feat(consul): deploy HashiCorp Consul 1.22.7 via Helm chart (5-replica cluster) #149

Merged
unkinben merged 5 commits from benvin/consul into main 2026-05-23 22:40:49 +10:00
Owner

Summary

  • Deploys HashiCorp Consul 1.22.7 using Helm chart 1.9.7 with 5 server replicas
  • Configuration modelled on production consul: `datacenter=au-syd1`, `connect=true`, `raft_multiplier=10`, HTTP on 8500, GRPC on 8502, HTTPS disabled
  • 5-replica server cluster with `bootstrapExpect=5`
  • 10Gi cephrbd-fast-delete PVC per server pod
  • Gateway API: HTTPS gateway + HTTPRoute (443→consul-consul-ui:80→8500) at `consul.k8s.syd1.au.unkin.net`
  • PodDisruptionBudget patched from `policy/v1beta1` to `policy/v1` (k8s 1.25+ compatibility)
  • ArgoCD platform ApplicationSet updated to include consul overlay path
  • Clients disabled (server-only deployment)
  • ConnectInject disabled (can be enabled later for service mesh)

Requires

  • PR #147 (artifactapi: add hashicorp/consul to docker immutable patterns) to be merged first

Test plan

  • Sandbox tested in `sandbox-consul`: all 5 server pods 1/1 Running, cluster formed
  • After merge: ArgoCD syncs consul namespace
  • Verify `consul.k8s.syd1.au.unkin.net` is accessible via Gateway
unkinben added 1 commit 2026-05-23 18:50:28 +10:00
feat(consul): deploy HashiCorp Consul 1.22.7 via Helm chart 1.9.7
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
0c73cc7594
5-replica server cluster (bootstrapExpect=5) with datacenter=au-syd1,
connect enabled, raft_multiplier=10, http=8500, grpc=8502, https=-1.
10Gi cephrbd-fast-delete PVC. Gateway API HTTPRoute on 443→consul-consul-ui:80→8500.
PDB patched from policy/v1beta1 to policy/v1 for k8s 1.25+.
ArgoCD platform ApplicationSet updated to include consul overlay path.
unkinben reviewed 2026-05-23 21:58:40 +10:00
@@ -0,0 +9,4 @@
app.kubernetes.io/instance: consul
spec:
hostnames:
- consul.k8s.syd1.au.unkin.net
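Review bot: The `hostnames` entry `consul.k8s.syd1.au.unkin.net` publishes the backend through the gateway, and per the PR summary that backend ends at Consul's HTTP port 8500, which serves the full HTTP API as well as the UI. The summary lists HTTPS as disabled on Consul and says nothing about ACLs, so state in the PR whether ACLs are enabled in the values, and if they are not, limit who can reach this route before it is synced.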
Author
Owner

it should also respond to consul.service.consul

unkinben marked this conversation as resolved
unkinben reviewed 2026-05-23 22:01:47 +10:00
@@ -0,0 +20,4 @@
"raft_multiplier": 10
},
"ports": {
"dns": 8600,
Author
Owner

ensure the dns service is reachable outside the cluster. on the current prod consul service i exposed the dns via dnsmasq with an anycast address. the 198.18.200.* range are anycast through purelb so we can replicate this. if we can use a udproute (is there a crd for this?) or add an ip to the service.

```
[sysadmin@ausyd1nxvm2008 ~]$ cat /etc/dnsmasq.d/10-consul.conf
server=/consul/198.18.28.53#8600
listen-address=198.18.19.14
```
unkinben marked this conversation as resolved
unkinben reviewed 2026-05-23 22:02:28 +10:00
@@ -0,0 +5,4 @@
resources:
- ../../../base/consul
patches:
Author
Owner

I prefer patches to be file with yaml.

unkinben marked this conversation as resolved
unkinben reviewed 2026-05-23 22:03:51 +10:00
@@ -0,0 +7,4 @@
patches:
- target:
kind: PodDisruptionBudget
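Review bot: The patch `target` shown here selects on `kind: PodDisruptionBudget` alone; if no `name` follows in the lines below, the patch applies to every PodDisruptionBudget this overlay renders. Add the server PDB's `name` to the target so that a second PDB introduced later, for example by enabling another chart component, is not rewritten by accident.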
Author
Owner

patches should be yaml files.
ensure the maxunavailable is 1
we dont need the sandbox overlays.

unkinben marked this conversation as resolved
unkinben added 1 commit 2026-05-23 22:11:48 +10:00
feat(consul): address PR review feedback
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was canceled
f224b17ca1
- Fix consul HTTPRoute backend: consul-consul-ui -> consul-ui
- Add consul.service.consul hostname to Gateway (cert SAN) and HTTPRoute
- Add consul-svc listener on 443 for consul.service.consul SNI routing
- Convert PDB inline patch to patches/consul-server-pdb.yaml
- Set server.disruptionBudget.maxUnavailable: 1 explicitly in values
- Expose consul DNS service as LoadBalancer (purelb 198.18.200.5) for anycast
- Remove sandbox overlay (not needed in production GitOps)
unkinben added 1 commit 2026-05-23 22:12:39 +10:00
fix(consul): use correct cert-manager alt-names annotation for consul.service.consul SAN
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was canceled
d03203afee
unkinben added 1 commit 2026-05-23 22:13:27 +10:00
feat(consul): add HTTP→HTTPS redirect on port 80
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
646f4e1af1
unkinben added 1 commit 2026-05-23 22:38:09 +10:00
fix(consul): use helmCharts.apiVersions to render policy/v1 PDB natively
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
ed1ecc00cc
Pass --api-versions policy/v1/PodDisruptionBudget to helm template so the
consul chart's capability check succeeds and renders policy/v1 directly,
removing the need for an apiVersion patch.
unkinben merged commit 11ac2ae91e into main 2026-05-23 22:40:49 +10:00
unkinben deleted branch benvin/consul 2026-05-23 22:40:49 +10:00
Reference: unkin/argocd-apps#149