v0.34.0
`consul-k8s-control-plane` image. Please use v0.34.1 instead.
0.34.0 (September 17, 2021)
FEATURES:
- CLI
  - The `consul-k8s` CLI enables users to deploy and operate Consul on Kubernetes.
    - Support `consul-k8s install` command. [GH-713]
- Helm Chart
  - Add support for Admin Partitions. (Consul Enterprise only) ALPHA [GH-729]
    - This feature allows Consul to be deployed across multiple Kubernetes clusters while sharing a single set of Consul servers. The services on each cluster can be independently managed. This feature is an alpha feature. It requires:
      - a flat pod and node network in order for inter-partition networking to work.
      - TLS to be enabled.
      - Consul Namespaces enabled.

      Transparent Proxy is unsupported for cross partition communication.
To enable Admin Partitions on the server cluster use the following config.
```yaml
global:
  enableConsulNamespaces: true
  tls:
    enabled: true
  image: hashicorp/consul-enterprise:1.11.0-ent-alpha
  adminPartitions:
    enabled: true
server:
  exposeGossipAndRPCPorts: true
  enterpriseLicense:
    secretName: license
    secretKey: key
connectInject:
  enabled: true
  transparentProxy:
    defaultEnabled: false
  consulNamespaces:
    mirroringK8S: true
controller:
  enabled: true
```
Identify the LoadBalancer External IP of the partition-service:
```sh
kubectl get svc consul-consul-partition-service -o json | jq -r '.status.loadBalancer.ingress[0].ip'
```
Migrate the TLS CA credentials from the server cluster to the workload clusters:
```sh
kubectl get secret consul-consul-ca-key --context "server-context" -o yaml | kubectl apply --context "workload-context" -f -
kubectl get secret consul-consul-ca-cert --context "server-context" -o yaml | kubectl apply --context "workload-context" -f -
```
Configure the workload cluster using the following config.
```yaml
global:
  enabled: false
  enableConsulNamespaces: true
  image: hashicorp/consul-enterprise:1.11.0-ent-alpha
  adminPartitions:
    enabled: true
    name: "alpha" # Name of Admin Partition
  tls:
    enabled: true
    caCert:
      secretName: consul-consul-ca-cert
      secretKey: tls.crt
    caKey:
      secretName: consul-consul-ca-key
      secretKey: tls.key
server:
  enterpriseLicense:
    secretName: license
    secretKey: key
externalServers:
  enabled: true
  hosts: [ "loadbalancer IP" ] # external IP of partition service LB
  tlsServerName: server.dc1.consul
client:
  enabled: true
  exposeGossipPorts: true
  join: [ "loadbalancer IP" ] # external IP of partition service LB
connectInject:
  enabled: true
  consulNamespaces:
    mirroringK8S: true
controller:
  enabled: true
```
This should lead to the workload cluster having only Consul agents that connect with the Consul server. Services in this
cluster behave like independent services. They can be configured to communicate with services in other partitions by
configuring the upstream configuration on the individual services.
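
A preflight check for the steps above, as an added example that is not part of the consul-k8s release notes or project code: it reads the partition service JSON and checks a workload values structure against the requirements listed. It goes slightly beyond the `jq` one-liner by handling a LoadBalancer that is still pending or that publishes only a hostname; the function names and sample inputs are assumptions constructed for illustration.

```python
import json

PLACEHOLDER = "loadbalancer IP"  # literal placeholder text from the config above

def partition_service_address(svc_json):
    """Return the external address from `kubectl get svc ... -o json` output."""
    ingress = json.loads(svc_json).get("status", {}).get("loadBalancer", {}).get("ingress") or []
    if not ingress:
        raise ValueError("LoadBalancer has no external address yet (still pending)")
    # Some providers publish a hostname instead of an IP; jq's `.ip` then prints "null".
    addr = ingress[0].get("ip") or ingress[0].get("hostname")
    if not addr:
        raise ValueError("ingress entry has neither ip nor hostname")
    return addr

def check_workload_values(values, address):
    """List where a workload-cluster values dict departs from the config above."""
    g = values.get("global", {})
    tls = g.get("tls", {})
    problems = []
    if not tls.get("enabled"):
        problems.append("global.tls.enabled must be true")
    if not g.get("enableConsulNamespaces"):
        problems.append("global.enableConsulNamespaces must be true")
    if not g.get("adminPartitions", {}).get("enabled"):
        problems.append("global.adminPartitions.enabled must be true")
    for key in ("caCert", "caKey"):
        if not tls.get(key, {}).get("secretName"):
            problems.append(f"global.tls.{key}.secretName is not set")
    for section, field in (("externalServers", "hosts"), ("client", "join")):
        if address not in values.get(section, {}).get(field, []):
            problems.append(f"{section}.{field} must list {address}")
    return problems

# Constructed sample inputs (documentation address), not output from a real cluster.
SAMPLE_SVC = '{"status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}}'
SAMPLE_VALUES = {
    "global": {"enabled": False, "enableConsulNamespaces": True,
               "adminPartitions": {"enabled": True, "name": "alpha"},
               "tls": {"enabled": True,
                       "caCert": {"secretName": "consul-consul-ca-cert", "secretKey": "tls.crt"},
                       "caKey": {"secretName": "consul-consul-ca-key", "secretKey": "tls.key"}}},
    "externalServers": {"enabled": True, "hosts": [PLACEHOLDER]},
    "client": {"enabled": True, "join": [PLACEHOLDER]},
}

if __name__ == "__main__":
    addr = partition_service_address(SAMPLE_SVC)
    print(addr, check_workload_values(SAMPLE_VALUES, addr))
```

The sample values still carry the placeholder address, so the check reports both `externalServers.hosts` and `client.join` until the real address is filled in.
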
- Control Plane
  - Add support for Admin Partitions. (Consul Enterprise only) **ALPHA** [GH-729]
    - Add Partition-Init job that runs in Kubernetes clusters that do not have servers running to provision Admin Partitions.
    - Update endpoints-controller, config-entry controller and config entries to add partition config to them.
IMPROVEMENTS:
- Helm Chart
  - Add ability to specify port for ui service. [GH-604]
  - Use `policy/v1` for Consul server `PodDisruptionBudget` if supported. [GH-606]
  - Add readiness, liveness and startup probes to the connect inject deployment. [GH-626][GH-701]
  - Add support for setting container security contexts on client and server Pods. [GH-620]
  - Update Envoy image to 1.18.4 [GH-699]
  - Add configuration for webhook-cert-manager tolerations [GH-712]
  - Update default Consul version to 1.10.2 [GH-718]
- Control Plane
  - Add health endpoint to the connect inject webhook that will be healthy when webhook certs are present and not empty. [GH-626]
  - Catalog Sync: Fix issue registering NodePort services with wrong IPs when a node has multiple IP addresses. [GH-619]
  - Allow registering the same service in multiple namespaces. [GH-697]
BUG FIXES: