Installing Consul on Kubernetes
You can install Consul on Kubernetes using the following methods:
Refer to the architecture section to learn more about the general architecture of Consul on Kubernetes. For a hands-on experience with Consul as a service mesh for Kubernetes, follow the tutorial.
The recommended way to run Consul on Kubernetes is via the Helm chart. This will install and configure all the necessary components to run Consul. The configuration enables you to run a server cluster, a client cluster, or both.
Step-by-step tutorials for how to deploy Consul to Kubernetes, please see our collection. This collection includes configuration caveats for single-node deployments.
The Helm chart exposes several useful configurations and automatically sets up complex resources, but it does not automatically operate Consul. You must still become familiar with how to monitor, backup, upgrade, etc. the Consul cluster.
The Helm chart has no required configuration and will install a Consul cluster with default configurations. We strongly recommend learning about the configuration options prior to going to production.
Security Warning: By default, the chart will install an insecure configuration of Consul. This provides a less complicated out-of-box experience for new users, but is not appropriate for a production setup. We strongly recommend using a properly-secured Kubernetes cluster or making sure that you understand and enable the . Currently, some of these features are not supported in the Helm chart and require additional manual configuration.
The Consul Helm only supports Helm 3.2+. Install the latest version of the Helm CLI here: Installing Helm.
Add the HashiCorp Helm Repository:
Verify that you have access to the consul chart:
NAME CHART VERSION APP VERSION DESCRIPTION
hashicorp/consul 0.35.0 1.10.3 Official HashiCorp Consul Chart
Prior to installing via Helm, ensure that the
consul
Kubernetes namespace does not exist, as installing on a dedicated namespace is recommended.$ kubectl get namespace
NAME STATUS AGE
default Active 18h
kube-node-lease Active 18h
kube-public Active 18h
Issue the following command to install Consul with the default configuration using Helm. You could also install Consul on a dedicated namespace of your choosing by modifying the value of the
-n
flag for the Helm install.$ helm install consul hashicorp/consul --set global.name=consul --create-namespace -n consul
NAME: consul
...
The Helm chart does everything to set up a recommended Consul-on-Kubernetes deployment. After installation, a Consul cluster will be formed, a leader will be elected, and every node will have a running Consul agent.
For example, if you want to enable the feature, use the following config file:
config.yaml
Once you’ve created your config.yaml
file, run helm install
with the -f
flag:
$ helm install consul hashicorp/consul --create-namespace -n consul -f config.yaml
NAME: consul
...
If you’ve already installed Consul and want to make changes, you’ll need to run helm upgrade
. See Upgrading for more details.
You can install Consul on Kubernetes using the Consul K8s CLI tool. The tool is currently availabe as an alpha release and is not recommended for production environments.
Download and build the CLI as described in the .
Issue the
install
subcommand to install Consul on Kubernetes:consul-k8s install <OPTIONS>
Refer to the Consul K8s CLI reference for details about all commands and available options.
If you did not set the option to
true
, you will be prompted to proceed with the installation if the pre-install checks pass.==> Pre-Install Checks
✓ No existing installations found
✓ No previous persistent volume claims found
✓ No previous secrets found
==> Consul Installation Summary
Installation name: consul
Namespace: myns
Overrides:
connectInject:
enabled: true
global:
name: consul
server:
bootstrapExpect: 1
Proceed with installation? (y/n)
Enter
y
to proceed. The pre-install checks may fail if existingPersistentVolumeClaims
(PVC) are detected. Refer to the for information about removing PVCs.
The Consul UI is enabled by default when using the Helm chart. For security reasons, it isn’t exposed via a LoadBalancer
Service by default so you must use kubectl port-forward
to visit the UI.
TLS Disabled
If running with TLS disabled, the Consul UI will be accessible via http on port 8500:
TLS Enabled
If running with TLS enabled, the Consul UI will be accessible via https on port 8501:
$ kubectl port-forward service/consul-server 8501:8501
Once the port is forwarded navigate to https://localhost:8501.
You’ll need to click through an SSL warning from your browser because the Consul certificate authority is self-signed and not in the browser’s trust store.
ACLs Enabled
If ACLs are enabled, you will need to input an ACL token into the UI in order to see all resources and make modifications.
To retrieve the bootstrap token that has full permissions, run:
$ kubectl get secrets/consul-bootstrap-acl-token --template='{{.data.token | base64decode }}'
e7924dd1-dc3f-f644-da54-81a73ba0a178%
Then paste the token into the UI under the ACLs tab (without the %
).
NOTE: If using multi-cluster federation, your kubectl context must be in the primary datacenter to retrieve the bootstrap token since secondary datacenters use a separate token with less permissions.
If you want to expose the UI via a Kubernetes Service, configure the ui.service chart values. This service will allow requests to the Consul servers so it should not be open to the world.
The Consul HTTP API should be accessed by communicating to the local agent running on the same node. While technically any listening agent (client or server) can respond to the HTTP API, communicating with the local agent has important caching behavior, and allows you to use the simpler .
For Consul installed via the Helm chart, a client agent is installed on each Kubernetes node. This is explained in the architecture section. To access the agent, you may use the .
An example pod specification is shown below. In addition to pods, anything with a pod template can also access the downward API and can therefore also access Consul: StatefulSets, Deployments, Jobs, etc.
apiVersion: v1
kind: Pod
metadata:
name: consul-example
spec:
containers:
- name: example
image: 'consul:latest'
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
command:
- '/bin/sh'
- '-ec'
- |
export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
restartPolicy: Never
An example Deployment
is also shown below to show how the host IP can be accessed from nested pod specifications:
If you are still considering a move to Kubernetes, or to Consul on Kubernetes specifically, our Migrate to Microservices with Consul Service Mesh on Kubernetes collection uses an example application written by a fictional company to illustrate why and how organizations can migrate from monolith to microservices using Consul service mesh on Kubernetes. The case study in this collection should provide information valuable for understanding how to develop services that leverage Consul during any stage of your microservices journey.