feat(consul): address PR review feedback

- Fix consul HTTPRoute backend: consul-consul-ui -> consul-ui
- Add consul.service.consul hostname to Gateway (cert SAN) and HTTPRoute
- Add consul-svc listener on 443 for consul.service.consul SNI routing
- Convert PDB inline patch to patches/consul-server-pdb.yaml
- Set server.disruptionBudget.maxUnavailable: 1 explicitly in values
- Expose consul DNS service as LoadBalancer (purelb 198.18.200.5) for anycast
- Remove sandbox overlay (not needed in production GitOps)
2026-05-23 22:11:41 +10:00
parent 0c73cc7594
commit f224b17ca1
7 changed files with 49 additions and 101 deletions
+13
@@ -12,6 +12,7 @@ metadata:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: consul.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
cert-manager.io/subject-alternative-names: consul.service.consul
external-dns.alpha.kubernetes.io/hostname: consul.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.4
spec:
@@ -29,3 +30,15 @@ spec:
certificateRefs:
- kind: Secret
name: consul-tls
- name: consul-svc
port: 443
protocol: HTTPS
hostname: consul.service.consul
allowedRoutes:
namespaces:
from: Same
tls:
mode: Terminate
certificateRefs:
- kind: Secret
name: consul-tls
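Review bot: The new `consul-svc` listener terminates TLS with the same `consul-tls` secret as the existing `https` listener, so the certificate behind that secret has to carry `consul.service.consul`; the `cert-manager.io/subject-alternative-names` annotation added at the top of the hunk is what asks for that (cert-manager's Gateway integration may also derive it from the listener hostname, so the annotation is possibly belt-and-braces), but it only works if the PKI role behind `vault-issuer` permits names under `service.consul` — worth confirming, since a rejected request would likely leave the listener without a usable certificate and the matching route never ready. A comment above the listener would save the next reader a lookup, e.g. `# Separate listener so SNI for consul.service.consul (the anycast DNS name) matches; the cert SAN comes from the annotation on this Gateway`. The `https` listener's definition starts outside the hunk.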
+24 -1
@@ -15,7 +15,30 @@ spec:
sectionName: https
rules:
- backendRefs:
- name: consul-consul-ui
- name: consul-ui
port: 80
matches:
- path:
type: PathPrefix
value: /
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: consul-svc
namespace: consul
labels:
app.kubernetes.io/name: consul
app.kubernetes.io/instance: consul
spec:
hostnames:
- consul.service.consul
parentRefs:
- name: consul
sectionName: consul-svc
rules:
- backendRefs:
- name: consul-ui
port: 80
matches:
- path:
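Review bot: Both routes forward to `consul-ui` on port 80, which — if I read the Consul Helm chart right — fronts the server HTTP listener shared by the UI and the `/v1/` API, so `consul.service.consul` and the public hostname both expose the full API, not just the UI, and nothing in the hunk narrows the path match; unless `global.acls` is enabled in values.yaml that is unauthenticated read/write to the catalog and KV store. Restricting the route to `/ui` would not help because the UI itself calls `/v1/`, so the control has to be Consul ACLs or an authentication policy on the gateway — confirm which is in place and record it above the second route, e.g. `# Exposes the Consul HTTP API (UI + /v1) behind gateway TLS; access control relies on Consul ACLs`. Stylistically the second HTTPRoute duplicates the first rule for rule; one route with both hostnames and two parentRefs (`sectionName: https` and `sectionName: consul-svc`) would keep the backend reference in a single place. The first route's `parentRefs` and the tail of the second route's `matches` lie outside the hunk.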
@@ -6,13 +6,10 @@ resources:
- ../../../base/consul
patches:
- target:
- path: patches/consul-server-pdb.yaml
target:
kind: PodDisruptionBudget
name: consul-server
patch: |-
- op: replace
path: /apiVersion
value: policy/v1
helmCharts:
- name: consul
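Review bot: The externalised PDB patch is a JSON6902 list (`op`/`path`/`value`) and the hunk gives no hint why the chart's own `apiVersion` needs rewriting; a comment above `- path:` would preserve that knowledge, e.g. `# helm template as run by kustomize sees no cluster Capabilities, so the chart emits policy/v1beta1; rewrite to policy/v1`. That is my reading of the chart's template rather than something visible here — confirm against the rendered output before relying on it. If the kustomize in use supports the `apiVersions` field on `helmCharts`, declaring `policy/v1/PodDisruptionBudget` there may let the chart render `policy/v1` itself and retire both the patch and the new patch file. The `helmCharts` entry continues outside the hunk.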
@@ -0,0 +1,3 @@
- op: replace
path: /apiVersion
value: policy/v1
+7
@@ -12,6 +12,9 @@ server:
connect: true
disruptionBudget:
maxUnavailable: 1
extraConfig: |
{
"disable_remote_exec": true,
@@ -49,3 +52,7 @@ connectInject:
dns:
enabled: true
type: LoadBalancer
annotations: |
purelb.io/service-group: "common"
purelb.io/addresses: 198.18.200.5
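Review bot: `purelb.io/addresses: 198.18.200.5` is unquoted while `purelb.io/service-group` on the line above is quoted; the `annotations: |` block ends up as YAML in the rendered Service, so quote the address too for consistency and so a later non-IP value does not change type, i.e. `purelb.io/addresses: "198.18.200.5"`. Exposing the DNS service on a LoadBalancer means anything that can reach 198.18.200.5 can resolve catalog entries through Consul DNS (the service appears to target the `ports.dns: 8600` set in `extraConfig`, going by the chart's wiring), and the relation between this address and the 198.18.200.4 used as the Gateway's external-dns target is undocumented — a comment such as `# anycast Consul DNS VIP; 198.18.200.4 is the gateway VIP` would help. For `maxUnavailable: 1`, a one-line comment recording why the chart's computed default was overridden would make the intent explicit. The `server` and `dns` stanzas extend beyond the two hunks.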
@@ -1,44 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/consul
patches:
- target:
kind: Namespace
name: consul
patch: |-
- op: replace
path: /metadata/name
value: sandbox-consul
- target:
kind: Gateway
name: consul
patch: |-
- op: replace
path: /metadata/namespace
value: sandbox-consul
- target:
kind: HTTPRoute
name: consul
patch: |-
- op: replace
path: /metadata/namespace
value: sandbox-consul
- target:
kind: PodDisruptionBudget
name: consul-server
patch: |-
- op: replace
path: /apiVersion
value: policy/v1
helmCharts:
- name: consul
repo: https://helm.releases.hashicorp.com
version: "1.9.7"
releaseName: consul
namespace: sandbox-consul
valuesFile: values.yaml
-51
@@ -1,51 +0,0 @@
global:
name: consul
datacenter: au-syd1
domain: consul
server:
image: hashicorp/consul:1.22.7
replicas: 5
bootstrapExpect: 5
storage: 10Gi
storageClass: cephrbd-fast-delete
connect: true
extraConfig: |
{
"disable_remote_exec": true,
"disable_update_check": true,
"performance": {
"raft_multiplier": 10
},
"ports": {
"dns": 8600,
"grpc": 8502,
"http": 8500,
"https": -1
},
"primary_datacenter": "au-syd1"
}
resources:
requests:
memory: 256Mi
cpu: 100m
limits:
memory: 2Gi
cpu: 1000m
client:
enabled: false
ui:
enabled: true
service:
type: ClusterIP
connectInject:
enabled: false
dns:
enabled: true