Updating your Consul Enterprise license in Kubernetes with consul-helm

Introduction

This article assumes that you have deployed Consul Enterprise on Kubernetes using consul-helm. Consul’s documentation has you create a Kubernetes secret and then reference that secret in your Helm config.yaml for global.enterpriseLicense.secretName.

Use Case

Consul Enterprise licenses can have an expiration date- this Knowledge Base article will provide you with the information you need to update your Consul Enterprise license if you are deploying Consul into Kubernetes with consul-helm.

Procedure

This section assumes you have a new Consul Enterprise license. This section also assumes that you already have a Kubernetes secret that contains your old license.

First, let’s view our existing secret:

$ kubectl get secrets
NAME                  TYPE                                  DATA   AGE
consul-ent-license    Opaque                                1      29h

We can view our current license within Consul by running consul license get directly against our Consul server pods:

$ kubectl exec consul-consul-server-0 consul license get
License is valid
License ID: 62cd0e72-6fb2-dc44-e508-06608b464826
Customer ID: dc7d2863-7c96-d8e3-69cf-f1d43fd82b8b
Expires At: 2020-07-23 03:59:59.999 +0000 UTC
Terminates At: 2020-07-23 03:59:59.999 +0000 UTC
Datacenter: *
Licensed Features:

You will need to base64 encode the contents of your new license file first:

$ cat a39628cf-ca4c-02f4-f3fa-0b20e1ae8654.hclic | base64
MDFNVjRVVTQzQks1SEdZWVRPSlpXRlFNVE1OTkVXVTMzSkxGS0UyTktPTkpFVElXSlNMRjJGU01TRkdCTVhTTURYSlZXVlNNQ01LNU1YVVdUTklWMkUyUjJKUEZHVU9WTFlMRkxWS05DT05KS1RBU0xKTzVVVlNNMldQSlNFT09MVUxKTUVVWlRCSzVJV1NUM0pKSlZWUzZURU5OR1dVWlpTSlY0VEFNMlpQSlZURVRDWEtFMkZVVkNOT1JIR1UzREtMSlVUQzNLTks1SVRBVEpTTEpWVTZSQ0tORkhVT1NMSkpSQlVVNERDTlpIREFXS1hQQlpWU1dDU09CUkRFTkxHTUZMVkMyS1BORkVYQ1NMSk81VVdDV0NPUEpTRk9WVEdNUkRXWTVDMktORVRNU0xLSkYzVTJWRExPUkdVSVdMVUpWVkVNVktOS1JNVE1UTDJMRTNFNFJERE9WR1dVU0pVSlZLRVNNS1BLUlZUQ1YzSkpGWlVTM1NPR0JNVlFTUlFMQVpWRTREQ0s1S1dTVDNKSkY0VTJSQ0ZHVkdGSVFKU0pSS0VTNkNXSVJBVEdUM0tJRjNVNjJTQk81TFdTU0xUSkZXVk1ORERJNVdIU1dLWUtKWUdFTVJWTVpTRU8zRFVMSkpVU05TSk5KRVhPVExLSUYyRTJSQ1pPUkdXVVNTVkpWQ0ZTTlNPS1JWVE1UU1VOTjJVNlZETEdWTFdTU0xUSkZYRkUzREROVVlYQVlUTklZWUdDVlpaT1ZNREdVVFFNSkxWSzJLUE5GRVhTVEtFSkYzVVlWQ0JHSkdGSVNMWktaQ0VDTVNQTkpLVEtUM0tLVTJVWTJUTEdWSFZNMzNKSlJCVVU1M0ROVTRXV1pDWEpZWUVTMlRQTkZNVEVPTFZNTVpWTTQySk5GM1dTV1ROUEJVRlVNMk5ORkhXNDQzSk1ORFVNMlRCR0pERzRXU1RKRTNFUzNTQ1BGTkZPTUxRTVJMVEEyTEdMQVlEMkxUV01GMldZNUIyT1lZVFVZTEtOTVlUQ05KVUpCWkZNUVRLTEZSV1FXS1ZJWkVHNE5LWUdFWlhRNERJSjVSVFNTTExNSlpTNlpURkpCTEhPVDJYTUpHVlEyM0hLUkxUSTVEUUk1TFdXUkxVRzVCR1laRERNWllFS1RCV000MkRRUjMyTTVYRVdUVE1PTTNETVVMU0dWUlVJUUo1SFU=

You will update your secret consul-ent-license with our new license file by running the following:

$ kubectl edit secret consul-ent-license

This will bring up an editor where you will want to modify data.key to contain the contents of your license file. Replace the contents of the key filed with the base64 encoded contents of your new license file:

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  key: MDFNVjRVVTQzQks1SEdZWVRPSlpXRlFNVE1OTkVXVTMzSkxGS0UyTktPTkpFVElXSlNMRjJGU01TRkdCTVhTTURYSlZXVlNNQ01LNU1YVVdUTklWMkUyUjJKUEZHVU9WTFlMRkxWS05DT05KS1RBU0xKTzVVVlNNMldQSlNFT09MVUxKTUVVWlRCSzVJV1NUM0pKSlZWUzZURU5OR1dVWlpTSlY0VEFNMlpQSlZURVRDWEtFMkZVVkNOT1JIR1UzREtMSlVUQzNLTks1SVRBVEpTTEpWVTZSQ0tORkhVT1NMSkpSQlVVNERDTlpIREFXS1hQQlpWU1dDU09CUkRFTkxHTUZMVkMyS1BORkVYQ1NMSk81VVdDV0NPUEpTRk9WVEdNUkRXWTVDMktORVRNU0xLSkYzVTJWRExPUkdVSVdMVUpWVkVNVktOS1JNVE1UTDJMRTNFNFJERE9WR1dVU0pVSlZLRVNNS1BLUlZUQ1YzSkpGWlVTM1NPR0JNVlFTUlFMQVpWRTREQ0s1S1dTVDNKSkY0VTJSQ0ZHVkdGSVFKU0pSS0VTNkNXSVJBVEdUM0tJRjNVNjJTQk81TFdTU0xUSkZXVk1ORERJNVdIU1dLWUtKWUdFTVJWTVpTRU8zRFVMSkpVU05TSk5KRVhPVExLSUYyRTJSQ1pPUkdXVVNTVkpWQ0ZTTlNPS1JWVE1UU1VOTjJVNlZETEdWTFdTU0xUSkZYRkUzREROVVlYQVlUTklZWUdDVlpaT1ZNREdVVFFNSkxWSzJLUE5GRVhTVEtFSkYzVVlWQ0JHSkdGSVNMWktaQ0VDTVNQTkpLVEtUM0tLVTJVWTJUTEdWSFZNMzNKSlJCVVU1M0ROVTRXV1pDWEpZWUVTMlRQTkZNVEVPTFZNTVpWTTQySk5GM1dTV1ROUEJVRlVNMk5ORkhXNDQzSk1ORFVNMlRCR0pERzRXU1RKRTNFUzNTQ1BGTkZPTUxRTVJMVEEyTEdMQVlEMkxUV01GMldZNUIyT1lZVFVZTEtOTVlUQ05KVUpCWkZNUVRLTEZSV1FXS1ZJWkVHNE5LWUdFWlhRNERJSjVSVFNTTExNSlpTNlpURkpCTEhPVDJYTUpHVlEyM0hLUkxUSTVEUUk1TFdXUkxVRzVCR1laRERNWllFS1RCV000MkRRUjMyTTVYRVdUVE1PTTNETVVMU0dWUlVJUUo1SFU=
kind: Secret
metadata:
  creationTimestamp: "2020-05-28T19:15:52Z"
  name: consul-ent-license
  namespace: default
  resourceVersion: "61207"
  selfLink: /api/v1/namespaces/default/secrets/consul-ent-license
  uid: 95508029-ada2-4bde-8bfa-a277c12e38f8
type: Opaque

After saving your updated secret, verify that the config.yaml file you are using for the Consul Helm chart references your updated secret in `global.enterpriseLicense.secretName. This file should look something like this:

# config.yaml
global:
  image: 'hashicorp/consul-enterprise:1.7.3-ent'
  enterpriseLicense:
    secretName: 'consul-ent-license'
    secretKey: 'key'

Then run helm upgrade:

$ helm upgrade hashicorp hashicorp/consul -f config.yaml

Your Consul cluster should be updated with your new license! You can verify by running consul license get against your cluster:

$ kubectl exec consul-consul-server-0 consul license get
License is valid
License ID: 32bd7df8-4f99-ab84-ca9d-b1a27691825e
Customer ID: dc7d2863-7c96-d8e3-69cf-f1d43fd82b8b
Expires At: 2020-07-23 03:59:59.999 +0000 UTC
Terminates At: 2020-07-23 03:59:59.999 +0000 UTC
Datacenter: *
Licensed Features:

Additional Information

You can update your Consul license manually using the top-level consul license command. This is generally not recommended as the license that you have stored in your Kubernetes secret and referenced in global.enterpriseLicense.secretName will be applied to your Consul cluster the next time you run Helm.