consul/website/pages/docs/k8s/installation/servers-outside-kubernetes.mdx

---
layout: docs
page_title: Consul Servers Outside of Kubernetes - Kubernetes
sidebar_title: Consul Servers Outside Kubernetes
description: Running Consul servers outside of Kubernetes
---

# Consul Servers Outside of Kubernetes

If you have a Consul cluster already running, you can configure your
Consul clients inside Kubernetes to join this existing cluster.

The below `config.yaml` file shows how to configure the Helm chart to install
Consul clients that will join an existing cluster.

The `global.enabled` value first disables all chart components by default
so that each component is opt-in. This allows us to _only_ setup the client
agents. We then opt-in to the client agents by setting `client.enabled` to
`true`.

Next, `client.exposeGossipPorts` can be set to `true` or `false` depending on if
you want the clients to be exposed on the Kubernetes internal node IPs (`true`) or
their pod IPs (`false`).

Finally, `client.join` is set to an array of valid
[`-retry-join` values](/docs/agent/options#retry-join). In the
example above, a fake [cloud auto-join](/docs/agent/cloud-auto-join)
value is specified. This should be set to resolve to the proper addresses of
your existing Consul cluster.

```yaml
# config.yaml
global:
  enabled: false

client:
  enabled: true
  # Set this to true to expose the Consul clients using the Kubernetes node
  # IPs. If false, the pod IPs must be routable from the external servers.
  exposeGossipPorts: true
  join:
    - 'provider=my-cloud config=val ...'
```

-> **Networking:** Note that for the Kubernetes nodes to join an existing
cluster, the nodes (and specifically the agent pods) must be able to connect
to all other server and client agents inside and _outside_ of Kubernetes over [LAN](/docs/glossary#lan-gossip).
If this isn't possible, consider running a separate Consul cluster inside Kubernetes
and federating it with your cluster outside Kubernetes.
You may also consider adopting Consul Enterprise for
[network segments](/docs/enterprise/network-segments).

## Configuring TLS with Auto-encrypt

Consul's auto-encrypt feature allows clients to automatically provision their certificates by making a request to the servers at startup.
If you would like to use this feature with external Consul servers, you need to configure the Helm chart with information about the servers
so that it can retrieve the clients' CA to use for securing the rest of the cluster.
To do that, you must add the following values, in addition to the values mentioned above:

```yaml
global:
  tls:
    enabled: true
    enableAutoEncrypt: true
externalServers:
  enabled: true
  hosts:
  - "provider=my-cloud config=val ..."
```

In most cases, `externalServers.hosts` will be the same as `client.join`, however, both keys must be set because
they are used for different purposes: one for Serf LAN and the other for HTTPS connections.
Please see the [reference documentation](https://www.consul.io/docs/platform/k8s/helm.html#v-externalservers-hosts)
for more info. If your HTTPS port is different from Consul's default `8501`, you must also set
`externalServers.httpsPort`.

## Configuring ACLs

If you are running external servers with ACLs enabled, there are a couple of ways to configure the Helm chart
to help initialize ACL tokens for Consul clients and consul-k8s components for you.

### Manually Bootstrapping ACLs

If you would like to call the [ACL bootstrapping API](/api/acl/acl.html#bootstrap-acls) yourself or if your cluster has already been bootstrapped with ACLs,
you can provide the bootstrap token to the Helm chart. The Helm chart will then use this token to configure ACLs
for Consul clients and any consul-k8s components you are enabling.

First, create a Kubernetes secret containing your bootstrap token:

```shell
kubectl create secret generic bootstrap-token --from-literal='token=<your bootstrap token>'
```

Then provide that secret to the Helm chart:

```yaml
global:
  acls:
    manageSystemACLs: true
    bootstrapToken:
      secretName: bootstrap-token
      secretKey: token
```

The bootstrap token requires the following minimal permissions:

* `acl:write`
* `operator:write` if enabling Consul namespaces
* `agent:read` if using WAN federation over mesh gateways

Next, configure external servers. The Helm chart will use this configuration to talk to the Consul server's API
to create policies, tokens, and an auth method. If you are [enabling Consul Connect](/docs/platform/k8s/connect.html),
`k8sAuthMethodHost` should be set to the address of your Kubernetes API server
so that the Consul servers can validate a Kubernetes service account token when using the [Kubernetes auth method](https://www.consul.io/docs/acl/auth-methods/kubernetes.html)
with `consul login`.

```yaml
externalServers:
  enabled: true
  hosts:
  - "provider=my-cloud config=val ..."
  k8sAuthMethodHost: "https://kubernetes.example.com:443"
```

Your resulting Helm configuration will end up looking similar to this:

```yaml
global:
  enabled: false
  acls:
    manageSystemACLs: true
    bootstrapToken:
      secretName: bootstrap-token
      secretKey: token
client:
  enabled: true
  # Set this to true to expose the Consul clients using the Kubernetes node
  # IPs. If false, the pod IPs must be routable from the external servers.
  exposeGossipPorts: true
  join:
    - "provider=my-cloud config=val ..."
externalServers:
  enabled: true
  hosts:
  - "provider=my-cloud config=val ..."
  k8sAuthMethodHost: "https://kubernetes.example.com:443"
```

### Bootstrapping ACLs via the Helm chart

If you would like the Helm chart to call the bootstrapping API and set the server tokens for you, then the steps are similar.
The only difference is that you don't need to set the bootstrap token. The Helm chart will save the bootstrap token as a Kubernetes secret.

```yaml
global:
  enabled: false
  acls:
    manageSystemACLs: true
client:
  enabled: true
  # Set this to true to expose the Consul clients using the Kubernetes node
  # IPs. If false, the pod IPs must be routable from the external servers.
  exposeGossipPorts: true
  join:
    - "provider=my-cloud config=val ..."
externalServers:
  enabled: true
  hosts:
  - "provider=my-cloud config=val ..."
  k8sAuthMethodHost: "https://kubernetes.example.com:443"
```
Reorg kube docs 2019-12-19 02:02:26 +00:00			`---`
intro and api navigation converted 2020-04-07 18:55:19 +00:00			`layout: docs`
			`page_title: Consul Servers Outside of Kubernetes - Kubernetes`
remove 'sidebar_current' from frontmatter 2020-04-13 18:40:26 +00:00			`sidebar_title: Consul Servers Outside Kubernetes`
intro and api navigation converted 2020-04-07 18:55:19 +00:00			`description: Running Consul servers outside of Kubernetes`
Reorg kube docs 2019-12-19 02:02:26 +00:00			`---`

			`# Consul Servers Outside of Kubernetes`

			`If you have a Consul cluster already running, you can configure your`
			`Consul clients inside Kubernetes to join this existing cluster.`

			The below `config.yaml` file shows how to configure the Helm chart to install
			`Consul clients that will join an existing cluster.`

			The `global.enabled` value first disables all chart components by default
			`so that each component is opt-in. This allows us to _only_ setup the client`
			agents. We then opt-in to the client agents by setting `client.enabled` to
			`true`.

docs: clarify that clients and servers need to talk over LAN if outside k8s (#7156) 2020-01-30 03:09:38 +00:00			Next, `client.exposeGossipPorts` can be set to `true` or `false` depending on if
			you want the clients to be exposed on the Kubernetes internal node IPs (`true`) or
Reorg kube docs 2019-12-19 02:02:26 +00:00			their pod IPs (`false`).

			Finally, `client.join` is set to an array of valid
replace internal .html link extensions 2020-04-09 23:46:54 +00:00			[`-retry-join` values](/docs/agent/options#retry-join). In the
			`example above, a fake [cloud auto-join](/docs/agent/cloud-auto-join)`
Reorg kube docs 2019-12-19 02:02:26 +00:00			`value is specified. This should be set to resolve to the proper addresses of`
			`your existing Consul cluster.`

			```yaml
			`# config.yaml`
			`global:`
			`enabled: false`

			`client:`
			`enabled: true`
			`# Set this to true to expose the Consul clients using the Kubernetes node`
			`# IPs. If false, the pod IPs must be routable from the external servers.`
			`exposeGossipPorts: true`
			`join:`
initial 2020-04-06 20:27:35 +00:00			`- 'provider=my-cloud config=val ...'`
Reorg kube docs 2019-12-19 02:02:26 +00:00			```

			`-> Networking: Note that for the Kubernetes nodes to join an existing`
			`cluster, the nodes (and specifically the agent pods) must be able to connect`
replace internal .html link extensions 2020-04-09 23:46:54 +00:00			`to all other server and client agents inside and _outside_ of Kubernetes over [LAN](/docs/glossary#lan-gossip).`
Reorg kube docs 2019-12-19 02:02:26 +00:00			`If this isn't possible, consider running a separate Consul cluster inside Kubernetes`
			`and federating it with your cluster outside Kubernetes.`
			`You may also consider adopting Consul Enterprise for`
remove internal /index.html 2020-04-09 23:20:00 +00:00			`[network segments](/docs/enterprise/network-segments).`
docs: add docs for configuring ACLs with external servers (#7802) 2020-05-11 18:26:10 +00:00
			`## Configuring TLS with Auto-encrypt`

			`Consul's auto-encrypt feature allows clients to automatically provision their certificates by making a request to the servers at startup.`
			`If you would like to use this feature with external Consul servers, you need to configure the Helm chart with information about the servers`
			`so that it can retrieve the clients' CA to use for securing the rest of the cluster.`
			`To do that, you must add the following values, in addition to the values mentioned above:`

			```yaml
			`global:`
			`tls:`
			`enabled: true`
			`enableAutoEncrypt: true`
			`externalServers:`
			`enabled: true`
			`hosts:`
			`- "provider=my-cloud config=val ..."`
			```

			In most cases, `externalServers.hosts` will be the same as `client.join`, however, both keys must be set because
			`they are used for different purposes: one for Serf LAN and the other for HTTPS connections.`
			`Please see the [reference documentation](https://www.consul.io/docs/platform/k8s/helm.html#v-externalservers-hosts)`
			for more info. If your HTTPS port is different from Consul's default `8501`, you must also set
			`externalServers.httpsPort`.

			`## Configuring ACLs`

			`If you are running external servers with ACLs enabled, there are a couple of ways to configure the Helm chart`
			`to help initialize ACL tokens for Consul clients and consul-k8s components for you.`

			`### Manually Bootstrapping ACLs`

			`If you would like to call the [ACL bootstrapping API](/api/acl/acl.html#bootstrap-acls) yourself or if your cluster has already been bootstrapped with ACLs,`
			`you can provide the bootstrap token to the Helm chart. The Helm chart will then use this token to configure ACLs`
			`for Consul clients and any consul-k8s components you are enabling.`

			`First, create a Kubernetes secret containing your bootstrap token:`

			```shell
			`kubectl create secret generic bootstrap-token --from-literal='token=<your bootstrap token>'`
			```

			`Then provide that secret to the Helm chart:`

			```yaml
			`global:`
			`acls:`
			`manageSystemACLs: true`
			`bootstrapToken:`
			`secretName: bootstrap-token`
			`secretKey: token`
			```

			`The bootstrap token requires the following minimal permissions:`

			* `acl:write`
			* `operator:write` if enabling Consul namespaces
			* `agent:read` if using WAN federation over mesh gateways

			`Next, configure external servers. The Helm chart will use this configuration to talk to the Consul server's API`
			`to create policies, tokens, and an auth method. If you are [enabling Consul Connect](/docs/platform/k8s/connect.html),`
			`k8sAuthMethodHost` should be set to the address of your Kubernetes API server
			`so that the Consul servers can validate a Kubernetes service account token when using the [Kubernetes auth method](https://www.consul.io/docs/acl/auth-methods/kubernetes.html)`
			with `consul login`.

			```yaml
			`externalServers:`
			`enabled: true`
			`hosts:`
			`- "provider=my-cloud config=val ..."`
			`k8sAuthMethodHost: "https://kubernetes.example.com:443"`
			```

			`Your resulting Helm configuration will end up looking similar to this:`

			```yaml
			`global:`
			`enabled: false`
			`acls:`
			`manageSystemACLs: true`
			`bootstrapToken:`
			`secretName: bootstrap-token`
			`secretKey: token`
			`client:`
			`enabled: true`
			`# Set this to true to expose the Consul clients using the Kubernetes node`
			`# IPs. If false, the pod IPs must be routable from the external servers.`
			`exposeGossipPorts: true`
			`join:`
			`- "provider=my-cloud config=val ..."`
			`externalServers:`
			`enabled: true`
			`hosts:`
			`- "provider=my-cloud config=val ..."`
			`k8sAuthMethodHost: "https://kubernetes.example.com:443"`
			```

			`### Bootstrapping ACLs via the Helm chart`

			`If you would like the Helm chart to call the bootstrapping API and set the server tokens for you, then the steps are similar.`
			`The only difference is that you don't need to set the bootstrap token. The Helm chart will save the bootstrap token as a Kubernetes secret.`

			```yaml
			`global:`
			`enabled: false`
			`acls:`
			`manageSystemACLs: true`
			`client:`
			`enabled: true`
			`# Set this to true to expose the Consul clients using the Kubernetes node`
			`# IPs. If false, the pod IPs must be routable from the external servers.`
			`exposeGossipPorts: true`
			`join:`
			`- "provider=my-cloud config=val ..."`
			`externalServers:`
			`enabled: true`
			`hosts:`
			`- "provider=my-cloud config=val ..."`
			`k8sAuthMethodHost: "https://kubernetes.example.com:443"`
			```