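---
# Consul server cluster (3 replicas) for the `monitoring` namespace:
# ServiceAccount + RBAC for pod discovery, TLS/gossip Secret, agent ConfigMap,
# headless and ClusterIP Services, StatefulSet, and an nginx Ingress for the UI/API.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: consul
  namespace: monitoring
  labels:
    app: consul
---
# Namespaced Role instead of a ClusterRole: retry_join's k8s provider is pinned
# to namespace=monitoring (see consul.hcl below), so get/list on pods in this one
# namespace is all that discovery needs. If a cluster-scoped ClusterRole /
# ClusterRoleBinding named `consul` was applied from an earlier revision, delete
# it explicitly; applying this file does not remove it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: consul
  namespace: monitoring
  labels:
    app: consul
rules:
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
      - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: consul
  namespace: monitoring
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: consul
subjects:
  - kind: ServiceAccount
    name: consul
    namespace: monitoring
---
# NOTE(review): `data` values are base64-ENCODED, not encrypted. Anyone who can
# read this manifest can recover the TLS private key (consul-key.pem) and the
# gossip key. Material that has lived in a shared or public repository should be
# treated as compromised: rotate the CA/server key pair and the gossip key, and
# supply the replacements out of band (sealed/external secrets or a secret
# manager) rather than committing them. Never keep a decoded copy of a secret in
# a comment next to the encoded value.
apiVersion: v1
kind: Secret
metadata:
  name: consul-secret
  namespace: monitoring
type: Opaque
data:
  ca.pem: >-
    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
  consul-key.pem: >-
    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
  # Kept on a single line: a folded scalar would insert spaces at line breaks
  # and corrupt the base64.
  consul.pem: >-
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVEVENDQXZXZ0F3SUJBZ0lVQVV5M3lKU0YvWjQrNXl4TEg2a0F2YzhjOERnd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1V6RUxNQWtHQTFVRUJoTUNWVk14RHpBTkJnTlZCQWdUQms5eVpXZHZiakVSTUE4R0ExVUVCeE1JVUc5eQpkR3hoYm1ReEV6QVJCZ05WQkFvVENrdDFZbVZ5Ym1WMFpYTXhDekFKQmdOVkJBc1RBa05CTUI0WERUSXpNVEl4Ck1qRTFNemt3TUZvWERUTXpNVEF5TURFMU16a3dNRm93ZnpFTE1Ba0dBMVVFQmhNQ1ZWTXhEekFOQmdOVkJBZ1QKQms5eVpXZHZiakVSTUE4R0ExVUVCeE1JVUc5eWRHeGhibVF4RnpBVkJnTlZCQW9URGtocFoyaDBiM2RsY2lCTQpZV0p6TVE4d0RRWURWUVFMRXdaRGIyNXpkV3d4SWpBZ0JnTlZCQU1UR1hObGNuWmxjaTVrWXpFdVkyeDFjM1JsCmNpNWpiMjV6ZFd3d2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURoZEJxZDFrYzAKS2tRNlhRbE0zMTRJTjlheEw5WVZ6UkZPK0d0cmJZQUdYM1VETHlXbllFRlhrWG9BbkJ5aHE2cDYzcDlLUERrLwp2NUdxRjJuMDhHMXJhbk8vQ0c5S21oYnBMVXZmSzhBVGxPQ0V2RU4vc25YT0FKUmcvTi85NVdablRXV1pjaEZpCjZLRXA2bm50Sk9UMWZEYzVuQXpKejVNUGNKNzRSZ1N0YWgwNjJST2ZpdzJBRG1tNWpaQXVxVHNiR3FMTlZWOUcKZGN3M1lKZ1Q5UFVWUURuWHdnckloSXM2bEtlUEozSVNseTlOc2ZpdlQvU25rZXBJMHBJdXB1SUtxUmhoTlE0QwpEWVUra2pieE5Ub0VHU2t0MzRYZWR3RzRTMHlKSlFSM1Z0NWZQRjE5OTZmTDdlc0h3STg0VmJ6NWhMZmJESTdaClpNOHVKQWhOTEFXckFnTUJBQUdqZ2F3d2dha3dEZ1lEVlIwUEFRSC9CQVFEQWdXZ01CMEdBMVVkSlFRV01CUUcKQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBTUJnTlZIUk1CQWY4RUFqQUFNQjBHQTFVZERnUVdCQlNkL29OVwp0M1pJbmFQUHNjeWdCV2FUVVlMUTB6QWZCZ05WSFNNRUdEQVdnQlRLQy9aVExvV0R2UXFPWElnMUNKQ01HUGpxCmZUQXFCZ05WSFJFRUl6QWhnaGx6WlhKMlpYSXVaR014TG1Oc2RYTjBaWEl1WTI5dWMzVnNod1IvQUFBQk1BMEcKQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUM0RzVVZEIwWHN3ajUvV0h5UlR3QmlOblY0T3pIMXhGYnVYMlh2T2lmQgpkaGFqb01Jc1kvM2lkVnNPRFdsWmFEMVk0SkFEQ3M0d1RKczB4Nm9ObmloZmlsK21KTzlhWU1CWlZycWYzd3FLCnVXWDJCb0pPZHRCOUVLQmppY1E3Ykg0S2Y3cDlGVTdweExIbnhXZW5hZDFrTUY4cS8wbUw2UmdvNS81U1liTXkKS2x2VWZsSlc2MzV3VWJNMTV3UW8rdFFRNDFVKzZBTVlnM3ZuZXNnZXk5ZFhBQzdwSkR4bzBUZDBNOGhWUWIwbwpFRXc2K2wzZzVaM2tGTGkxZ2g1dng2M0E0cm9abHhjekFjTnlPS0ozb3ZkN2VPQVJ6bG9LcE9ZcnJiUkhjOC9uCkswRGtOMWc1VGhibGZ3ZGV2UDFlUlNCVUtyZmdEaVhRRStwa3p1anlXV2tVCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
  gossip-encryption-key: S3ZkeVBPVmNMcjI3U3FIK1Nkczl4OGdoRjFOV3NsU3NsYjltN1ZyWTcwVT0=
---
# Consul server agent configuration, mounted at /etc/consul/config/consul.hcl.
#
# NOTE(review): acl.tokens.master and acl.tokens.agent carry the SAME literal
# value, so every agent runs with the bootstrap management token, and that token
# sits in a ConfigMap readable by anyone with `get configmaps` in this namespace.
# Rotate it, give agents their own token bound to a node-scoped policy, and load
# token values from a Secret-backed config file instead of this ConfigMap.
#
# NOTE(review): verify_incoming/verify_outgoing are enabled and https is set to
# 8443, but the Services and Ingress below only route to the plain-HTTP port
# 8500, so UI/API requests (including ACL tokens) reach the pod unencrypted.
# Confirm whether 8500 needs to stay enabled.
apiVersion: v1
kind: ConfigMap
metadata:
  name: consul-config
  namespace: monitoring
data:
  consul.hcl: |-
    #log_level = "error"
    bind_addr = "0.0.0.0"
    ca_file = "/consul/tls/ca.pem"
    cert_file = "/consul/tls/consul.pem"
    key_file = "/consul/tls/consul-key.pem"
    auto_encrypt {
      allow_tls = true
    }
    data_dir = "/consul/data"
    client_addr = "0.0.0.0"
    disable_host_node_id = true
    datacenter = "dc1"
    domain = "cluster.consul"
    ports = {
      https = 8443
      http = 8500
      dns = 8600
      serf_lan = 8301
      serf_wan = 8302
      server = 8300
      grpc = 8400
    }
    connect = {
      enabled = true
    }
    retry_join = [
      "provider=k8s namespace=monitoring label_selector=\"app=consul,component=server\" connect_timeout=30s"
    ]
    server = true
    telemetry = {
      prometheus_retention_time = "1m"
    }
    verify_incoming = true
    verify_outgoing = true
    verify_server_hostname = true
    ui = true
    acl = {
      enabled = true
      default_policy = "deny"
      down_policy = "extend-cache"
      tokens = {
        master = "27c74c79-467f-475b-a782-0e2a10a839e8"
        agent = "27c74c79-467f-475b-a782-0e2a10a839e8"
      }
    }
---
# Headless Service publishing every Consul port for the server pods.
apiVersion: v1
kind: Service
metadata:
  name: consul-headless
  namespace: monitoring
  labels:
    name: consul
spec:
  clusterIP: None
  ports:
    - name: http
      port: 8500
      targetPort: 8500
    - name: cli-rpc
      port: 8400
      targetPort: 8400
    - name: serflan-tcp
      protocol: "TCP"
      port: 8301
      targetPort: 8301
    - name: serflan-udp
      protocol: "UDP"
      port: 8301
      targetPort: 8301
    - name: serfwan-tcp
      protocol: "TCP"
      port: 8302
      targetPort: 8302
    - name: serfwan-udp
      protocol: "UDP"
      port: 8302
      targetPort: 8302
    - name: agent-rpc
      port: 8300
      targetPort: 8300
    - name: dns
      port: 8600
      targetPort: 8600
  selector:
    app: consul
---
# ClusterIP Service for the HTTP API/UI; this is the Ingress backend.
apiVersion: v1
kind: Service
metadata:
  name: consul
  namespace: monitoring
  labels:
    app: consul
spec:
  type: ClusterIP
  ports:
    - name: http
      protocol: TCP
      port: 8500
      targetPort: 8500
  selector:
    app: consul
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: consul
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: consul
      component: server
  # NOTE(review): this names the ClusterIP Service, not `consul-headless`.
  # A StatefulSet's governing Service is normally the headless one; the field is
  # immutable on an existing StatefulSet, so confirm before changing it.
  serviceName: consul
  podManagementPolicy: "Parallel"
  replicas: 3
  template:
    metadata:
      labels:
        app: consul
        component: server
      annotations:
        consul.hashicorp.com/connect-inject: "false"
    spec:
      serviceAccountName: consul
      # Anti-affinity is disabled, so all three servers may be scheduled onto
      # one node and lose quorum together.
      # affinity:
      #   podAntiAffinity:
      #     requiredDuringSchedulingIgnoredDuringExecution:
      #       - labelSelector:
      #           matchExpressions:
      #             - key: app
      #               operator: In
      #               values:
      #                 - consul
      #         topologyKey: kubernetes.io/hostname
      terminationGracePeriodSeconds: 10
      securityContext:
        fsGroup: 1000
      containers:
        - name: consul
          # NOTE(review): the image comes from a personal registry namespace and
          # is referenced by mutable tag. Prefer a registry you control or the
          # upstream publisher, pinned by digest, e.g.
          #   image: "<REGISTRY_PLACEHOLDER>/consul@sha256:<DIGEST_PLACEHOLDER>"
          # image: "consul:latest"
          # image: "harbor.uenpay.com/base/consul:latest"
          image: "registry.cn-hangzhou.aliyuncs.com/zhengyu1992/consul:1.11.1"
          env:
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: GOSSIP_ENCRYPTION_KEY
              valueFrom:
                secretKeyRef:
                  name: consul-secret
                  key: gossip-encryption-key
          args:
            - "agent"
            - "-advertise=$(POD_IP)"
            - "-bootstrap-expect=3"
            - "-config-file=/etc/consul/config/consul.hcl"
            # NOTE(review): passing the key as a flag places it on the process
            # command line inside the container; an `encrypt` setting in a
            # Secret-backed config file avoids that.
            - "-encrypt=$(GOSSIP_ENCRYPTION_KEY)"
          volumeMounts:
            - name: data
              mountPath: /consul/data
            - name: config
              mountPath: /etc/consul/config
            # Mounts every key of consul-secret (including the gossip key),
            # not only the three PEM files.
            - name: tls
              mountPath: /consul/tls
          lifecycle:
            preStop:
              exec:
                command:
                  - /bin/sh
                  - "-c"
                  - consul leave
          ports:
            - containerPort: 8500
              name: ui-port
            - containerPort: 8400
              name: cli-port
            - containerPort: 8301
              name: serflan
            - containerPort: 8302
              name: serfwan
            - containerPort: 8600
              name: dns
            - containerPort: 8300
              name: server
      volumes:
        - name: config
          configMap:
            name: consul-config
        - name: tls
          secret:
            secretName: consul-secret
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi
---
# NOTE(review): this publishes the Consul HTTP API and UI (port 8500) on
# consul.uenpay.com. With ssl-redirect disabled, clients may use plain HTTP and
# send ACL tokens in cleartext even though a TLS certificate is configured.
# Unless TLS is terminated in front of the ingress controller, set ssl-redirect
# to 'true', and consider restricting source addresses or requiring
# authentication at the ingress.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: consul.uenpay.com-ingress
  namespace: monitoring
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: 1024m
    nginx.ingress.kubernetes.io/proxy-connect-timeout: '300'
    nginx.ingress.kubernetes.io/proxy-read-timeout: '300'
    nginx.ingress.kubernetes.io/proxy-send-timeout: '300'
    nginx.ingress.kubernetes.io/ssl-redirect: 'false'
spec:
  ingressClassName: nginx
  rules:
    - host: consul.uenpay.com
      http:
        paths:
          - backend:
              service:
                name: consul
                port:
                  number: 8500
            path: /
            pathType: ImplementationSpecific
  tls:
    - hosts:
        - consul.uenpay.com
      secretName: uenpay.com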