Introduction

Consul Dataplane became generally available in consul-k8s v1.0.0 and replaced the need for Consul clients within Kubernetes environments.

In this tutorial, we will walk through the steps needed to set up Consul with Kubernetes as a client to a pre-existing Consul cluster that is using Virtual Machine (VM) server nodes that are WAN Federated. 

Expected Outcome

Consul on Kubernetes will be able to connect to the established cluster.

Prerequisites 

• A WAN Federated Consul Cluster using VMs
• Kubernetes client cluster

Procedure

1. Create the secret containing the CA certificate of your cluster
   • We recommend using base64 to encode the certificate to ensure data accuracy when applying the secret
     

     apiVersion: v1 
     kind: Secret 
     metadata: 
       name: consul-ca-secret
       namespace: consul 
     type: kubernetes.io/tls 
     data: 
       tls.crt: consul-agent-ca-base64
       tls.key: consul-agent-ca-key-base64

2. Create the secret containing the bootstrap token

   kubectl -n consul create secret generic bootstrap-token --from-literal='token=your bootstrap token'

3. Create the secret containing the enterprise license

   kubectl -n consul create secret generic enterprise-license --from-literal='license=your enterprise license'

4. Obtain your Kubernetes Host for the auth method value

   kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}'

5. Create your helm values file
   

   global:
     enabled: false
     tls:
       enabled: true
       caCert:
         secretName: consul-ca-secret
         secretKey: tls.crt
       serverAdditionalIPSANs: ["<Consul Server IP>"]
     acls:
       manageSystemACLs: true
       bootstrapToken:
         secretName: bootstrap-token
         secretKey: token
   externalServers:
     enabled: true
     hosts: 
       - [consul server DNS, IP or exec= string]
     k8sAuthMethodHost: 'https://kubernetes.example.com:443'
     tlsServerName: <Consul Server Node Name>.server.<datcenter>.consul
   enterpriseLicense:
     secretName: enterprise-license
     secretKey: license
     enableLicenseAutoLoad: true

   • If enabling connect-inject on a secondary cluster the following configuration will be required

     federation:
         enabled: true
         k8sAuthMethodHost: 'https://kubernetes.example.com:443'
         primaryDatacenter: dc1

6. Install Consul on your cluster
   

   helm install consul hashicorp/consul --set global.name=consul --namespace consul --values values.yaml

Additional Information

• Join Kubernetes Clusters to external Consul Servers

• Helm Chart Reference: serverAdditionalDNSSANs
• Helm Chart Reference: externalServers tlsServerName