Introduction
Consul Dataplane became generally available in consul-k8s v1.0.0 and replaced the need for Consul clients within Kubernetes environments.
In this tutorial, we will walk through the steps needed to set up Consul with Kubernetes as a client to a pre-existing Consul cluster that is using Virtual Machine (VM) server nodes that are WAN Federated.
Expected Outcome
Consul on Kubernetes will be able to connect to the established cluster.
Prerequisites
- A WAN Federated Consul Cluster using VMs
- Kubernetes client cluster
Procedure
- Create the secret containing the CA certificate of your cluster
- We recommend using base64 to encode the certificate to ensure data accuracy when applying the secret
apiVersion: v1
kind: Secret
metadata:
  name: consul-ca-secret
  namespace: consul
type: kubernetes.io/tls
data:
  tls.crt: consul-agent-ca-base64
  tls.key: consul-agent-ca-key-base64
- Create the secret containing the bootstrap token
kubectl -n consul create secret generic bootstrap-token --from-literal='token=your bootstrap token'
- Create the secret containing the enterprise license
kubectl -n consul create secret generic enterprise-license --from-literal='license=your enterprise license'
- Obtain your Kubernetes Host for the auth method value
kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}'
- Create your helm values file
global:
  enabled: false
  tls:
    enabled: true
    caCert:
      secretName: consul-ca-secret
      secretKey: tls.crt
    serverAdditionalIPSANs: ["<Consul Server IP>"]
  acls:
    manageSystemACLs: true
    bootstrapToken:
      secretName: bootstrap-token
      secretKey: token
  enterpriseLicense:
    secretName: enterprise-license
    secretKey: license
    enableLicenseAutoload: true
externalServers:
  enabled: true
  hosts:
    - "<consul server DNS, IP or exec= string>"
  k8sAuthMethodHost: 'https://kubernetes.example.com:443'
  tlsServerName: <Consul Server Node Name>.server.<datacenter>.consul
- If enabling connect-inject on a secondary cluster, the following configuration will be required
# Merge under the existing global: key of the values file
global:
  federation:
    enabled: true
    k8sAuthMethodHost: 'https://kubernetes.example.com:443'
    primaryDatacenter: dc1
- Install Consul on your cluster
helm install consul hashicorp/consul --set global.name=consul --namespace consul --values values.yaml
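For the first step of the procedure above, an added example (not part of the original article or of HashiCorp's tooling) that renders the consul-ca-secret manifest from PEM files, encoding each as unwrapped single-line base64 and rejecting swapped or non-PEM inputs. The file names consul-agent-ca.pem and consul-agent-ca-key.pem and the PEM bodies are constructed placeholders.

```shell
# Added example: render the consul-ca-secret manifest from PEM files.
set -eu

# Single-line base64: wrapped output would break the YAML scalar.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Fail unless the first line of file $1 is a PEM header with label regex $2.
require_pem() {
  head -n 1 "$1" | grep -Eq -- "^-----BEGIN $2-----\$" || {
    echo "error: $1: expected a PEM header matching '$2'" >&2
    return 1
  }
}

# $1 = CA certificate (PEM), $2 = CA private key (PEM); prints the manifest.
render_ca_secret() {
  require_pem "$1" 'CERTIFICATE' || return 1
  require_pem "$2" '([A-Z]+ )?PRIVATE KEY' || return 1
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: consul-ca-secret
  namespace: consul
type: kubernetes.io/tls
data:
  tls.crt: $(b64_oneline "$1")
  tls.key: $(b64_oneline "$2")
EOF
}

# Constructed sample input (placeholder bodies, not real key material).
workdir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' \
  'Q09OU1RSVUNURUQgU0FNUExFIENFUlQ=' '-----END CERTIFICATE-----' \
  > "$workdir/consul-agent-ca.pem"
printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' \
  'Q09OU1RSVUNURUQgU0FNUExFIEtFWQ==' '-----END EC PRIVATE KEY-----' \
  > "$workdir/consul-agent-ca-key.pem"

# The manifest embeds the CA private key, so keep it owner-readable only.
( umask 077
  render_ca_secret "$workdir/consul-agent-ca.pem" \
    "$workdir/consul-agent-ca-key.pem" > "$workdir/consul-ca-secret.yaml" )
echo "manifest written to $workdir/consul-ca-secret.yaml"
```

Apply the rendered file with kubectl apply -f, then delete it, since it holds the CA private key in reversible base64.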
Additional Information
- Helm Chart Reference: serverAdditionalDNSSANs
- Helm Chart Reference: externalServers tlsServerName