agentless: support updating health checks on consul clients during an…

… upgrade to agentless
hashicorp · Nov 9, 2022 · da5d6c5 · da5d6c5
1 parent d076b7c
commit da5d6c5
Show file tree

Hide file tree

Showing 13 changed files with 696 additions and 260 deletions.
diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml
@@ -82,9 +82,9 @@ spec:
         - name: sidecar-injector
           image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}"
           ports:
-          - containerPort: 8080
-            name: webhook-server
-            protocol: TCP
+            - containerPort: 8080
+              name: webhook-server
+              protocol: TCP
           env:
             - name: NAMESPACE
               valueFrom:
@@ -239,24 +239,12 @@ spec:
                 {{- end }}
                 {{- end }}
 
-                {{- if .Values.global.consulSidecarContainer }}
-                {{- $consulSidecarResources := .Values.global.consulSidecarContainer.resources }}
-                {{- if not (kindIs "invalid" $consulSidecarResources.limits.memory) }}
-                -default-consul-sidecar-memory-limit={{ $consulSidecarResources.limits.memory }} \
-                {{- end }}
-                {{- if not (kindIs "invalid" $consulSidecarResources.requests.memory) }}
-                -default-consul-sidecar-memory-request={{ $consulSidecarResources.requests.memory }} \
-                {{- end }}
-                {{- if not (kindIs "invalid" $consulSidecarResources.limits.cpu) }}
-                -default-consul-sidecar-cpu-limit={{ $consulSidecarResources.limits.cpu }} \
-                {{- end }}
-                {{- if not (kindIs "invalid" $consulSidecarResources.requests.cpu) }}
-                -default-consul-sidecar-cpu-request={{ $consulSidecarResources.requests.cpu }} \
-                {{- end }}
-                {{- end }}
                 {{- if .Values.global.cloud.enabled }}
                 -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \
                 {{- end }}
+                {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }}
+                -enable-auto-encrypt \
+                {{- end }}
           startupProbe:
             httpGet:
               path: /readyz/ready
@@ -286,38 +274,38 @@ spec:
             timeoutSeconds: 5
           volumeMounts:
           {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }}
-          - name: certs
-            mountPath: /etc/connect-injector/certs
-            readOnly: true
+            - name: certs
+              mountPath: /etc/connect-injector/certs
+              readOnly: true
           {{- end }}
           {{- if and .Values.global.tls.enabled (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots))}}
-          - name: consul-ca-cert
-            mountPath: /consul/tls/ca
-            readOnly: true
+            - name: consul-ca-cert
+              mountPath: /consul/tls/ca
+              readOnly: true
           {{- end }}
           {{- with .Values.connectInject.resources }}
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
       volumes:
       {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }}
-      - name: certs
-        secret:
-          defaultMode: 420
-          secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert
+        - name: certs
+          secret:
+            defaultMode: 420
+            secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert
       {{- end }}
       {{- if .Values.global.tls.enabled }}
       {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
-      - name: consul-ca-cert
-        secret:
+        - name: consul-ca-cert
+          secret:
           {{- if .Values.global.tls.caCert.secretName }}
-          secretName: {{ .Values.global.tls.caCert.secretName }}
+            secretName: {{ .Values.global.tls.caCert.secretName }}
           {{- else }}
-          secretName: {{ template "consul.fullname" . }}-ca-cert
+            secretName: {{ template "consul.fullname" . }}-ca-cert
           {{- end }}
-          items:
-          - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
-            path: tls.crt
+            items:
+              - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
+                path: tls.crt
       {{- end }}
       {{- end }}
       {{- if .Values.connectInject.priorityClassName }}

diff --git a/control-plane/connect-inject/common/annotations.go b/control-plane/connect-inject/common/annotations.go
diff --git a/control-plane/connect-inject/constants/annotations_and_labels.go b/control-plane/connect-inject/constants/annotations_and_labels.go
@@ -166,6 +166,9 @@ const (
 	// to explicitly perform the peering operation again.
 	AnnotationPeeringVersion = "consul.hashicorp.com/peering-version"
 
+	// AnnotationConsulK8sVersion is the current version of this binary.
+	AnnotationConsulK8sVersion = "consul.hashicorp.com/connect-k8s-version"
+
 	// LabelServiceIgnore is a label that can be added to a service to prevent it from being
 	// registered with Consul.
 	LabelServiceIgnore = "consul.hashicorp.com/service-ignore"