.18.1" \ -listen=:8080 \ + -enable-central-config=true \ + -allow-k8s-namespace="*" \ -tls-auto=${CONSUL_FULLNAME}-connect-injector-cfg \ - -tls-auto-hosts=${CONSUL_FULLNAME}-connect-injector-svc,${CONSUL_FULLNAME}-connect-injector-svc.${NAMESPACE},${CONSUL_FULLNAME}-connect-injector-svc.${NAMESPACE}.svc + -tls-auto-hosts=${CONSUL_FULLNAME}-connect-injector-svc,${CONSUL_FULLNAME}-connect-injector-svc.${NAMESPACE},${CONSUL_FULLNAME}-connect-injector-svc.${NAMESPACE}.svc \ + -init-container-memory-limit=150Mi \ + -init-container-memory-request=25Mi \ + -init-container-cpu-limit=50m \ + -init-container-cpu-request=50m \ + -lifecycle-sidecar-memory-limit=50Mi \ + -lifecycle-sidecar-memory-request=25Mi \ + -lifecycle-sidecar-cpu-limit=20m \ + -lifecycle-sidecar-cpu-request=20m \ livenessProbe: httpGet: path: /health/ready @@ -575,7 +546,13 @@ spec: periodSeconds: 2 successThreshold: 1 timeoutSeconds: 5 - + resources: + limits: + cpu: 50m + memory: 50Mi + requests: + cpu: 50m + memory: 50Mi --- # Source: consul/templates/server-statefulset.yaml # StatefulSet to run the actual Consul server cluster. @@ -583,16 +560,17 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: consul-consul-server - namespace: consul + namespace: {{.namespace}} labels: app: consul chart: consul-helm - heritage: Tiller + heritage: Helm release: consul + component: server spec: serviceName: consul-consul-server podManagementPolicy: Parallel - replicas: 3 + replicas: 1 selector: matchLabels: app: consul @@ -610,6 +588,7 @@ spec: hasDNS: "true" annotations: "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/config-checksum": ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356 spec: affinity: podAntiAffinity: 
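Review bot: `-allow-k8s-namespace="*"` lets the injector act on annotated pods in every namespace, and the MutatingWebhookConfiguration later in this file carries no `namespaceSelector`, so pod creation in system namespaces is also routed through this single-replica webhook. If the mesh is only meant for application namespaces, list them explicitly or exclude the system ones, e.g. add `-deny-k8s-namespace="kube-system"`, through the values used to render this file. Also, the last added flag ends in ` \` with no further argument, which leaves a dangling line continuation at the end of the script. Dropping the backslash after `-lifecycle-sidecar-cpu-request=20m` is safer.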
@@ -620,7 +599,7 @@ spec: release: "consul" component: server topologyKey: kubernetes.io/hostname - terminationGracePeriodSeconds: 10 + terminationGracePeriodSeconds: 30 serviceAccountName: consul-consul-server securityContext: fsGroup: 1000 @@ -630,7 +609,7 @@ spec: name: consul-consul-server-config containers: - name: consul - image: "consul:1.5.0" + image: "consul:1.8.2" env: - name: POD_IP valueFrom: @@ -650,7 +629,7 @@ spec: exec /bin/consul agent \ -advertise="${POD_IP}" \ -bind=0.0.0.0 \ - -bootstrap-expect=3 \ + -bootstrap-expect=1 \ -client=0.0.0.0 \ -config-dir=/consul/config \ -datacenter=dc1 \ @@ -659,8 +638,6 @@ spec: -hcl="connect { enabled = true }" \ -ui \ -retry-join=${CONSUL_FULLNAME}-server-0.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc \ - -retry-join=${CONSUL_FULLNAME}-server-1.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc \ - -retry-join=${CONSUL_FULLNAME}-server-2.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc \ -server volumeMounts: - name: data-consul @@ -697,13 +674,20 @@ spec: - "/bin/sh" - "-ec" - | - curl http://127.0.0.1:8500/v1/status/leader 2>/dev/null | \ - grep -E '".+"' + curl http://127.0.0.1:8500/v1/status/leader \ + 2>/dev/null | grep -E '".+"' failureThreshold: 2 initialDelaySeconds: 5 periodSeconds: 3 successThreshold: 1 - timeoutSeconds: 5 + timeoutSeconds: 5 + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 100m + memory: 100Mi volumeClaimTemplates: - metadata: name: data-consul @@ -713,7 +697,6 @@ spec: resources: requests: storage: 10Gi - --- # Source: consul/templates/connect-inject-mutatingwebhook.yaml # The MutatingWebhookConfiguration to enable the Connect injector. 
@@ -721,96 +704,59 @@ apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration metadata: name: consul-consul-connect-injector-cfg - namespace: consul + namespace: {{.namespace}} labels: app: consul chart: consul-helm - heritage: Tiller + heritage: Helm release: consul webhooks: - name: consul-consul-connect-injector.consul.hashicorp.com clientConfig: service: name: consul-consul-connect-injector-svc - namespace: consul + namespace: {{.namespace}} path: "/mutate" - caBundle: + caBundle: "" rules: - operations: [ "CREATE" ] apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] - ---- -# Source: consul/templates/client-podsecuritypolicy.yaml - - ---- -# Source: consul/templates/connect-inject-authmethod-clusterrole.yaml - - ---- -# Source: consul/templates/connect-inject-authmethod-clusterrolebinding.yaml - - ---- -# Source: consul/templates/connect-inject-authmethod-serviceaccount.yaml - - --- -# Source: consul/templates/connect-inject-podsecuritypolicy.yaml - - ---- -# Source: consul/templates/enterprise-license-clusterrole.yaml - - ---- -# Source: consul/templates/enterprise-license-clusterrolebinding.yaml - - ---- -# Source: consul/templates/enterprise-license-serviceaccount.yaml - - ---- -# Source: consul/templates/enterprise-license.yaml - - ---- -# Source: consul/templates/server-acl-init-clusterrole.yaml - ---- -# Source: consul/templates/server-acl-init-clusterrolebinding.yaml - ---- -# Source: consul/templates/server-acl-init-job.yaml - - ---- -# Source: consul/templates/server-acl-init-serviceaccount.yaml - ---- -# Source: consul/templates/server-podsecuritypolicy.yaml - - ---- -# Source: consul/templates/sync-catalog-clusterrole.yaml - - ---- -# Source: consul/templates/sync-catalog-clusterrolebinding.yaml - - ---- -# Source: consul/templates/sync-catalog-deployment.yaml -# The deployment for running the sync-catalog pod - ---- -# Source: consul/templates/sync-catalog-podsecuritypolicy.yaml - - ---- -# Source: 
consul/templates/sync-catalog-serviceaccount.yaml - +# Source: consul/templates/tests/test-runner.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "consul-consul-test" + namespace: {{.namespace}} + labels: + app: consul + chart: consul-helm + heritage: Helm + release: consul + annotations: + "helm.sh/hook": test-success +spec: + containers: + - name: consul-test + image: "consul:1.8.2" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CONSUL_HTTP_ADDR + value: http://$(HOST_IP):8500 + command: + - "/bin/sh" + - "-ec" + - | + consul members | tee members.txt + if [ $(grep -c consul-server members.txt) != $(grep consul-server members.txt | grep -c alive) ] + then + echo "Failed because not all consul servers are available" + exit 1 + fi + restartPolicy: Never diff --git a/go.mod b/go.mod index 667e47f..1a4fd40 100644 --- a/go.mod +++ b/go.mod @@ -19,7 +19,7 @@ require ( golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 // indirect golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 // indirect - google.golang.org/grpc v1.31.0 + google.golang.org/grpc v1.31.1 gopkg.in/inf.v0 v0.9.1 // indirect k8s.io/api v0.0.0-20190313235455-40a48860b5ab // indirect k8s.io/apimachinery v0.0.0-20190313205120-d7deff9243b1 diff --git a/go.sum b/go.sum index b708444..fc3ca5d 100644 --- a/go.sum +++ b/go.sum 
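Review bot: The added `consul-consul-test` Pod is a Helm test hook (`"helm.sh/hook": test-success`), but that annotation only means something to Helm, so if this manifest is applied directly the Pod is created on every install as an ordinary workload. It runs `consul members` once against `http://$(HOST_IP):8500` under `sh -ec`, so it would likely end in `Failed` whenever the agent is not yet reachable, leaving a misleading failed Pod in the namespace. I would drop this document from the rendered manifest, or if it stays, quote the comparison: `if [ "$(grep -c consul-server members.txt)" != "$(grep consul-server members.txt | grep -c alive)" ]`. Separately, `namespace: {{.namespace}}` on the cluster-scoped MutatingWebhookConfiguration metadata has no effect and can be removed.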
@@ -154,6 +154,8 @@ google.golang.org/grpc v1.29.1 h1:EC2SB8S04d2r73uptxphDSUG+kTKVgjRPF+N3xpxRB4= google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.31.0 h1:T7P4R73V3SSDPhH7WW7ATbfViLtmamH0DKrP3f9AuDI= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.1 h1:SfXqXS5hkufcdZ/mHtYCh53P2b+92WQq/DZcKLgsFRs= +google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -162,6 +164,7 @@ google.golang.org/protobuf v1.21.0 h1:qdOKuR/EIArgaWNjetjgTzgVTAZ+S/WXVrq9HW9zim google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= google.golang.org/protobuf v1.22.0 h1:cJv5/xdbk1NnMPR1VP9+HU6gupuG9MLBoH1r6RHZ2MY= google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0 h1:4MY060fB1DLGMB/7MBTLnwQUY6+F09GEiz6SsrNqyzM= google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=