The information contained in this article has been verified as up-to-date on the date of the original publication of the article. HashiCorp endeavors to keep this information up-to-date and correct, but it makes no representations or warranties of any kind, express or implied, about the ongoing completeness, accuracy, reliability, or suitability of the information provided.
All information contained in this article is for general information purposes only. Any reliance you place on such information as it applies to your use of your HashiCorp product is therefore strictly at your own risk.
Benefits of Consul Enterprise
Why move to Enterprise?
Users may want to purchase and upgrade their Consul deployments to leverage one or several of the following features of Consul Enterprise within their Kubernetes environment:
- Long-Term Support (LTS): Reduce upgrade frequency and overhead by using a Consul LTS release that's officially supported for longer periods than a standard release.
- Admin Partitions: Define administrative boundaries for multi-tenancy within one or more Consul datacenters.
- Locality Aware Routing: Manage service mesh traffic priorities based on regional and zone-based routing preferences.
- Sameness Groups: Easily manage service failover and resiliency across Admin Partitions and peered clusters using identity-based service groups.
- Consul Namespaces: Manage defined namespace boundaries between Kubernetes and Consul for seamless service mesh and service discovery integration.
- Service Mesh HTTP Request Rate Limiting: Fine-tune L7 service mesh traffic rates to manage cluster resource utilization at both the service and URL path levels.
- Server gRPC/RPC Request Rate Limiting: Manage Consul compute and memory resource consumption by limiting gRPC and RPC internal traffic rates.
- Consul Audit Logging: Improve security posture by gaining insight into Consul access and usage patterns via Consul HTTP API audit logging.
- FIPS 140-2 Compliance: Secure your Consul deployments with BoringCrypto and CNGCrypto in compliance with FIPS 140-2.
- API Gateway JWT Auth Verification: Block unauthenticated traffic to your service mesh at the API ingress boundary by using JWTs for authentication/authorization.
- OIDC Auth Method: Easily manage user access to Consul via an OIDC provider instead of Consul ACL tokens.
See Enterprise Feature Availability by License for more details on these features.
Consul on Kubernetes: OSS/CE to Enterprise
Prerequisites
- Consul Enterprise License: Your customer support contact can generate a trial license for any HashiCorp enterprise product. If you are an existing HashiCorp enterprise customer, you may contact your organization's customer success manager (CSM) for information on how to get your organization's enterprise license.
- Kubernetes/OpenShift Cluster Administrative Access for cluster secret creation and Helm/Argo upgrades for Consul deployment.
Procedure
To minimize upgrade risks, follow these recommendations:
- Upgrade directly to the corresponding Enterprise version: If you're running Consul 1.11.0 OSS, upgrade to Consul 1.11.0 Enterprise.
- Enable Enterprise features after the upgrade: Wait until all Consul servers in the cluster are running the Enterprise version before activating new features. This reduces the chance of encountering errors during the upgrade process.
- If you're storing the Consul Enterprise license in a Kubernetes secret, create the secret using the following commands:

      # Set local shell CONSUL_LICENSE environment variable to literal value of license
      $ export CONSUL_LICENSE="$(cat consul.hclic)"
      # Generate Kube Secret Object
      $ kubectl create secret generic consul-ent-license \
          --namespace "<consul_deployment_ns>" \
          --from-literal="key=$CONSUL_LICENSE"

- To prepare for the Consul Enterprise upgrade, update your values.yaml with the license secret information:

      ## Kubernetes Secret
      global:
        name: consul
        enterpriseLicense:
          secretName: consul-ent-license
          secretKey: key
          enableLicenseAutoload: true

      ## Vault Secret
      global:
        name: consul
        enterpriseLicense:
          secretName: 'consul/secret/enterpriselicense'
          secretKey: key

- In values.yaml, update global.image to the Consul Enterprise repository path.
  - Note: consul-dataplane and consul-k8s-control-plane images are not Enterprise-specific.

      global:
        name: consul
        image: hashicorp/consul-enterprise:1.19.1-ent

- Apply Changes: Update your Consul deployment with the modified values.yaml.
- Monitor Rollout: Carefully observe the consul-server StatefulSet rollout.
- Verify Update Order: Ensure pods are updated in descending index order (highest to lowest). Each pod must completely restart and become healthy before the next pod in the sequence begins its update (e.g. consul-server-2, consul-server-1, consul-server-0).
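
The checks this procedure calls for can be scripted: derive the Enterprise image for the same version before editing values.yaml, then confirm descending restart order and Enterprise builds after the rollout. This is an added example, not HashiCorp tooling; the namespace `consul`, the pod labels `app=consul,component=server`, and the use of pod start time as a proxy for restart order are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not HashiCorp tooling. Assumed: namespace "consul",
# pod labels app=consul,component=server, start time as restart-order proxy.

# Map a CE image to the Enterprise image of the SAME version, e.g.
# hashicorp/consul:1.19.1 -> hashicorp/consul-enterprise:1.19.1-ent
ent_image_for() {
  local image="$1" tag
  tag="${image##*:}"
  case "$tag" in
    *-ent) echo "already an Enterprise tag: $image" >&2; return 1 ;;
    [0-9]*.[0-9]*.[0-9]*) printf 'hashicorp/consul-enterprise:%s-ent\n' "$tag" ;;
    *) echo "cannot derive a version from: $image" >&2; return 1 ;;
  esac
}

# Read pod names on stdin (oldest start time first); succeed only if the
# StatefulSet ordinals are strictly descending (2, 1, 0).
rollout_order_ok() {
  local prev="" name ord
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    ord="${name##*-}"
    case "$ord" in
      ''|*[!0-9]*) echo "unexpected pod name: $name" >&2; return 2 ;;
    esac
    if [ -n "$prev" ] && [ "$ord" -ge "$prev" ]; then
      echo "out of order: $name restarted after ordinal $prev" >&2
      return 1
    fi
    prev="$ord"
  done
  [ -n "$prev" ]  # empty input is a failure, not a pass
}

# Live checks; needs kubectl access, so it is defined here but not invoked.
verify_cluster() {
  local ns="${1:-consul}" sel="app=consul,component=server" pod
  kubectl rollout status statefulset/consul-server -n "$ns" || return 1
  kubectl get pods -n "$ns" -l "$sel" --sort-by=.status.startTime -o name \
    | rollout_order_ok || return 1
  for pod in $(kubectl get pods -n "$ns" -l "$sel" -o name); do
    # Enterprise binaries report a "+ent" version suffix.
    kubectl exec -n "$ns" "$pod" -- consul version | grep -qF -- '+ent' \
      || { echo "$pod is not running an Enterprise build" >&2; return 1; }
  done
}
```

Source the file, then run `ent_image_for` on the currently deployed image before the upgrade and `verify_cluster <namespace>` once the rollout finishes.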
Additional Resources
- Consul Enterprise License Overview
- Consul Enterprise Feature availability by license
- Consul OSS to ENT Process (non-Kubernetes)