---
layout: docs
page_title: Install with Helm Chart - Kubernetes
description: >-
  Consul can run directly on Kubernetes, in either server or client mode. For
  pure-Kubernetes workloads, this enables Consul to also exist purely within
  Kubernetes. For heterogeneous workloads, Consul agents can join a server
  running inside or outside of Kubernetes.
---

# Installing Consul on Kubernetes

Consul can run directly on Kubernetes, in either server or client mode.
For pure-Kubernetes workloads, this enables Consul to also exist purely
within Kubernetes. For heterogeneous workloads, Consul agents can join
a server running inside or outside of Kubernetes.

This page starts with a large how-to section for various specific tasks.
To learn more about the general architecture of Consul on Kubernetes, scroll
down to the [architecture](/docs/k8s/installation/install#architecture) section.

If you would like to get hands-on experience testing Consul as a service mesh
for Kubernetes, check the guides in the [Getting Started with Consul service
mesh](https://learn.hashicorp.com/tutorials/consul/service-mesh-deploy?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) track.

## Helm Chart Installation

The recommended way to run Consul on Kubernetes is via the
[Helm chart](/docs/k8s/helm). This will install and configure
all the necessary components to run Consul. The configuration enables you
to run just a server cluster, just a client cluster, or both. Using the Helm
chart, you can have a full Consul deployment up and running in minutes.

For step-by-step tutorials on how to deploy Consul to Kubernetes, please see
our [Deploy to Kubernetes](https://learn.hashicorp.com/collections/consul/kubernetes-deploy)
collection. This collection includes configuration caveats for single node deployments.

While the Helm chart exposes dozens of useful configurations and automatically
sets up complex resources, it **does not automatically operate Consul.**
You are still responsible for learning how to monitor, back up,
upgrade, etc. the Consul cluster.

The Helm chart has no required configuration and will install a Consul
cluster with reasonable defaults out of the box. Prior to going to production,
it is highly recommended that you
[learn about the configuration options](/docs/k8s/helm#configuration-values).

~> **Security Warning:** By default, the chart will install an insecure configuration
of Consul. This provides a less complicated out-of-box experience for new users,
but is not appropriate for a production setup. It is highly recommended to use
a properly secured Kubernetes cluster or make sure that you understand and enable
the [recommended security features](/docs/internals/security). Currently,
some of these features are not supported in the Helm chart and require additional
manual configuration.

### Prerequisites
The Consul Helm chart works only with Helm 3. Install the latest version of the Helm CLI here:
[Installing Helm](https://helm.sh/docs/intro/install/).
### Installing Consul

Add the HashiCorp Helm Repository:

```shell-session
$ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories
```

Ensure you have access to the consul chart:

```shell-session
$ helm search repo hashicorp/consul
NAME                CHART VERSION   APP VERSION DESCRIPTION
hashicorp/consul    0.32.0          1.10.0      Official HashiCorp Consul Chart
```

Now you're ready to install Consul! To install Consul with the default
configuration using Helm 3 run:

```shell-session
$ helm install consul hashicorp/consul --set global.name=consul
NAME: consul
...
```

_That's it._ The Helm chart does everything to set up a recommended
Consul-on-Kubernetes deployment.
In a couple minutes, a Consul cluster will be formed and a leader
elected and every node will have a running Consul agent.

### Customizing Your Installation

If you want to customize your installation,
create a `config.yaml` file to override the default settings.
You can learn what settings are available by running `helm inspect values hashicorp/consul`
or by reading the [Helm Chart Reference](/docs/k8s/helm).

For example, if you want to enable the [Consul Connect](/docs/k8s/connect) feature,
use the following config file:

```yaml
# config.yaml
global:
  name: consul
connectInject:
  enabled: true
controller:
  enabled: true
```

Once you've created your `config.yaml` file, run `helm install` with the `-f` flag:

```shell-session
$ helm install consul hashicorp/consul -f config.yaml
NAME: consul
...
```

If you've already installed Consul and want to make changes, you'll need to run
`helm upgrade`. See [Upgrading](/docs/k8s/operations/upgrading) for more details.
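
The Security Warning above says the default install is insecure. As an added example (not part of the original page), here is a `config.yaml` that enables the chart's gossip encryption, TLS and ACL settings as a hardened starting point. The gossip Secret name `consul-gossip-encryption-key` and its key `key` are assumptions, and that Secret must exist before the chart is installed.

```yaml
# config.yaml (added example: hardened starting point, not the chart defaults)
global:
  name: consul

  # Encrypt gossip (Serf) traffic between agents.
  # The chart does not create this Secret; the name and key are assumed
  # here and the Secret must hold a key generated with `consul keygen`.
  gossipEncryption:
    secretName: consul-gossip-encryption-key
    secretKey: key

  # Enable TLS for agent communication and the HTTP API.
  # With TLS on, the API and UI are served over https on port 8501.
  tls:
    enabled: true
    # Turn on certificate verification between Consul agents.
    verify: true
    # Do not also serve the HTTP API in plaintext on port 8500.
    httpsOnly: true

  # Bootstrap the ACL system and let the chart manage tokens for its own
  # components. The bootstrap token is stored in the
  # consul-bootstrap-acl-token Secret used in the UI section of this page.
  acls:
    manageSystemACLs: true
```

Review the rendered settings against `helm inspect values hashicorp/consul` for your chart version before applying them with `-f config.yaml`.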
## Viewing the Consul UI

The Consul UI is enabled by default when using the Helm chart.
For security reasons, it isn't exposed via a `LoadBalancer` Service by default so you must
use `kubectl port-forward` to visit the UI.

#### TLS Disabled

If running with TLS disabled, the Consul UI will be accessible via http on port 8500:

```shell-session
$ kubectl port-forward service/consul-server 8500:8500
...
```

Once the port is forwarded navigate to [http://localhost:8500](http://localhost:8500).

#### TLS Enabled

If running with TLS enabled, the Consul UI will be accessible via https on port 8501:

```shell-session
$ kubectl port-forward service/consul-server 8501:8501
...
```

Once the port is forwarded navigate to [https://localhost:8501](https://localhost:8501).

~> You'll need to click through an SSL warning from your browser because the
Consul certificate authority is self-signed and not in the browser's trust store.

#### ACLs Enabled

If ACLs are enabled, you will need to input an ACL token into the UI in order
to see all resources and make modifications.

To retrieve the bootstrap token that has full permissions, run:

```shell-session
$ kubectl get secrets/consul-bootstrap-acl-token --template={{.data.token}} | base64 --decode
e7924dd1-dc3f-f644-da54-81a73ba0a178%
```

Then paste the token into the UI under the ACLs tab (without the `%`).

~> NOTE: If using multi-cluster federation, your kubectl context must be in the primary datacenter
to retrieve the bootstrap token since secondary datacenters use a separate token
with fewer permissions.

### Exposing the UI via a service

If you want to expose the UI via a Kubernetes Service, configure
the [`ui.service` chart values](/docs/k8s/helm#v-ui-service).
This service will allow requests to the Consul servers so it should
not be open to the world.

## Accessing the Consul HTTP API

The Consul HTTP API should be accessed by communicating with the local agent
running on the same node. While technically any listening agent (client or
server) can respond to the HTTP API, communicating with the local agent
has important caching behavior, and allows you to use the simpler
[`/agent` endpoints for services and checks](/api/agent).

For Consul installed via the Helm chart, a client agent is installed on
each Kubernetes node. This is explained in the [architecture](/docs/k8s/installation/install#client-agents)
section. To access the agent, you may use the
[downward API](https://kubernetes.io/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/).

An example pod specification is shown below. In addition to pods, anything
with a pod template can also access the downward API and can therefore also
access Consul: StatefulSets, Deployments, Jobs, etc.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: consul-example
spec:
  containers:
    - name: example
      image: 'consul:latest'
      env:
        # Downward API: IP of the node this pod is scheduled on
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
      command:
        - '/bin/sh'
        - '-ec'
        - |
          # Point the Consul CLI at the node-local client agent
          export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
          consul kv put hello world
  restartPolicy: Never
```

An example `Deployment` is also shown below to show how the host IP can
be accessed from nested pod specifications:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: consul-example-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: consul-example
  template:
    metadata:
      labels:
        app: consul-example
    spec:
      containers:
        - name: example
          image: 'consul:latest'
          env:
            # Downward API: IP of the node this pod is scheduled on
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
          command:
            - '/bin/sh'
            - '-ec'
            - |
              # Point the Consul CLI at the node-local client agent
              export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
              consul kv put hello world
```

## Architecture

Consul runs on Kubernetes with the same
[architecture](/docs/internals/architecture)
as other platforms. There are some benefits Kubernetes can provide
that ease operating a Consul cluster and we document those below. The standard
[production deployment guide](https://learn.hashicorp.com/consul/datacenter-deploy/deployment-guide) is still an
important read even if running Consul within Kubernetes.

Each section below will outline the different components of running Consul
on Kubernetes and an overview of the resources that are used within the
Kubernetes cluster.

### Server Agents

The server agents are run as a **StatefulSet**, using persistent volume
claims to store the server state. This also ensures that the
[node ID](/docs/agent/options#_node_id) is persisted so that servers
can be rescheduled onto new IP addresses without causing issues. The server agents
are configured with
[anti-affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
rules so that they are placed on different nodes. A readiness probe is
configured that marks the pod as ready only when it has established a leader.

A **Service** is registered to represent the servers and expose the various
ports. The DNS address of this service is used to join the servers to each
other without requiring any other access to the Kubernetes cluster. The
service is configured to publish non-ready endpoints so that it can be used
for joining during bootstrap and upgrades.

Additionally, a **PodDisruptionBudget** is configured so the Consul server
cluster maintains quorum during voluntary operational events. The maximum
unavailable is `(n/2)-1` where `n` is the number of server agents.

-> **Note:** Kubernetes and Helm do not delete Persistent Volumes or Persistent
Volume Claims when a
[StatefulSet is deleted](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#stable-storage),
so this must be done manually when removing servers.

### Client Agents

The client agents are run as a **DaemonSet**. This places one agent
(within its own pod) on each Kubernetes node.
The clients expose the Consul HTTP API via a static port (8500)
bound to the host port. This enables all other pods on the node to connect
to the node-local agent using the host IP that can be retrieved via the
Kubernetes downward API. See
[accessing the Consul HTTP API](/docs/k8s/installation/install#accessing-the-consul-http-api)
for an example.

We do not use a **NodePort** Kubernetes service because requests to node ports get randomly routed
to any pod in the service and we need to be able to route directly to the Consul
client running on our node.

-> **Note:** There is no way to bind to a local-only
host port. Therefore, any other node can connect to the agent. This should be
considered for security. For a properly production-secured agent with TLS
and ACLs, this is safe.
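
Because the host port is reachable from other nodes, a workload on a TLS- and ACL-enabled cluster should talk to its node-local agent over HTTPS with a verified certificate and its own token. The following pod spec is an added example, not part of the original page. It assumes the agent's certificate is signed by the CA stored in a Secret named `consul-ca-cert` (key `tls.crt`), and that a hypothetical Secret `example-app-acl-token` holds a narrowly scoped ACL token for this workload.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: consul-example-secure
spec:
  containers:
    - name: example
      image: 'consul:latest'
      env:
        # Downward API: IP of the node this pod is scheduled on
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        # HTTPS port of the node-local client agent (8501 when TLS is enabled)
        - name: CONSUL_HTTP_ADDR
          value: 'https://$(HOST_IP):8501'
        # Verify the agent's certificate against the Consul CA
        - name: CONSUL_CACERT
          value: /consul/tls/ca/tls.crt
        # Workload-specific token, not the bootstrap token.
        # Secret name and key are hypothetical.
        - name: CONSUL_HTTP_TOKEN
          valueFrom:
            secretKeyRef:
              name: example-app-acl-token
              key: token
      volumeMounts:
        - name: consul-ca-cert
          mountPath: /consul/tls/ca
          readOnly: true
      command:
        - '/bin/sh'
        - '-ec'
        - |
          consul kv put hello world
  volumes:
    - name: consul-ca-cert
      secret:
        # Assumed CA Secret name for global.name=consul;
        # confirm with `kubectl get secrets`.
        secretName: consul-ca-cert
        items:
          - key: tls.crt
            path: tls.crt
  restartPolicy: Never
```
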

We run Consul clients as a **DaemonSet** instead of running a client in each
application pod as a sidecar because this would turn
a pod into a "node" in Consul and also cause an explosion of resource usage
since every pod needs a Consul agent. Service registration should be handled via the
catalog syncing feature with Services rather than pods.

-> **Note:** Due to a limitation of anti-affinity rules with DaemonSets,
a client-mode agent runs alongside server-mode agents in Kubernetes. This
duplication wastes some resources, but otherwise functions perfectly fine.

## Next Steps
If you are still considering a move to Kubernetes, or to Consul on Kubernetes specifically, our [Migrate to Microservices with Consul Service Mesh on Kubernetes](https://learn.hashicorp.com/collections/consul/microservices?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS)
collection uses an example application written by a fictional company to illustrate why and how organizations can
migrate from monolith to microservices using Consul service mesh on Kubernetes. The case study in this collection
should provide information valuable for understanding how to develop services that leverage Consul during any stage
of your microservices journey.