From 11ac2ae91e30ea7b78a4cfb74cd7dc30e796ed2d Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Sat, 23 May 2026 22:40:49 +1000 Subject: [PATCH] feat(consul): deploy HashiCorp Consul 1.22.7 via Helm chart (5-replica cluster) (#149) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary - Deploys HashiCorp Consul 1.22.7 using Helm chart 1.9.7 with 5 server replicas - Configuration modelled on production consul: \`datacenter=au-syd1\`, \`connect=true\`, \`raft_multiplier=10\`, HTTP on 8500, GRPC on 8502, HTTPS disabled - 5-replica server cluster with \`bootstrapExpect=5\` - 10Gi cephrbd-fast-delete PVC per server pod - Gateway API: HTTPS gateway + HTTPRoute (443→consul-consul-ui:80→8500) at \`consul.k8s.syd1.au.unkin.net\` - PodDisruptionBudget patched from \`policy/v1beta1\` to \`policy/v1\` (k8s 1.25+ compatibility) - ArgoCD platform ApplicationSet updated to include consul overlay path - Clients disabled (server-only deployment) - ConnectInject disabled (can be enabled later for service mesh) ## Requires - PR #147 (artifactapi: add hashicorp/consul to docker immutable patterns) to be merged first ## Test plan - [ ] Sandbox tested in \`sandbox-consul\`: all 5 server pods 1/1 Running, cluster formed - [ ] After merge: ArgoCD syncs consul namespace - [ ] Verify \`consul.k8s.syd1.au.unkin.net\` is accessible via Gateway Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/149 --- apps/base/consul/gateway.yaml | 51 +++++++++++++ apps/base/consul/httproute.yaml | 71 +++++++++++++++++++ apps/base/consul/kustomization.yaml | 8 +++ apps/base/consul/namespace.yaml | 5 ++ .../au-syd1/consul/kustomization.yaml | 16 +++++ apps/overlays/au-syd1/consul/values.yaml | 58 +++++++++++++++ argocd/applicationsets/platform.yaml | 1 + 7 files changed, 210 insertions(+) create mode 100644 apps/base/consul/gateway.yaml create mode 100644 apps/base/consul/httproute.yaml create mode 100644 apps/base/consul/kustomization.yaml create mode 100644 apps/base/consul/namespace.yaml create mode 100644 
apps/overlays/au-syd1/consul/kustomization.yaml create mode 100644 apps/overlays/au-syd1/consul/values.yaml
diff --git a/apps/base/consul/gateway.yaml b/apps/base/consul/gateway.yaml
new file mode 100644
index 0000000..30d7e9f
--- /dev/null
+++ b/apps/base/consul/gateway.yaml
@@ -0,0 +1,51 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: consul
+ namespace: consul
+ labels:
+ app.kubernetes.io/name: consul
+ app.kubernetes.io/instance: consul
+ traefik.io/instance: internal
+ annotations:
+ cert-manager.io/cluster-issuer: vault-issuer
+ cert-manager.io/common-name: consul.k8s.syd1.au.unkin.net
+ cert-manager.io/private-key-size: "4096"
+ cert-manager.io/alt-names: consul.service.consul
+ external-dns.alpha.kubernetes.io/hostname: consul.k8s.syd1.au.unkin.net
+ external-dns.alpha.kubernetes.io/target: 198.18.200.4
+spec:
+ gatewayClassName: traefik-internal
+ listeners:
+ - name: http
+ port: 80
+ protocol: HTTP
+ hostname: consul.k8s.syd1.au.unkin.net
+ allowedRoutes:
+ namespaces:
+ from: Same
+ - name: https
+ port: 443
+ protocol: HTTPS
+ hostname: consul.k8s.syd1.au.unkin.net
+ allowedRoutes:
+ namespaces:
+ from: Same
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - kind: Secret
+ name: consul-tls
+ - name: consul-svc
+ port: 443
+ protocol: HTTPS
+ hostname: consul.service.consul
+ allowedRoutes:
+ namespaces:
+ from: Same
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - kind: Secret
+ name: consul-tls
diff --git a/apps/base/consul/httproute.yaml b/apps/base/consul/httproute.yaml
new file mode 100644
index 0000000..53297f6
--- /dev/null
+++ b/apps/base/consul/httproute.yaml
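Review bot: In gateway.yaml the `consul-svc` listener and the `cert-manager.io/alt-names` annotation both claim `consul.service.consul`, a name inside the Consul DNS domain that values.yaml in this patch configures (`domain: consul`), yet the external-dns annotations publish only `consul.k8s.syd1.au.unkin.net`. Nothing visible here says which resolver is expected to point that name at the gateway address rather than at the server pods, which per values.yaml listen on plain HTTP 8500 and not on 443. A comment above the listener would settle it, for example `# consul.service.consul is steered to this gateway by <resolver or DNS override>; keep in sync with cert-manager.io/alt-names`. If no such override exists, the listener, the `consul-svc` HTTPRoute and the extra SAN on `consul-tls` are better dropped than left unexplained.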
@@ -0,0 +1,71 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: consul-http-redirect
+ namespace: consul
+ labels:
+ app.kubernetes.io/name: consul
+ app.kubernetes.io/instance: consul
+spec:
+ hostnames:
+ - consul.k8s.syd1.au.unkin.net
+ parentRefs:
+ - name: consul
+ sectionName: http
+ rules:
+ - filters:
+ - type: RequestRedirect
+ requestRedirect:
+ scheme: https
+ statusCode: 301
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: consul
+ namespace: consul
+ labels:
+ app.kubernetes.io/name: consul
+ app.kubernetes.io/instance: consul
+spec:
+ hostnames:
+ - consul.k8s.syd1.au.unkin.net
+ parentRefs:
+ - name: consul
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: consul-ui
+ port: 80
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: consul-svc
+ namespace: consul
+ labels:
+ app.kubernetes.io/name: consul
+ app.kubernetes.io/instance: consul
+spec:
+ hostnames:
+ - consul.service.consul
+ parentRefs:
+ - name: consul
+ sectionName: consul-svc
+ rules:
+ - backendRefs:
+ - name: consul-ui
+ port: 80
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
diff --git a/apps/base/consul/kustomization.yaml b/apps/base/consul/kustomization.yaml
new file mode 100644
index 0000000..2c2b5da
--- /dev/null
+++ b/apps/base/consul/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - namespace.yaml
+ - gateway.yaml
+ - httproute.yaml
diff --git a/apps/base/consul/namespace.yaml b/apps/base/consul/namespace.yaml
new file mode 100644
index 0000000..e91e994
--- /dev/null
+++ b/apps/base/consul/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: consul
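Review bot: In httproute.yaml the `consul` and `consul-svc` routes forward `PathPrefix /` to `consul-ui:80`, which per the commit description fronts the server HTTP port 8500, so the whole HTTP API and not only the UI assets is published through the gateway. values.yaml in this patch sets nothing under `global.acls`, so unless ACLs are configured outside this change, access to catalog and KV data through these routes is limited only by who can reach the gateway. ACLs should be on before the route goes live, e.g. `global.acls.manageSystemACLs: true` in values.yaml. A comment on each `backendRefs` entry such as `# consul-ui carries the full HTTP API, not just the UI; access control relies on Consul ACLs` would also keep the exposure visible to later editors.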
diff --git a/apps/overlays/au-syd1/consul/kustomization.yaml b/apps/overlays/au-syd1/consul/kustomization.yaml
new file mode 100644
index 0000000..bbc6c94
--- /dev/null
+++ b/apps/overlays/au-syd1/consul/kustomization.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../../base/consul
+
+helmCharts:
+ - name: consul
+ repo: https://helm.releases.hashicorp.com
+ version: "1.9.7"
+ releaseName: consul
+ namespace: consul
+ valuesFile: values.yaml
+ apiVersions:
+ - policy/v1/PodDisruptionBudget
diff --git a/apps/overlays/au-syd1/consul/values.yaml b/apps/overlays/au-syd1/consul/values.yaml
new file mode 100644
index 0000000..86a49b0
--- /dev/null
+++ b/apps/overlays/au-syd1/consul/values.yaml
@@ -0,0 +1,58 @@
+global:
+ name: consul
+ datacenter: au-syd1
+ domain: consul
+
+server:
+ image: hashicorp/consul:1.22.7
+ replicas: 5
+ bootstrapExpect: 5
+ storage: 10Gi
+ storageClass: cephrbd-fast-delete
+
+ connect: true
+
+ disruptionBudget:
+ maxUnavailable: 1
+
+ extraConfig: |
+ {
+ "disable_remote_exec": true,
+ "disable_update_check": true,
+ "performance": {
+ "raft_multiplier": 10
+ },
+ "ports": {
+ "dns": 8600,
+ "grpc": 8502,
+ "http": 8500,
+ "https": -1
+ },
+ "primary_datacenter": "au-syd1"
+ }
+
+ resources:
+ requests:
+ memory: 256Mi
+ cpu: 100m
+ limits:
+ memory: 2Gi
+ cpu: 1000m
+
+client:
+ enabled: false
+
+ui:
+ enabled: true
+ service:
+ type: ClusterIP
+
+connectInject:
+ enabled: false
+
+dns:
+ enabled: true
+ type: LoadBalancer
+ annotations: |
+ purelb.io/service-group: "common"
+ purelb.io/addresses: 198.18.200.5
diff --git a/argocd/applicationsets/platform.yaml b/argocd/applicationsets/platform.yaml
index 63be86a..ac5afac 100644
--- a/argocd/applicationsets/platform.yaml
+++ b/argocd/applicationsets/platform.yaml
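Review bot: In values.yaml, server-to-server traffic and the HTTP API are left unencrypted: `"https": -1` in `extraConfig` turns the TLS listener off, and nothing under `global` enables TLS or gossip encryption, which the chart presumably leaves off unless asked (worth confirming against the 1.9.7 defaults). The TLS termination at the gateway therefore covers only the hop up to Traefik, while RPC and gossip between the five replicas and the gateway-to-backend hop stay in plaintext. Turning both on under `global` is a small addition, shown below. The `ports` block in `extraConfig` and the `consul-ui` backend port in httproute.yaml would need revisiting once the chart manages the HTTPS listener.

```yaml
global:
  # … unchanged: name, datacenter, domain …
  tls:
    enabled: true
  gossipEncryption:
    autoGenerate: true
```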
@@ -15,6 +15,7 @@ spec: - path: apps/overlays/*/cert-manager - path: apps/overlays/*/certificates - path: apps/overlays/*/cnpg-system + - path: apps/overlays/*/consul - path: apps/overlays/*/elastic-system - path: apps/overlays/*/externaldns - path: apps/overlays/*/inteldeviceplugins-system