This tutorial covers the necessary steps to install and configure a new Consul datacenter on Kubernetes, as defined in the Consul Reference Architecture tutorial. By the end of this tutorial, you will be able to:
To complete this tutorial you will need:
Before deploying Consul, you will need to have kubectl credentials that allow you to create and modify policies, deploy services, create secrets, and create RBAC objects. You can find documentation for RBAC and service accounts for the following cloud providers using the links below.
Note
Consul can be deployed on any properly configured Kubernetes cluster in the cloud or on-premises.
You may wish to create Kubernetes secrets to store Consul data. Secrets can be referenced in the customized Helm chart values file.
Add an Enterprise license key (optional)If you have purchased Enterprise Consul, you will need to add the enterprise license to the Kubernetes secretes engine. Also, you will need to specify Consul image using the Helm chart values file. The default image used by the official Consul helm chart is the open source version of Consul. The image name format will resemble this string: hashicorp/consul-enterprise:<latest version>-ent.
For Enterprise customers that have purchased a license, work with your Customer Success Manager (CSM) to get the appropriate license. Once you have obtained the license, you can use the following command to register it as a secret in Kubernetes.
$ kubectl create secret generic consul-license --from-literal="key=$(<YOUR LICENSE FROM CSM>)"
Now that you have prepared your Kubernetes cluster, you can customize the Helm chart. First, you will need to add the HashiCorp Helm Chart repository:
$ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories
The Helm chart is configured with default values. You can override these values by creating your own config.yaml file and passing it to helm install with the -f flag, e.g. helm install consul hashicorp/consul -f config.yaml. Below we detail some parameters you can customize, and provide an example file. However, you should consider your particular production needs when configuring your chart.
The values under the global key will affect all the other parameters in the chart.
To enable all Consul components in the Helm chart, set enabled to true. This means servers, clients, Consul DNS, and the Consul UI will be installed with their defaults. You may also set the following global parameters based on your specific environment requirements or naming conventions.
image is the name and tag of the Consul Docker image - override this if you want to run a specific version of Consul, or if you are using Consul Enterprise. Consult the Consul compatibility matrix before overriding the image setting to make sure the chart version you are using is compatible with the image you are specifying.datacenter the name of your Consul datacenter. The default value is dc1, but can be overridden if necessary.domain the domain Consul uses for DNS queries. The default value is consul but can be overridden if necessary.For security, we recommend you set the global.acls.manageSystemACLs parameter to true. This will instruct Consul to initialize it's ACL system during chart installation.
Additionally, setting the global.gossipEncryption.autoGenerate parameter to true will configure gossip encryption automatically with a random key when Consul is installed.
We also recommend you read the Consul Helm chart documentation to review all the possible global parameters.
Consul UITo enable the Consul web UI update the ui section to your values file and set enabled to true.
Note
You can also set up a LoadBalancer resource or other service type in Kubernetes to make it easier to access the UI.
Consul serversFor production deployments, you should deploy 3 or 5 Consul servers for quorum and failure tolerance. For most deployments, 3 servers are adequate.
In the server section set replicas to 3. This will deploy three servers and cause Consul to wait to perform leader election until all three are healthy. The resources will depend on your environment; in the example at the end of the tutorial, the resources are set for a large environment.
To ensure the Consul servers are placed on different Kubernetes nodes, you will need to configure affinity. Otherwise, the failure of one Kubernetes node could cause the loss of multiple Consul servers, and result in quorum loss. The default values.yaml has affinity configured correctly.
If you have an Enterprise license, you should reference the Kubernetes secret in the enterpriseLicense parameter. Read the Consul Helm chart documentation to review the server parameters related to configuring an enterprise license.
Since a Consul client is deployed on every Kubernetes node, you do not need to specify the number of clients for your deployments. You will, however, need to specify resources. Since Consul clients are designed for horizontal scalability, the resources in the example at the end of this tutorial should be sufficient for most production scenarios.
It is worth mentioning that when configuring clients, you have the ability to override the default node reconnect timeout. By default, Consul will wait 72 hours before reaping unresponsive nodes. Since Consul on Kubernetes often runs on ephemeral infrastructure, such as spot instances, this default setting may not meet your needs. To override the default, you can set the client.extraConfig setting by passing a valid JSON object that includes an advertise_reconnect_timeout key set to the timeout interval that makes sense for your environment. As shown in this example.
client:
extraConfig: |
{"advertise_reconnect_timeout": "15m"}
To review all the possible client parameters, refer to the Consul Helm chart documentation.
Consul service mesh configurationTo enable Consul service mesh, set enabled under the connectInject key to true. In the connectInject section, you can also configure security features. Enabling the default parameter will result in the injector automatically injecting the envoy-sidecar sidecar proxy and consul-sidecar life-cycle sidecar into all pods. If you prefer to manually annotate which pods to inject, you should set connectInject.default to false.
Setting the aclBindingRuleSelector parameter to serviceaccount.name!=default ensures that new services do not all receive the same token if you are only using a default service account. This setting is only necessary if you have enabled ACLs in the global section.
Read more about the Connect Inject parameters.
Your finished config.yaml file should resemble the following example. For more complete descriptions of all the available parameters, check the values.yaml file provided with the Helm chart and the reference documentation.
config.yaml
# Configure global settings in this section.
global:
name: consul
# Bootstrap ACLs within Consul. This is highly recommended.
acls:
manageSystemACLs: true
# Gossip encryption
gossipEncryption:
autoGenerate: true
# Configure your Consul servers in this section.
server:
# Specify three servers that wait until all are healthy to bootstrap the Consul cluster.
replicas: 3
# Specify the resources that servers request for placement. These values will serve a large environment.
resources:
requests:
memory: '32Gi'
cpu: '4'
disk: '50Gi'
limits:
memory: '32Gi'
cpu: '4'
disk: '50Gi'
# If using Enterprise, reference the Kubernetes secret that holds your license here
enterpriseLicense:
secretName: 'consul-license'
secretKey: 'key'
# Configure Consul clients in this section
client:
# Specify the resources that clients request for deployment.
resources:
requests:
memory: '8Gi'
cpu: '2'
disk: '15Gi'
limits:
memory: '8Gi'
cpu: '2'
disk: '15Gi'
# Enable and configure the Consul UI.
ui:
enabled: true
# Enable Consul connect pod injection
connectInject:
enabled: true
default: true
controller:
enabled: true
Now that you have customized your config.yaml file, you can deploy Consul with Helm or the Consul K8S CLI. It is recommended to deploy Consul into its own dedicated namespace as shown below. This should only take a few minutes. The Consul pods should appear in the pod list immediately.
$ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories
$ helm install consul hashicorp/consul --values config.yaml --create-namespace --namespace consul --version "0.43.0"
Note
You can review the official Helm chart values to learn more about the default settings.
$ brew install hashicorp/tap/consul-k8s
$ consul-k8s install -config-file=config.yaml -set global.image=hashicorp/consul:1.12.0
To check the deployment process on the command line you can use kubectl get pods --namespace consul.
$ kubectl get pods --namespace consul
In this tutorial, you configured Consul using the Helm chart for a production environment. This involved ensuring that your Kubernetes cluster had a properly distributed configuration for Consul servers, specifying enough resources for your agents, securing the datacenter with ACLs and gossip encryption, and enabling other Consul functionality including Connect service mesh and the Consul UI.
Now, you can interact with your Consul datacenter through the UI or CLI.
If you exposed the UI using a load balancer it will be available at the LoadBalancer Ingress IP address and Port that is output from the following command.
$ kubectl describe service consul-server --namespace consul
To access the Consul CLI, open a terminal session using the Kubernetes CLI.
$ kubectl exec --stdin --tty consul-server-0 --namespace consul -- /bin/sh
Note
You may need to replace consul-server-0 with the server name from your datacenter if you overrode the global.name setting in your Helm values file.
This will allow you to navigate the file system and run Consul CLI commands on the pod. For example you can view the Consul members.
When you have finished interacting with the pod, exit the shell.
In this tutorial, you installed and configured a new Consul datacenter on Kubernetes using the official Helm chart or Consul K8S CLI. To continue learning about Consul service discovery and service mesh, complete the Consul service mesh tutorials. For more information on securing and debugging Consul on Kubernetes review the Secure Consul and Registered Services on Kubernetes tutorial.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4