The information contained in this article has been verified as up-to-date on the date of the original publication of the article.  HashiCorp endeavors to keep this information up-to-date and correct, but it makes no representations or warranties of any kind, express or implied, about the ongoing completeness, accuracy, reliability, or suitability of the information provided.

All information contained in this article is for general information purposes only.  Any reliance you place on such information as it applies to your use of your HashiCorp product is therefore strictly at your own risk.

Introduction

When Consul is deployed in Kubernetes, it offers the capability to integrate sidecar proxies seamlessly into deployment specifications through the Consul connect-injector. These sidecar proxies, generated by the connect-injector, serve to intercept ingress and egress traffic from the pods, facilitating interaction with Consul directly from within the pods

Scenario

When deploying workloads that may require extended time for graceful termination, scenarios may arise where the default termination period of the connect-injector proves too brief and necessitates extension. Similarly, adjustments might be necessary when the termination period of the workload container within Kubernetes is excessively prolonged.

By default, the termination period for the connect-injector's sidecar container and Kubernetes containers alike is set to 30 seconds. While typically this duration is sufficient for orderly shutdown, certain circumstances demand customization.

The Kubernetes pod-lifecycle governs the handling of container termination

Recommendation

The Consul connect-injector sidecar termination period should, at minimum, always match the workload to ensure that networking is being intercepted as expected. 

• In this example we have a pod with a termination grace period of 60 seconds
  

  apiVersion: v1
  kind: Pod
  metadata:
    name: hashicorp-example
  spec:
    containers:
      - name: busybox
        image: busybox
        lifecycle:
          terminationGracePeriodSeconds: 60
  

• In Consul-K8S the value can be modified globally under the follow Helm value attributes
  

  connectInject:
    sidecarProxy:
      lifecycle:
        defaultShutdownGracePeriodSeconds: 60
  

• Adjusting this value in the Helm chart ensures that all deployments employing connect-inject will inherit the specified grace period as the default setting.
  • Alternatively, for more granular control, you can customize this behavior on specific deployments by including the following annotation in the deployment manifest
    

    consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds

• Considering our example, after incorporating the annotation, the manifest would resemble the following
  

  apiVersion: v1
  kind: Pod
  metadata:
    name: hashicorp-example
    annotations:
      consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds: 60
  spec:
    containers:
      - name: busybox
        image: busybox
        lifecycle:
          terminationGracePeriodSeconds: 60
  

Resources

• Pod Lifecycle: Termination of Pods (Kubernetes page)
• Helm Chart Reference: connectInject lifecycle
• Container Lifecycle Hooks (Kubernetes page)