feat(consul): deploy HashiCorp Consul 1.22.7 via Helm chart (5-replica cluster) #149

Merged
unkinben merged 5 commits from benvin/consul into main 2026-05-23 22:40:49 +10:00
7 changed files with 210 additions and 0 deletions
@@ -0,0 +1,51 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: consul
namespace: consul
labels:
app.kubernetes.io/name: consul
app.kubernetes.io/instance: consul
traefik.io/instance: internal
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: consul.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
cert-manager.io/alt-names: consul.service.consul
external-dns.alpha.kubernetes.io/hostname: consul.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.4
spec:
gatewayClassName: traefik-internal
listeners:
- name: http
port: 80
protocol: HTTP
hostname: consul.k8s.syd1.au.unkin.net
allowedRoutes:
namespaces:
from: Same
- name: https
port: 443
protocol: HTTPS
hostname: consul.k8s.syd1.au.unkin.net
allowedRoutes:
namespaces:
from: Same
tls:
mode: Terminate
certificateRefs:
- kind: Secret
name: consul-tls
- name: consul-svc
port: 443
protocol: HTTPS
hostname: consul.service.consul
allowedRoutes:
namespaces:
from: Same
tls:
mode: Terminate
certificateRefs:
- kind: Secret
name: consul-tls
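Review bot: the `http` listener on port 80 is restricted to hostname consul.k8s.syd1.au.unkin.net, while the `consul-svc` listener terminates TLS for consul.service.consul; there is no port-80 listener for that second hostname, so no HTTP-to-HTTPS redirect route can attach for it and plain-HTTP requests to consul.service.consul get nothing from this gateway. Either add a second HTTP listener with `hostname: consul.service.consul` or drop the `hostname` from the `http` listener so it matches both names. Also worth a comment in the file: `cert-manager.io/alt-names: consul.service.consul` is what lets the single `consul-tls` Secret back both HTTPS listeners, so the annotation and the listener hostnames must be kept in sync.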
@@ -0,0 +1,71 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: consul-http-redirect
namespace: consul
labels:
app.kubernetes.io/name: consul
app.kubernetes.io/instance: consul
spec:
hostnames:
- consul.k8s.syd1.au.unkin.net
unkinben marked this conversation as resolved (Outdated)
Review

it should also respond to consul.service.consul
parentRefs:
- name: consul
sectionName: http
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
matches:
- path:
type: PathPrefix
value: /
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: consul
namespace: consul
labels:
app.kubernetes.io/name: consul
app.kubernetes.io/instance: consul
spec:
hostnames:
- consul.k8s.syd1.au.unkin.net
parentRefs:
- name: consul
sectionName: https
rules:
- backendRefs:
- name: consul-ui
port: 80
matches:
- path:
type: PathPrefix
value: /
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: consul-svc
namespace: consul
labels:
app.kubernetes.io/name: consul
app.kubernetes.io/instance: consul
spec:
hostnames:
- consul.service.consul
parentRefs:
- name: consul
sectionName: consul-svc
rules:
- backendRefs:
- name: consul-ui
port: 80
matches:
- path:
type: PathPrefix
value: /
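Review bot: the `consul-http-redirect` route still lists only consul.k8s.syd1.au.unkin.net under `hostnames`, so the earlier comment ("it should also respond to consul.service.consul") is only half addressed: the new `consul-svc` HTTPRoute serves that name over HTTPS, but there is no redirect for it, and the `consul` and `consul-svc` routes are copies that differ only in hostname and `sectionName`. Consider one HTTPS route listing both hostnames with a `parentRefs` entry per listener section, and add consul.service.consul to the redirect route's `hostnames` (which also needs a matching port-80 listener on the Gateway). Both routes send traffic to `consul-ui` port 80, i.e. plaintext inside the cluster after TLS terminates at Traefik; acceptable for an internal gateway, but it should be a recorded decision rather than an accident.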
@@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- gateway.yaml
- httproute.yaml
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: consul
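Review bot: the `consul` Namespace carries none of the `app.kubernetes.io/*` labels used on the Gateway and HTTPRoutes, and no `pod-security.kubernetes.io/enforce` label; since the server pods mount persistent volumes and expose a LoadBalancer DNS service, label the namespace with an explicit Pod Security Admission level (at least `baseline`) so the policy is stated here rather than inherited from whatever the cluster default happens to be.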
@@ -0,0 +1,16 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/consul
helmCharts:
- name: consul
repo: https://helm.releases.hashicorp.com
unkinben marked this conversation as resolved (Outdated)
Review

patches should be yaml files.
ensure the maxunavailable is 1
we don't need the sandbox overlays.
version: "1.9.7"
releaseName: consul
namespace: consul
valuesFile: values.yaml
apiVersions:
- policy/v1/PodDisruptionBudget
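Review bot: the chart `version: "1.9.7"` and the server image `hashicorp/consul:1.22.7` pinned in values.yaml (per the PR title) are versioned independently; add a comment recording that this chart/app pairing was checked, because bumping one without the other is the usual way a Helm-managed Consul drifts. The `apiVersions: - policy/v1/PodDisruptionBudget` entry is needed because `helm template` under Kustomize has no live cluster to discover capabilities from; without it the chart cannot see that `policy/v1` exists and may render the PodDisruptionBudget under an older API version, so keep it alongside `disruptionBudget.maxUnavailable: 1` that the earlier review asked for. The resolved comment also asked for patches as YAML files, yet this hunk has no `patches:` block at all; if the intent was to fold everything into `valuesFile: values.yaml`, say so in the commit message.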
@@ -0,0 +1,58 @@
global:
name: consul
datacenter: au-syd1
domain: consul
server:
image: hashicorp/consul:1.22.7
replicas: 5
bootstrapExpect: 5
storage: 10Gi
storageClass: cephrbd-fast-delete
connect: true
disruptionBudget:
maxUnavailable: 1
extraConfig: |
{
"disable_remote_exec": true,
"disable_update_check": true,
"performance": {
"raft_multiplier": 10
unkinben marked this conversation as resolved
Review

ensure the dns service is reachable outside the cluster. on the current prod consul service I exposed the dns via dnsmasq with an anycast address. the 198.18.200.* range is anycast through purelb so we can replicate this. if we can use a udproute (is there a crd for this?) or add an ip to the service.

```
[sysadmin@ausyd1nxvm2008 ~]$ cat /etc/dnsmasq.d/10-consul.conf
server=/consul/198.18.28.53#8600
listen-address=198.18.19.14
```
},
"ports": {
"dns": 8600,
"grpc": 8502,
"http": 8500,
"https": -1
},
"primary_datacenter": "au-syd1"
}
resources:
requests:
memory: 256Mi
cpu: 100m
limits:
memory: 2Gi
cpu: 1000m
client:
enabled: false
ui:
enabled: true
service:
type: ClusterIP
connectInject:
enabled: false
dns:
enabled: true
type: LoadBalancer
annotations: |
purelb.io/service-group: "common"
purelb.io/addresses: 198.18.200.5
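Review bot: nothing in this values file enables `global.tls` or `global.acls`, and `extraConfig` sets `"http": 8500` with `"https": -1`, so the server HTTP API, the UI backend and server-to-server RPC run unauthenticated and in plaintext; TLS exists only at the Traefik gateway in front of `consul-ui`. With DNS exposed on 198.18.200.5 via PureLB and the UI reachable across the internal network, enable `global.tls.enabled: true`, `global.acls.manageSystemACLs: true` and gossip encryption (`global.gossipEncryption`) before this lands on the main overlay, or record in a comment why they are deferred. Separately, `"raft_multiplier": 10` is the slowest value Consul accepts (range 1 to 10) and stretches leader-election timeouts; for a five-server production cluster the documented recommendation is 1, so either lower it or comment the reason. `bootstrapExpect: 5` with `replicas: 5` and `maxUnavailable: 1` is consistent, as the earlier review asked, and `disable_remote_exec: true` plus `disable_update_check: true` are the right defaults to keep.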
@@ -15,6 +15,7 @@ spec:
- path: apps/overlays/*/cert-manager
- path: apps/overlays/*/certificates
- path: apps/overlays/*/cnpg-system
- path: apps/overlays/*/consul
- path: apps/overlays/*/elastic-system
- path: apps/overlays/*/externaldns
- path: apps/overlays/*/inteldeviceplugins-system