From 0c73cc7594085480b40dc1114b3cf02e73cb5602 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 23 May 2026 18:50:08 +1000 Subject: [PATCH 1/5] feat(consul): deploy HashiCorp Consul 1.22.7 via Helm chart 1.9.7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 5-replica server cluster (bootstrapExpect=5) with datacenter=au-syd1, connect enabled, raft_multiplier=10, http=8500, grpc=8502, https=-1. 10Gi cephrbd-fast-delete PVC. Gateway API HTTPRoute on 443→consul-consul-ui:80→8500. PDB patched from policy/v1beta1 to policy/v1 for k8s 1.25+. ArgoCD platform ApplicationSet updated to include consul overlay path. --- apps/base/consul/gateway.yaml | 31 +++++++++++ apps/base/consul/httproute.yaml | 23 +++++++++ apps/base/consul/kustomization.yaml | 8 +++ apps/base/consul/namespace.yaml | 5 ++ .../au-syd1/consul/kustomization.yaml | 23 +++++++++ apps/overlays/au-syd1/consul/values.yaml | 51 +++++++++++++++++++ .../sandbox/consul/kustomization.yaml | 44 ++++++++++++++++ apps/overlays/sandbox/consul/values.yaml | 51 +++++++++++++++++++ argocd/applicationsets/platform.yaml | 1 + 9 files changed, 237 insertions(+) create mode 100644 apps/base/consul/gateway.yaml create mode 100644 apps/base/consul/httproute.yaml create mode 100644 apps/base/consul/kustomization.yaml create mode 100644 apps/base/consul/namespace.yaml create mode 100644 apps/overlays/au-syd1/consul/kustomization.yaml create mode 100644 apps/overlays/au-syd1/consul/values.yaml create mode 100644 apps/overlays/sandbox/consul/kustomization.yaml create mode 100644 apps/overlays/sandbox/consul/values.yaml diff --git a/apps/base/consul/gateway.yaml b/apps/base/consul/gateway.yaml new file mode 100644 index 0000000..90b717e --- /dev/null +++ b/apps/base/consul/gateway.yaml 
@@ -0,0 +1,31 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: consul + namespace: consul + labels: + app.kubernetes.io/name: consul + app.kubernetes.io/instance: consul + traefik.io/instance: internal + annotations: + cert-manager.io/cluster-issuer: vault-issuer + cert-manager.io/common-name: consul.k8s.syd1.au.unkin.net + cert-manager.io/private-key-size: "4096" + external-dns.alpha.kubernetes.io/hostname: consul.k8s.syd1.au.unkin.net + external-dns.alpha.kubernetes.io/target: 198.18.200.4 +spec: + gatewayClassName: traefik-internal + listeners: + - name: https + port: 443 + protocol: HTTPS + hostname: consul.k8s.syd1.au.unkin.net + allowedRoutes: + namespaces: + from: Same + tls: + mode: Terminate + certificateRefs: + - kind: Secret + name: consul-tls diff --git a/apps/base/consul/httproute.yaml b/apps/base/consul/httproute.yaml new file mode 100644 index 0000000..c7ad926 --- /dev/null +++ b/apps/base/consul/httproute.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: consul + namespace: consul + labels: + app.kubernetes.io/name: consul + app.kubernetes.io/instance: consul +spec: + hostnames: + - consul.k8s.syd1.au.unkin.net + parentRefs: + - name: consul + sectionName: https + rules: + - backendRefs: + - name: consul-consul-ui + port: 80 + matches: + - path: + type: PathPrefix + value: / diff --git a/apps/base/consul/kustomization.yaml b/apps/base/consul/kustomization.yaml new file mode 100644 index 0000000..2c2b5da --- /dev/null +++ b/apps/base/consul/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - namespace.yaml + - gateway.yaml + - httproute.yaml diff --git a/apps/base/consul/namespace.yaml b/apps/base/consul/namespace.yaml new file mode 100644 index 0000000..e91e994 --- /dev/null +++ b/apps/base/consul/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: consul 
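Review bot: The `PathPrefix /` rule sends everything on the UI hostname to the Consul HTTP port, and the server's `/v1/*` agent API is served on that same port, so anyone who can reach the gateway gets full API access (KV writes, service deregistration, intention changes), not just the UI — and nothing in the values turns on ACLs or puts an auth layer in front. Decide which surface is intended: if it is UI-only, add an `ExtensionRef` filter pointing at a Traefik forward-auth middleware (or at least a rule that diverts `/v1` away from the backend), and if the API is intended, ACLs with a default-deny policy are the control that makes this route safe. Either way a one-line comment above `rules:` stating that the UI backend is the raw API port would stop the next reader assuming this is a static-asset route.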
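Review bot: The namespace carries no Pod Security Admission labels, so the consul server pods run under whatever profile the cluster defaults to. Consul servers do not need host namespaces or privileged containers, so `pod-security.kubernetes.io/enforce: baseline` with `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` under `metadata.labels` is a cheap guardrail. I have not verified that the chart's default securityContext passes `restricted`, so start enforcing at `baseline` and read the warn/audit output before tightening.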
diff --git a/apps/overlays/au-syd1/consul/kustomization.yaml b/apps/overlays/au-syd1/consul/kustomization.yaml new file mode 100644 index 0000000..1e3fbef --- /dev/null +++ b/apps/overlays/au-syd1/consul/kustomization.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../../base/consul + +patches: + - target: + kind: PodDisruptionBudget + name: consul-server + patch: |- + - op: replace + path: /apiVersion + value: policy/v1 + +helmCharts: + - name: consul + repo: https://helm.releases.hashicorp.com + version: "1.9.7" + releaseName: consul + namespace: consul + valuesFile: values.yaml diff --git a/apps/overlays/au-syd1/consul/values.yaml b/apps/overlays/au-syd1/consul/values.yaml new file mode 100644 index 0000000..1f967ac --- /dev/null +++ b/apps/overlays/au-syd1/consul/values.yaml @@ -0,0 +1,51 @@ +global: + name: consul + datacenter: au-syd1 + domain: consul + +server: + image: hashicorp/consul:1.22.7 + replicas: 5 + bootstrapExpect: 5 + storage: 10Gi + storageClass: cephrbd-fast-delete + + connect: true + + extraConfig: | + { + "disable_remote_exec": true, + "disable_update_check": true, + "performance": { + "raft_multiplier": 10 + }, + "ports": { + "dns": 8600, + "grpc": 8502, + "http": 8500, + "https": -1 + }, + "primary_datacenter": "au-syd1" + } + + resources: + requests: + memory: 256Mi + cpu: 100m + limits: + memory: 2Gi + cpu: 1000m + +client: + enabled: false + +ui: + enabled: true + service: + type: ClusterIP + +connectInject: + enabled: false + +dns: + enabled: true diff --git a/apps/overlays/sandbox/consul/kustomization.yaml b/apps/overlays/sandbox/consul/kustomization.yaml new file mode 100644 index 0000000..e88dcea --- /dev/null +++ b/apps/overlays/sandbox/consul/kustomization.yaml 
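Review bot: These values leave the cluster on Consul's defaults for ACLs, gossip encryption and API TLS — none of `global.acls`, `global.gossipEncryption` or `global.tls` is set, and `"https": -1` in `extraConfig` explicitly turns the HTTPS listener off — so anything that can reach 8500/8502 has unauthenticated read/write to the KV store, catalog and Connect intentions, and serf gossip between the servers is cleartext. With a Vault CA already in the cluster this is worth closing before the UI is published through the gateway; the values below enable all three using the chart's built-in bootstrap. If `global.tls` is enabled, drop `"https": -1` from `extraConfig`, since the chart's own TLS listener settings and the extra config file are merged and I would not rely on which one wins. Separately, `raft_multiplier: 10` is the slowest value the docs allow (1 is the documented production setting), which lengthens leader-failure detection on this 5-node cluster; an availability point rather than a security one, but it deserves a `# why` comment if intentional.
```yaml
global:
  # … unchanged: name, datacenter, domain …
  acls:
    manageSystemACLs: true   # bootstrap ACLs with default-deny and per-component tokens
  gossipEncryption:
    autoGenerate: true       # chart generates and stores the serf keyring secret
  tls:
    enabled: true            # RPC and HTTP API over TLS; chart-managed CA unless caCert/caKey are supplied
    verify: true
# … unchanged: server, client, ui, connectInject, dns …
```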
@@ -0,0 +1,44 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../../base/consul + +patches: + - target: + kind: Namespace + name: consul + patch: |- + - op: replace + path: /metadata/name + value: sandbox-consul + - target: + kind: Gateway + name: consul + patch: |- + - op: replace + path: /metadata/namespace + value: sandbox-consul + - target: + kind: HTTPRoute + name: consul + patch: |- + - op: replace + path: /metadata/namespace + value: sandbox-consul + - target: + kind: PodDisruptionBudget + name: consul-server + patch: |- + - op: replace + path: /apiVersion + value: policy/v1 + +helmCharts: + - name: consul + repo: https://helm.releases.hashicorp.com + version: "1.9.7" + releaseName: consul + namespace: sandbox-consul + valuesFile: values.yaml diff --git a/apps/overlays/sandbox/consul/values.yaml b/apps/overlays/sandbox/consul/values.yaml new file mode 100644 index 0000000..1f967ac --- /dev/null +++ b/apps/overlays/sandbox/consul/values.yaml @@ -0,0 +1,51 @@ +global: + name: consul + datacenter: au-syd1 + domain: consul + +server: + image: hashicorp/consul:1.22.7 + replicas: 5 + bootstrapExpect: 5 + storage: 10Gi + storageClass: cephrbd-fast-delete + + connect: true + + extraConfig: | + { + "disable_remote_exec": true, + "disable_update_check": true, + "performance": { + "raft_multiplier": 10 + }, + "ports": { + "dns": 8600, + "grpc": 8502, + "http": 8500, + "https": -1 + }, + "primary_datacenter": "au-syd1" + } + + resources: + requests: + memory: 256Mi + cpu: 100m + limits: + memory: 2Gi + cpu: 1000m + +client: + enabled: false + +ui: + enabled: true + service: + type: ClusterIP + +connectInject: + enabled: false + +dns: + enabled: true diff --git a/argocd/applicationsets/platform.yaml b/argocd/applicationsets/platform.yaml index 218d5ea..040ad30 100644 --- a/argocd/applicationsets/platform.yaml +++ b/argocd/applicationsets/platform.yaml 
@@ -15,6 +15,7 @@ spec: - path: apps/overlays/*/cert-manager - path: apps/overlays/*/certificates - path: apps/overlays/*/cnpg-system + - path: apps/overlays/*/consul - path: apps/overlays/*/elastic-system - path: apps/overlays/*/externaldns - path: apps/overlays/*/inteldeviceplugins-system -- 2.47.3 From f224b17ca14f64529d5e6e5202f6e12cb493d5b2 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 23 May 2026 22:11:41 +1000 Subject: [PATCH 2/5] feat(consul): address PR review feedback - Fix consul HTTPRoute backend: consul-consul-ui -> consul-ui - Add consul.service.consul hostname to Gateway (cert SAN) and HTTPRoute - Add consul-svc listener on 443 for consul.service.consul SNI routing - Convert PDB inline patch to patches/consul-server-pdb.yaml - Set server.disruptionBudget.maxUnavailable: 1 explicitly in values - Expose consul DNS service as LoadBalancer (purelb 198.18.200.5) for anycast - Remove sandbox overlay (not needed in production GitOps) --- apps/base/consul/gateway.yaml | 13 +++++ apps/base/consul/httproute.yaml | 25 ++++++++- .../au-syd1/consul/kustomization.yaml | 7 +-- .../consul/patches/consul-server-pdb.yaml | 3 ++ apps/overlays/au-syd1/consul/values.yaml | 7 +++ .../sandbox/consul/kustomization.yaml | 44 ---------------- apps/overlays/sandbox/consul/values.yaml | 51 ------------------- 7 files changed, 49 insertions(+), 101 deletions(-) create mode 100644 apps/overlays/au-syd1/consul/patches/consul-server-pdb.yaml delete mode 100644 apps/overlays/sandbox/consul/kustomization.yaml delete mode 100644 apps/overlays/sandbox/consul/values.yaml diff --git a/apps/base/consul/gateway.yaml b/apps/base/consul/gateway.yaml index 90b717e..5eadb41 100644 --- a/apps/base/consul/gateway.yaml +++ b/apps/base/consul/gateway.yaml 
@@ -12,6 +12,7 @@ metadata: cert-manager.io/cluster-issuer: vault-issuer cert-manager.io/common-name: consul.k8s.syd1.au.unkin.net cert-manager.io/private-key-size: "4096" + cert-manager.io/subject-alternative-names: consul.service.consul external-dns.alpha.kubernetes.io/hostname: consul.k8s.syd1.au.unkin.net external-dns.alpha.kubernetes.io/target: 198.18.200.4 spec: @@ -29,3 +30,15 @@ spec: certificateRefs: - kind: Secret name: consul-tls + - name: consul-svc + port: 443 + protocol: HTTPS + hostname: consul.service.consul + allowedRoutes: + namespaces: + from: Same + tls: + mode: Terminate + certificateRefs: + - kind: Secret + name: consul-tls diff --git a/apps/base/consul/httproute.yaml b/apps/base/consul/httproute.yaml index c7ad926..b3179f9 100644 --- a/apps/base/consul/httproute.yaml +++ b/apps/base/consul/httproute.yaml @@ -15,7 +15,30 @@ spec: sectionName: https rules: - backendRefs: - - name: consul-consul-ui + - name: consul-ui + port: 80 + matches: + - path: + type: PathPrefix + value: / +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: consul-svc + namespace: consul + labels: + app.kubernetes.io/name: consul + app.kubernetes.io/instance: consul +spec: + hostnames: + - consul.service.consul + parentRefs: + - name: consul + sectionName: consul-svc + rules: + - backendRefs: + - name: consul-ui port: 80 matches: - path: diff --git a/apps/overlays/au-syd1/consul/kustomization.yaml b/apps/overlays/au-syd1/consul/kustomization.yaml index 1e3fbef..7b5c54f 100644 --- a/apps/overlays/au-syd1/consul/kustomization.yaml +++ b/apps/overlays/au-syd1/consul/kustomization.yaml @@ -6,13 +6,10 @@ resources: - ../../../base/consul patches: - - target: + - path: patches/consul-server-pdb.yaml + target: kind: PodDisruptionBudget name: consul-server - patch: |- - - op: replace - path: /apiVersion - value: policy/v1 helmCharts: - name: consul 
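Review bot: The new `consul-svc` listener terminates TLS for `consul.service.consul`, but by default that name is answered by Consul DNS itself with the addresses of the `consul` service the servers auto-register — the server pods on 8500, not the gateway VIP — so I would expect this listener to see traffic only if something else resolves the name to 198.18.200.4; worth stating the intended resolver path in a comment on the listener. If it is meant to be hit, clients using a `.consul` name must trust the CA behind `vault-issuer`, and the PKI role behind that issuer has to permit `consul` as an allowed domain or issuance of `consul-tls` will fail once that SAN is requested. Also note that cert-manager's Gateway support derives DNS SANs from the `hostname` of every listener that references `consul-tls`, so the SAN may already be covered by this listener without any annotation.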
diff --git a/apps/overlays/au-syd1/consul/patches/consul-server-pdb.yaml b/apps/overlays/au-syd1/consul/patches/consul-server-pdb.yaml new file mode 100644 index 0000000..4825a6c --- /dev/null +++ b/apps/overlays/au-syd1/consul/patches/consul-server-pdb.yaml @@ -0,0 +1,3 @@ +- op: replace + path: /apiVersion + value: policy/v1 diff --git a/apps/overlays/au-syd1/consul/values.yaml b/apps/overlays/au-syd1/consul/values.yaml index 1f967ac..86a49b0 100644 --- a/apps/overlays/au-syd1/consul/values.yaml +++ b/apps/overlays/au-syd1/consul/values.yaml @@ -12,6 +12,9 @@ server: connect: true + disruptionBudget: + maxUnavailable: 1 + extraConfig: | { "disable_remote_exec": true, @@ -49,3 +52,7 @@ connectInject: dns: enabled: true + type: LoadBalancer + annotations: | + purelb.io/service-group: "common" + purelb.io/addresses: 198.18.200.5 diff --git a/apps/overlays/sandbox/consul/kustomization.yaml b/apps/overlays/sandbox/consul/kustomization.yaml deleted file mode 100644 index e88dcea..0000000 --- a/apps/overlays/sandbox/consul/kustomization.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - ../../../base/consul - -patches: - - target: - kind: Namespace - name: consul - patch: |- - - op: replace - path: /metadata/name - value: sandbox-consul - - target: - kind: Gateway - name: consul - patch: |- - - op: replace - path: /metadata/namespace - value: sandbox-consul - - target: - kind: HTTPRoute - name: consul - patch: |- - - op: replace - path: /metadata/namespace - value: sandbox-consul - - target: - kind: PodDisruptionBudget - name: consul-server - patch: |- - - op: replace - path: /apiVersion - value: policy/v1 - -helmCharts: - - name: consul - repo: https://helm.releases.hashicorp.com - version: "1.9.7" - releaseName: consul - namespace: sandbox-consul - valuesFile: values.yaml 
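Review bot: Publishing the DNS service on 198.18.200.5 exposes the Consul catalog to every host that can route to that VIP — each `<name>.service.consul` and `<node>.node.consul` lookup answers, so this doubles as an unauthenticated service-discovery enumerator, and ACLs alone will not close it because Consul DNS answers with the agent's default token. An open UDP resolver on a routable address is also a reflection vector if that range is reachable from anything untrusted. If the VIP is only for internal anycast forwarders, restrict it on the Service with `loadBalancerSourceRanges` (the chart's `dns.additionalSpec` takes raw ServiceSpec fields, if this chart version exposes it) and keep the cluster's CoreDNS forward rule as the only consumer.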
diff --git a/apps/overlays/sandbox/consul/values.yaml b/apps/overlays/sandbox/consul/values.yaml deleted file mode 100644 index 1f967ac..0000000 --- a/apps/overlays/sandbox/consul/values.yaml +++ /dev/null @@ -1,51 +0,0 @@ -global: - name: consul - datacenter: au-syd1 - domain: consul - -server: - image: hashicorp/consul:1.22.7 - replicas: 5 - bootstrapExpect: 5 - storage: 10Gi - storageClass: cephrbd-fast-delete - - connect: true - - extraConfig: | - { - "disable_remote_exec": true, - "disable_update_check": true, - "performance": { - "raft_multiplier": 10 - }, - "ports": { - "dns": 8600, - "grpc": 8502, - "http": 8500, - "https": -1 - }, - "primary_datacenter": "au-syd1" - } - - resources: - requests: - memory: 256Mi - cpu: 100m - limits: - memory: 2Gi - cpu: 1000m - -client: - enabled: false - -ui: - enabled: true - service: - type: ClusterIP - -connectInject: - enabled: false - -dns: - enabled: true -- 2.47.3 From d03203afeeeca90d501fcfe6d34cb36211f77f15 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 23 May 2026 22:12:34 +1000 Subject: [PATCH 3/5] fix(consul): use correct cert-manager alt-names annotation for consul.service.consul SAN --- apps/base/consul/gateway.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/base/consul/gateway.yaml b/apps/base/consul/gateway.yaml index 5eadb41..62d37e4 100644 --- a/apps/base/consul/gateway.yaml +++ b/apps/base/consul/gateway.yaml @@ -12,7 +12,7 @@ metadata: cert-manager.io/cluster-issuer: vault-issuer cert-manager.io/common-name: consul.k8s.syd1.au.unkin.net cert-manager.io/private-key-size: "4096" - cert-manager.io/subject-alternative-names: consul.service.consul + cert-manager.io/alt-names: consul.service.consul external-dns.alpha.kubernetes.io/hostname: consul.k8s.syd1.au.unkin.net external-dns.alpha.kubernetes.io/target: 198.18.200.4 spec: -- 2.47.3 From 646f4e1af17bb4f1986d0f93c35ffcbff1ae2deb Mon Sep 17 00:00:00 2001 
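Review bot: I do not believe `cert-manager.io/alt-names` is a request-side annotation either — it is the key cert-manager writes onto the issued Secret to record the certificate's DNS names — so this rename probably does not change what is requested; please check the generated Certificate's `spec.dnsNames` after sync. cert-manager's Gateway integration builds `dnsNames` from the `hostname` of every listener that references the `consul-tls` secret, and the `consul-svc` listener already names `consul.service.consul`, so the annotation can likely be dropped rather than renamed. If an explicit SAN list is wanted, a standalone `Certificate` resource with `dnsNames` is the supported way to express it.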
From: Ben Vincent Date: Sat, 23 May 2026 22:13:24 +1000 Subject: [PATCH 4/5] =?UTF-8?q?feat(consul):=20add=20HTTP=E2=86=92HTTPS=20?= =?UTF-8?q?redirect=20on=20port=2080?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/base/consul/gateway.yaml | 7 +++++++ apps/base/consul/httproute.yaml | 25 +++++++++++++++++++++++++ 2 files changed, 32 insertions(+) diff --git a/apps/base/consul/gateway.yaml b/apps/base/consul/gateway.yaml index 62d37e4..30d7e9f 100644 --- a/apps/base/consul/gateway.yaml +++ b/apps/base/consul/gateway.yaml @@ -18,6 +18,13 @@ metadata: spec: gatewayClassName: traefik-internal listeners: + - name: http + port: 80 + protocol: HTTP + hostname: consul.k8s.syd1.au.unkin.net + allowedRoutes: + namespaces: + from: Same - name: https port: 443 protocol: HTTPS diff --git a/apps/base/consul/httproute.yaml b/apps/base/consul/httproute.yaml index b3179f9..53297f6 100644 --- a/apps/base/consul/httproute.yaml +++ b/apps/base/consul/httproute.yaml @@ -1,6 +1,31 @@ --- apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute +metadata: + name: consul-http-redirect + namespace: consul + labels: + app.kubernetes.io/name: consul + app.kubernetes.io/instance: consul +spec: + hostnames: + - consul.k8s.syd1.au.unkin.net + parentRefs: + - name: consul + sectionName: http + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 + matches: + - path: + type: PathPrefix + value: / +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute metadata: name: consul namespace: consul -- 2.47.3 From ed1ecc00cc90355bda0f9cf1df56d01ef311a105 Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Sat, 23 May 2026 22:37:58 +1000 Subject: [PATCH 5/5] fix(consul): use helmCharts.apiVersions to render policy/v1 PDB natively Pass --api-versions policy/v1/PodDisruptionBudget to helm template so the consul chart's capability check succeeds and renders policy/v1 directly, removing the need for an apiVersion patch. --- apps/overlays/au-syd1/consul/kustomization.yaml | 8 ++------ .../au-syd1/consul/patches/consul-server-pdb.yaml | 3 --- 2 files changed, 2 insertions(+), 9 deletions(-) delete mode 100644 apps/overlays/au-syd1/consul/patches/consul-server-pdb.yaml diff --git a/apps/overlays/au-syd1/consul/kustomization.yaml b/apps/overlays/au-syd1/consul/kustomization.yaml index 7b5c54f..bbc6c94 100644 --- a/apps/overlays/au-syd1/consul/kustomization.yaml +++ b/apps/overlays/au-syd1/consul/kustomization.yaml @@ -5,12 +5,6 @@ kind: Kustomization resources: - ../../../base/consul -patches: - - path: patches/consul-server-pdb.yaml - target: - kind: PodDisruptionBudget - name: consul-server - helmCharts: - name: consul repo: https://helm.releases.hashicorp.com @@ -18,3 +12,5 @@ helmCharts: releaseName: consul namespace: consul valuesFile: values.yaml + apiVersions: + - policy/v1/PodDisruptionBudget diff --git a/apps/overlays/au-syd1/consul/patches/consul-server-pdb.yaml b/apps/overlays/au-syd1/consul/patches/consul-server-pdb.yaml deleted file mode 100644 index 4825a6c..0000000 --- a/apps/overlays/au-syd1/consul/patches/consul-server-pdb.yaml +++ /dev/null @@ -1,3 +0,0 @@ -- op: replace - path: /apiVersion - value: policy/v1 -- 2.47.3