consul/website/content/docs/k8s/operations/uninstall.mdx

96 lines
3.8 KiB
Plaintext

---
layout: docs
page_title: Uninstall
description: Uninstall Consul on Kubernetes
---
# Uninstall Consul
Uninstalling Consul requires running `helm delete` **and** then manually cleaning
up some resources that Helm does not delete.
1. First, run `helm delete`:
```shell-session
$ helm delete hashicorp
release "hashicorp" uninstalled
```
-> If using Helm 2, run `helm delete --purge hashicorp`
1. After deleting the Helm release, you need to delete the `PersistentVolumeClaim`'s
for the persistent volumes that store Consul's data. These are not deleted by Helm due to a [bug](https://github.com/helm/helm/issues/5156).
To delete, run:
```shell-session
$ kubectl get pvc -l chart=consul-helm
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
data-default-hashicorp-consul-server-0 Bound pvc-32cb296b-1213-11ea-b6f0-42010a8001db 10Gi RWO standard 17m
data-default-hashicorp-consul-server-1 Bound pvc-32d79919-1213-11ea-b6f0-42010a8001db 10Gi RWO standard 17m
data-default-hashicorp-consul-server-2 Bound pvc-331581ea-1213-11ea-b6f0-42010a8001db 10Gi RWO standard 17m
$ kubectl delete pvc -l chart=consul-helm
persistentvolumeclaim "data-default-hashicorp-consul-server-0" deleted
persistentvolumeclaim "data-default-hashicorp-consul-server-1" deleted
persistentvolumeclaim "data-default-hashicorp-consul-server-2" deleted
```
~> **NOTE:** This will delete **all** data stored in Consul and it can't be
recovered unless you've taken other backups.
1. If installing with ACLs enabled, you will need to then delete the ACL secrets:
```shell-session
$ kubectl get secret | grep consul | grep Opaque
consul-acl-replication-acl-token Opaque 1 41m
consul-bootstrap-acl-token Opaque 1 41m
consul-client-acl-token Opaque 1 41m
consul-connect-inject-acl-token Opaque 1 37m
consul-controller-acl-token Opaque 1 37m
consul-federation Opaque 4 41m
consul-mesh-gateway-acl-token Opaque 1 41m
```
Ensure that the secrets you're about to delete are all created by Consul and not
created by someone else that happen to have the word `consul`.
```shell-session
$ kubectl get secret | grep consul | grep Opaque | awk '{print $1}' | xargs kubectl delete secret
secret "consul-acl-replication-acl-token" deleted
secret "consul-bootstrap-acl-token" deleted
secret "consul-client-acl-token" deleted
secret "consul-connect-inject-acl-token" deleted
secret "consul-controller-acl-token" deleted
secret "consul-federation" deleted
secret "consul-mesh-gateway-acl-token" deleted
secret "consul-gossip-encryption-key" deleted
```
1. If installing with `controller.enabled` then you will need to delete the
webhook certificate:
```shell-session
$ kubectl get secret consul-controller-webhook-cert
NAME TYPE DATA AGE
consul-controller-webhook-cert kubernetes.io/tls 2 47m
```
```shell-session
$ kubectl delete secret consul-controller-webhook-cert
secret "consul-consul-controller-webhook-cert" deleted
```
1. If installing with `tls.enabled` then there will be a `ServiceAccount`
that is left behind:
```shell-session
$ kubectl get serviceaccount consul-tls-init
NAME SECRETS AGE
consul-tls-init 1 47m
```
```shell-session
$ kubectl delete serviceaccount consul-tls-init
serviceaccount "consul-tls-init" deleted
```