Consul
Consul on Kubernetes CLI reference
The Consul on Kubernetes CLI, consul-k8s, lets you manage Consul without interacting directly with Helm, the Consul CLI, or kubectl.
This topic describes how to install consul-k8s, and lists the commands and available options for using consul-k8s.
Install the CLI
The following instructions describe how to install the latest version of consul-k8s, as well as earlier versions, so that you can install an appropriate version of tool for your control plane.
Note
You must install the correct version of the CLI for your Consul on Kubernetes deployment. To deploy a previous version of Consul on Kubernetes, download the specific version of the CLI that matches the version of the control plane that you would like to deploy. Refer to the compatibility matrix for details.
Install the latest version
Complete the following instructions for a fresh installation of Consul on Kubernetes.
The Homebrew package manager is required to complete the following installation instructions. The Homebrew formulae always installs the latest version of a binary.
Install the HashiCorp
tap, which is a repository of all Homebrew packages for HashiCorp:$ brew tap hashicorp/tapInstall the Consul K8s CLI with
hashicorp/tap/consulformula.$ brew install hashicorp/tap/consul-k8s(Optional) Issue the
consul-k8s versioncommand to verify the installation:$ consul-k8s version consul-k8s 1.0
Install a previous version
Complete the following instructions to install a specific version of the CLI so that your tool is compatible with your Consul on Kubernetes control plane. Refer to the compatibility matrix for additional information.
Download the appropriate version of Consul K8s CLI using the following
curlcommand. Set the$VERSIONenvironment variable to the appropriate version for your deployment.$ export VERSION=1.1.1 && \ curl --location "https://releases.hashicorp.com/consul-k8s/${VERSION}/consul-k8s_${VERSION}_darwin_amd64.zip" --output consul-k8s-cli.zipUnzip the zip file output to extract the
consul-k8sCLI binary. This overwrites existing files and also creates a.consul-k8ssubdirectory in your$HOMEfolder.$ unzip -o consul-k8s-cli.zip -d ~/consul-k8sAdd the path to your directory. In order to persist the
$PATHacross sessions, dd it to your shellrc (i.e. shell run commands) file for the shell used by your terminal.$ export PATH=$PATH:$HOME/consul-k8s(Optional) Issue the
consul-k8s versioncommand to verify the installation.$ consul-k8s version consul-k8s 1.0
Usage
The Consul on Kubernetes CLI uses the following syntax:
$ consul-k8s <COMMAND> <OPTIONS>
Commands
You can use the following commands with consul-k8s.
config: Interact with helm configuration.config read: Read helm configuration of a Consul installation.
install: Install Consul on Kubernetes.proxy: Inspect Envoy proxies managed by Consul.proxy list: List all Pods running proxies managed by Consul.proxy read: Inspect the Envoy configuration for a given Pod.proxy log: Inspect and modify the Envoy logging configuration for a given Pod.proxy stats: View the Envoy cluster stats for a given Pod.
status: Check the status of a Consul installation on Kubernetes.troubleshoot: Troubleshoot Consul service mesh and networking issues from a given pod.uninstall: Uninstall Consul deployment.upgrade: Upgrade Consul on Kubernetes from an existing installation.version: Print the version of the Consul on Kubernetes CLI.
config
The config command exposes the read subcommand that allows to read the helm configuration of a Consul installation.
config read: Read helm configuration of a Consul installation.
config read
$ consul-k8s config read <OPTIONS>
| Flag | Description | Default |
|---|---|---|
-all-namespaces, -A | Boolean List pods in all Kubernetes namespaces. | false |
-namespace, -n | String The Kubernetes namespace to list proxies in. | Current kubeconfig namespace. |
Refer to the Global Options for additional options that you can use when installing Consul on Kubernetes.
Example Commands
The following example command reads the Helm configuration in the myNS namespace.
$ consul-k8s config read -namespace=myNS
global:
cloud:
clientId:
secretKey: client-id
secretName: consul-hcp-client-id
clientSecret:
secretKey: client-secret
secretName: consul-hcp-client-secret
enabled: true
resourceId:
secretKey: resource-id
secretName: consul-hcp-resource-id
image: hashicorp/consul:1.14.7
name: consul
install
The install command installs Consul on your Kubernetes cluster.
$ consul-k8s install <OPTIONS>
The following options are available.
| Flag | Description | Default |
|---|---|---|
-auto-approve | Boolean value that enables you to skip the installation confirmation prompt. | false |
-dry-run | Boolean value that validates the installation and returns a summary. | false |
-config-file | String value that specifies the path to a file containing custom installation configurations, e.g., Consul Helm chart values file. You can use the -config-file flag multiple times to specify multiple files. | none |
-namespace | String value that specifies the namespace of the Consul installation. | consul |
-preset | String value that installs Consul based on a preset configuration. You can specify the following values: demo: Installs a single replica server with sidecar injection enabled; useful for testing service mesh functionality. secure: Installs a single replica server with sidecar injection, ACLs, and TLS enabled; useful for testing service mesh functionality. | Configuration of the Consul Helm chart. |
-set | String value that enables you to set a customizable value. This flag is comparable to the helm install --set flag. You can use the -set flag multiple times to set multiple values. Consul Helm chart values are supported. | none |
-set-file | String value that specifies the name of an arbitrary config file. This flag is comparable to the helm install --set-file flag. The contents of the file will be used to set a customizable value. You can use the -set-file flag multiple times to specify multiple files. Consul Helm chart values are supported. | none |
-set-string | String value that enables you to set a customizable string value. This flag is comparable to the helm install --set-string flag. You can use the -set-string flag multiple times to specify multiple strings. Consul Helm chart values are supported. | none |
-timeout | Specifies how long to wait for the installation process to complete before timing out. The value is specified with an integer and string value indicating a unit of time. The following units are supported: ms (milliseconds)s (seconds)m (minutes) In the following example, installation will timeout after one minute: consul-k8s install -timeout 1m | 10m |
-wait | Boolean value that determines if Consul should wait for resources in the installation to be ready before exiting the command. | true |
-verbose, -v | Boolean value that specifies whether to output verbose logs from the install command with the status of resources being installed. | false |
-help, -h | Prints usage information for this option. | none |
See Global Options for additional commands that you can use when installing Consul on Kubernetes.
Example Commands
The following example command installs Consul in the myNS namespace according to the secure preset.
$ consul-k8s install -preset=secure -namespace=myNS
The following example commands install Consul on Kubernetes using custom values, files, or strings that are set via flags. The underlying Consul-on-Kubernetes Helm chart uses the flags to customize the installation. The flags are comparable to the helm install flags.
$ consul-k8s install -set key=value
$ consul-k8s install -set key1=value1 -set key2=value2
$ consul-k8s install -set-file config1=value1.conf
$ consul-k8s install -set-file config1=value1.conf -set-file config2=value2.conf
$ consul-k8s install -set-string key=value-bool
proxy
The proxy command exposes two subcommands for interacting with proxies managed by
Consul in your Kubernetes Cluster.
proxy list: List all Pods running proxies managed by Consul.proxy read: Inspect the Envoy configuration for a given Pod.proxy log: Inspect and modify the Envoy logging configuration for a given Pod.proxy stats: View the Envoy cluster stats for a given Pod.
proxy list
$ consul-k8s proxy list <OPTIONS>
| Flag | Description | Default |
|---|---|---|
-all-namespaces, -A | Boolean List pods in all Kubernetes namespaces. | false |
-namespace, -n | String The Kubernetes namespace to list proxies in. | Current kubeconfig namespace. |
-output-format, -o | String If set to json, outputs the result in json format, else table format | table |
Refer to the Global Options for additional options that you can use when installing Consul on Kubernetes.
This command lists proxies and their Type. Types of proxies include:
Sidecar: The majority of pods in the cluster areSidecartypes. They run the proxy as a sidecar to connect the pod as a service in the mesh.API Gateway: These pods run a proxy to manage connections with networks outside of the Consul cluster. Read more about API gateways.Ingress Gateway: These pods run a proxy to manage ingress into the Kubernetes cluster. Read more about ingress gateways.Terminating Gateway: These pods run a proxy to control connections to external services. Read more about terminating gateways.Mesh Gateway: These pods run a proxy to manage connections between Consul clusters connected using mesh federation. Read more about Consul Mesh Federation.
Example Commands
Display all pods in the current Kubernetes namespace that run proxies managed by Consul.
$ consul-k8s proxy list
Namespace: default
Name Type
backend-658b679b45-d5xlb Sidecar
client-767ccfc8f9-6f6gx Sidecar
client-767ccfc8f9-f8nsn Sidecar
client-767ccfc8f9-ggrtx Sidecar
frontend-676564547c-v2mfq Sidecar
Display all pods in the consul Kubernetes namespace that run proxies managed
by Consul.
$ consul-k8s proxy list -n consul
Namespace: consul
Name Type
consul-ingress-gateway-6fb5544485-br6fl Ingress Gateway
consul-ingress-gateway-6fb5544485-m54sp Ingress Gateway
Display all Pods across all namespaces that run proxies managed by Consul.
$ consul-k8s proxy list -A
Namespace: All namespaces
Namespace Name Type
consul consul-ingress-gateway-6fb5544485-br6fl Ingress Gateway
consul consul-ingress-gateway-6fb5544485-m54sp Ingress Gateway
default backend-658b679b45-d5xlb Sidecar
default client-767ccfc8f9-6f6gx Sidecar
default client-767ccfc8f9-f8nsn Sidecar
default client-767ccfc8f9-ggrtx Sidecar
default frontend-676564547c-v2mfq Sidecar
Display all Pods across all namespaces that run proxies managed by Consul in JSON format
$ consul-k8s proxy list -A -o json
Namespace: All namespaces
[
{
"Name": "frontend-6fd97b8fb5-spqb8",
"Namespace": "default",
"Type": "Sidecar"
},
{
"Name": "nginx-6d7469694f-p5wrz",
"Namespace": "default",
"Type": "Sidecar"
},
{
"Name": "payments-667d87bf95-ktb8n",
"Namespace": "default",
"Type": "Sidecar"
},
{
"Name": "product-api-7c4d77c7c9-g4g2b",
"Namespace": "default",
"Type": "Sidecar"
},
{
"Name": "product-api-db-685c844cb-k5l8f",
"Namespace": "default",
"Type": "Sidecar"
},
{
"Name": "public-api-567d949866-cgksl",
"Namespace": "default",
"Type": "Sidecar"
}
]
proxy read
The proxy read command allows you to inspect the configuration of Envoy proxies running on a given Pod.
$ consul-k8s proxy read <PODNAME> <OPTIONS>
The command takes a required value, <PODNAME>. This should be the full name
of a Kubernetes Pod. If a Pod is running more than one Envoy proxy managed by
Consul, as in the Multiport configuration,
configuration for all proxies in the Pod will be displayed.
The following options are available.
| Flag | Description | Default |
|---|---|---|
-namespace, -n | String The namespace where the target Pod can be found. | Current kubeconfig namespace. |
-output, -o | String Output the Envoy configuration as 'table', 'json', or 'raw'. | 'table' |
-clusters | Boolean Filter output to only show clusters. | false |
-endpoints | Boolean Filter output to only show endpoints. | false |
-listeners | Boolean Filter output to only show listeners. | false |
-routes | Boolean Filter output to only show routes. | false |
-secrets | Boolean Filter output to only show secrets. | false |
-address | String Filter clusters, endpoints, and listeners output to only those with endpoint addresses which contain the given value. | "" |
-fqdn | String Filter cluster output to only clusters with a fully qualified domain name which contains the given value. | "" |
-port | Int Filter endpoints output to only endpoints with the given port number. | -1 which does not filter by port |
Example commands
Get the configuration summary for the Envoy proxy running on the Pod
backend-658b679b45-d5xlb.
$ consul-k8s proxy read backend-658b679b45-d5xlb
Envoy configuration for backend-658b679b45-d5xlb in namespace default:
==> Clusters (5)
Name FQDN Endpoints Type Last Updated
local_agent local_agent 192.168.79.187:8502 STATIC 2022-05-13T04:22:39.553Z
client client.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul 192.168.18.110:20000, 192.168.52.101:20000, 192.168.65.131:20000 EDS 2022-08-08T12:02:07.471Z
frontend frontend.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul 192.168.63.120:20000 EDS 2022-08-08T12:02:07.354Z
local_app local_app 127.0.0.1:8080 STATIC 2022-05-13T04:22:39.655Z
original-destination original-destination ORIGINAL_DST 2022-05-13T04:22:39.743Z
==> Endpoints (6)
Address:Port Cluster Weight Status
192.168.79.187:8502 local_agent 1.00 HEALTHY
192.168.18.110:20000 client.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul 1.00 HEALTHY
192.168.52.101:20000 client.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul 1.00 HEALTHY
192.168.65.131:20000 client.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul 1.00 HEALTHY
192.168.63.120:20000 frontend.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul 1.00 HEALTHY
127.0.0.1:8080 local_app 1.00 HEALTHY
==> Listeners (2)
Name Address:Port Direction Filter Chain Match Filters Last Updated
public_listener 192.168.69.179:20000 INBOUND Any * to local_app/ 2022-08-08T12:02:22.261Z
outbound_listener 127.0.0.1:15001 OUTBOUND 10.100.134.173/32, 240.0.0.3/32 to client.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul 2022-07-18T15:31:03.246Z
10.100.31.2/32, 240.0.0.5/32 to frontend.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul
Any to original-destination
==> Routes (1)
Name Destination Cluster Last Updated
public_listener local_app/ 2022-08-08T12:02:22.260Z
==> Secrets (0)
Name Type Last Updated
Get the Envoy configuration summary for all clusters with a fully qualified
domain name that includes "default". Display only clusters and listeners.
$ consul-k8s proxy read backend-658b679b45-d5xlb -fqdn default -clusters -listeners
==> Filters applied
Fully qualified domain names containing: default
Envoy configuration for backend-658b679b45-d5xlb in namespace default:
==> Clusters (2)
Name FQDN Endpoints Type Last Updated
client client.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul 192.168.18.110:20000, 192.168.52.101:20000, 192.168.65.131:20000 EDS 2022-08-08T12:02:07.471Z
frontend frontend.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul 192.168.63.120:20000 EDS 2022-08-08T12:02:07.354Z
==> Listeners (2)
Name Address:Port Direction Filter Chain Match Filters Last Updated
public_listener 192.168.69.179:20000 INBOUND Any * to local_app/ 2022-08-08T12:02:22.261Z
outbound_listener 127.0.0.1:15001 OUTBOUND 10.100.134.173/32, 240.0.0.3/32 to client.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul 2022-07-18T15:31:03.246Z
10.100.31.2/32, 240.0.0.5/32 to frontend.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul
Any to original-destination
Get the Envoy configuration summary in a JSON format. Note that this is not the same as the raw configuration dump from the admin API. This information is the same as what is displayed in the table output above, but in a JSON format.
$ consul-k8s proxy read backend-658b679b45-d5xlb -o json
{
"backend-658b679b45-d5xlb": {
"clusters": [
{
"Name": "local_agent",
"FullyQualifiedDomainName": "local_agent",
"Endpoints": [
"192.168.79.187:8502"
],
"Type": "STATIC",
"LastUpdated": "2022-05-13T04:22:39.553Z"
},
{
"Name": "client",
"FullyQualifiedDomainName": "client.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul",
"Endpoints": [
"192.168.18.110:20000",
"192.168.52.101:20000",
"192.168.65.131:20000"
],
"Type": "EDS",
"LastUpdated": "2022-08-08T12:02:07.471Z"
},
{
"Name": "frontend",
"FullyQualifiedDomainName": "frontend.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul",
"Endpoints": [
"192.168.63.120:20000"
],
"Type": "EDS",
"LastUpdated": "2022-08-08T12:02:07.354Z"
},
{
"Name": "local_app",
"FullyQualifiedDomainName": "local_app",
"Endpoints": [
"127.0.0.1:8080"
],
"Type": "STATIC",
"LastUpdated": "2022-05-13T04:22:39.655Z"
},
{
"Name": "original-destination",
"FullyQualifiedDomainName": "original-destination",
"Endpoints": [],
"Type": "ORIGINAL_DST",
"LastUpdated": "2022-05-13T04:22:39.743Z"
}
],
"endpoints": [
{
"Address": "192.168.79.187:8502",
"Cluster": "local_agent",
"Weight": 1,
"Status": "HEALTHY"
},
{
"Address": "192.168.18.110:20000",
"Cluster": "client.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul",
"Weight": 1,
"Status": "HEALTHY"
},
{
"Address": "192.168.52.101:20000",
"Cluster": "client.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul",
"Weight": 1,
"Status": "HEALTHY"
},
{
"Address": "192.168.65.131:20000",
"Cluster": "client.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul",
"Weight": 1,
"Status": "HEALTHY"
},
{
"Address": "192.168.63.120:20000",
"Cluster": "frontend.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul",
"Weight": 1,
"Status": "HEALTHY"
},
{
"Address": "127.0.0.1:8080",
"Cluster": "local_app",
"Weight": 1,
"Status": "HEALTHY"
}
],
"listeners": [
{
"Name": "public_listener",
"Address": "192.168.69.179:20000",
"FilterChain": [
{
"Filters": [
"* to local_app/"
],
"FilterChainMatch": "Any"
}
],
"Direction": "INBOUND",
"LastUpdated": "2022-08-08T12:02:22.261Z"
},
{
"Name": "outbound_listener",
"Address": "127.0.0.1:15001",
"FilterChain": [
{
"Filters": [
"to client.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul"
],
"FilterChainMatch": "10.100.134.173/32, 240.0.0.3/32"
},
{
"Filters": [
"to frontend.default.dc1.internal.bc3815c2-1a0f-f3ff-a2e9-20d791f08d00.consul"
],
"FilterChainMatch": "10.100.31.2/32, 240.0.0.5/32"
},
{
"Filters": [
"to original-destination"
],
"FilterChainMatch": "Any"
}
],
"Direction": "OUTBOUND",
"LastUpdated": "2022-07-18T15:31:03.246Z"
}
],
"routes": [
{
"Name": "public_listener",
"DestinationCluster": "local_app/",
"LastUpdated": "2022-08-08T12:02:22.260Z"
}
],
"secrets": []
}
}
Get the raw Envoy configuration dump and clusters information for the Envoy
proxy running on the Pod backend-658b679b45-d5xlb. The example command returns
the raw configuration for each service as JSON. You can use the
JQ command line tool to index into
the configuration for the service you want to inspect.
Refer to the Envoy config dump documentation for more information on the structure of the config dump.
The following output is truncated for brevity.
$ consul-k8s proxy read backend-658b679b45-d5xlb -o raw
{
"backend-658b679b45-d5xlb": {
"clusters": {
// [-- snip 372 lines --] output from the Envoy admin interface's /clusters endpoint.
},
"config_dump": {
// [-- snip 1816 lines --] output from the Envoy admin interface's /config_dump?include_eds endpoint.
}
}
proxy log
The proxy log command allows you to inspect and modify the logging configuration of Envoy proxies running on a given Pod.
$ consul-k8s proxy log <PODNAME> <OPTIONS>
The command takes a required value, <PODNAME>. This should be the full name
of a Kubernetes Pod. If a Pod is running more than one Envoy proxy managed by
Consul, as in the Multiport configuration,
the terminal displays configuration information for all proxies in the pod.
The following options are available.
| Flag | Description | Default |
|---|---|---|
-namespace, -n | String Specifies the namespace containing the target Pod. | Current kubeconfig namespace. |
-update-level, -u | String Specifies the logger (optional) and the level to update. Use the following format to configure the same level for loggers: You can also specify a comma-delineated list to configure levels for specific loggers, for example: | none |
-reset, -r | String Reset the log levels for all loggers back to the default of info | info |
Example commands
In the following example, Consul returns the log levels for all of an Envoy proxy's loggers in a pod with the ID server-697458b9f8-4vr29:
$ consul-k8s proxy log server-697458b9f8-4vr29
Envoy log configuration for server-697458b9f8-4vr29 in namespace default:
==> Log Levels for server-697458b9f8-4vr29
Name Level
rds info
backtrace info
hc info
http info
io info
jwt info
rocketmq info
matcher info
runtime info
redis info
stats info
tap info
alternate_protocols_cache info
grpc info
init info
quic info
thrift info
wasm info
aws info
conn_handler info
ext_proc info
hystrix info
tracing info
dns info
oauth2 info
connection info
health_checker info
kafka info
mongo info
config info
admin info
forward_proxy info
misc info
websocket info
dubbo info
happy_eyeballs info
main info
client info
lua info
udp info
cache_filter info
filter info
multi_connection info
quic_stream info
router info
http2 info
key_value_store info
secret info
testing info
upstream info
assert info
ext_authz info
rbac info
decompression info
envoy_bug info
file info
pool info
The following command updates the log levels for all loggers of an Envoy proxy to warning.
$ consul-k8s proxy log server-697458b9f8-4vr29 -update-level warning
Envoy log configuration for server-697458b9f8-4vr29 in namespace default:
==> Log Levels for server-697458b9f8-4vr29
Name Level
pool warning
rbac warning
tracing warning
aws warning
cache_filter warning
decompression warning
init warning
assert warning
client warning
misc warning
udp warning
config warning
hystrix warning
key_value_store warning
runtime warning
admin warning
dns warning
jwt warning
redis warning
quic warning
alternate_protocols_cache warning
conn_handler warning
ext_proc warning
http warning
oauth2 warning
ext_authz warning
http2 warning
kafka warning
mongo warning
router warning
thrift warning
grpc warning
matcher warning
hc warning
multi_connection warning
wasm warning
dubbo warning
filter warning
upstream warning
backtrace warning
connection warning
io warning
main warning
happy_eyeballs warning
rds warning
tap warning
envoy_bug warning
rocketmq warning
file warning
forward_proxy warning
stats warning
health_checker warning
lua warning
secret warning
quic_stream warning
testing warning
websocket warning
The following command updates the grpc log level to error, the http log level to critical, and the runtime log level to debug for pod ID server-697458b9f8-4vr29
$ consul-k8s proxy log server-697458b9f8-4vr29 -update-level grpc:error,http:critical,runtime:debug
Envoy log configuration for server-697458b9f8-4vr29 in namespace default:
==> Log Levels for server-697458b9f8-4vr29
Name Level
assert info
dns info
http critical
pool info
thrift info
udp info
grpc error
hc info
stats info
wasm info
alternate_protocols_cache info
ext_authz info
filter info
http2 info
key_value_store info
tracing info
cache_filter info
quic_stream info
aws info
io info
matcher info
rbac info
tap info
connection info
conn_handler info
rocketmq info
hystrix info
oauth2 info
redis info
backtrace info
file info
forward_proxy info
kafka info
config info
router info
runtime debug
testing info
happy_eyeballs info
ext_proc info
init info
lua info
health_checker info
misc info
envoy_bug info
jwt info
main info
quic info
upstream info
websocket info
client info
decompression info
mongo info
multi_connection info
rds info
secret info
admin info
dubbo info
The following command resets the log levels for all loggers of an Envoy proxy in pod server-697458b9f8-4vr29 to the default level of info.
$ consul-k8s proxy log server-697458b9f8-4vr29 -r
Envoy log configuration for server-697458b9f8-4vr29 in namespace default:
==> Log Levels for server-697458b9f8-4vr29
Name Level
ext_proc info
secret info
thrift info
tracing info
dns info
rocketmq info
happy_eyeballs info
hc info
io info
misc info
conn_handler info
key_value_store info
rbac info
hystrix info
wasm info
admin info
cache_filter info
client info
health_checker info
oauth2 info
runtime info
testing info
grpc info
upstream info
forward_proxy info
matcher info
pool info
aws info
decompression info
jwt info
tap info
assert info
redis info
http info
quic info
rds info
connection info
envoy_bug info
stats info
alternate_protocols_cache info
backtrace info
filter info
http2 info
init info
multi_connection info
quic_stream info
dubbo info
ext_authz info
main info
udp info
websocket info
config info
mongo info
router info
file info
kafka info
lua info
proxy stats
The proxy stats command allows you to inspect the Envoy cluster stats for Envoy proxies running on a given Pod.
$ consul-k8s proxy stats <PODNAME> <OPTIONS>
| Flag | Description | Default |
|---|---|---|
-namespace, -n | String The Kubernetes namespace to list proxies in. | Current kubeconfig namespace. |
Refer to the Global Options for additional options that you can use when installing Consul on Kubernetes.
Example Commands
Display the Envoy cluster stats in a given pod in default namespace.
$ consul-k8s proxy stats product-api-7c4d77c7c9-6slnl
cluster.frontend.default.dc1.internal.4b11bae3-b8ca-ee63-89bc-428cbfa6ef60.consul.version_text: ""
cluster.nginx.default.dc1.internal.4b11bae3-b8ca-ee63-89bc-428cbfa6ef60.consul.version_text: ""
cluster.payments.default.dc1.internal.4b11bae3-b8ca-ee63-89bc-428cbfa6ef60.consul.version_text: ""
cluster.product-api-db.default.dc1.internal.4b11bae3-b8ca-ee63-89bc-428cbfa6ef60.consul.version_text: ""
cluster.public-api.default.dc1.internal.4b11bae3-b8ca-ee63-89bc-428cbfa6ef60.consul.version_text: ""
cluster_manager.cds.version_text: ""
control_plane.identifier: ""
listener_manager.lds.version_text: ""
cluster.consul-dataplane.assignment_stale: 0
cluster.consul-dataplane.assignment_timeout_received: 0
cluster.consul-dataplane.bind_errors: 0
cluster.consul-dataplane.circuit_breakers.default.cx_open: 0
cluster.consul-dataplane.circuit_breakers.default.cx_pool_open: 0
cluster.consul-dataplane.circuit_breakers.default.rq_open: 0
cluster.consul-dataplane.circuit_breakers.default.rq_pending_open: 0
cluster.consul-dataplane.circuit_breakers.default.rq_retry_open: 0
cluster.consul-dataplane.circuit_breakers.high.cx_open: 0
cluster.consul-dataplane.circuit_breakers.high.cx_pool_open: 0
cluster.consul-dataplane.circuit_breakers.high.rq_open: 0
cluster.consul-dataplane.circuit_breakers.high.rq_pending_open: 0
cluster.consul-dataplane.circuit_breakers.high.rq_retry_open: 0
cluster.consul-dataplane.default.total_match_count: 1
cluster.consul-dataplane.http2.deferred_stream_close: 0
cluster.consul-dataplane.http2.dropped_headers_with_underscores: 0
cluster.consul-dataplane.http2.header_overflow: 0
cluster.consul-dataplane.http2.headers_cb_no_stream: 0
cluster.consul-dataplane.http2.inbound_empty_frames_flood: 0
cluster.consul-dataplane.http2.inbound_priority_frames_flood: 0
.........
Display the Envoy cluster stats in a given pod in different namespace.
$ consul-k8s proxy stats public-api-567d949866-452xc -n consul
cluster.frontend.default.dc1.internal.4b11bae3-b8ca-ee63-89bc-428cbfa6ef60.consul.version_text: ""
cluster.nginx.default.dc1.internal.4b11bae3-b8ca-ee63-89bc-428cbfa6ef60.consul.version_text: ""
cluster.payments.default.dc1.internal.4b11bae3-b8ca-ee63-89bc-428cbfa6ef60.consul.version_text: ""
cluster.product-api-db.default.dc1.internal.4b11bae3-b8ca-ee63-89bc-428cbfa6ef60.consul.version_text: ""
cluster.product-api.default.dc1.internal.4b11bae3-b8ca-ee63-89bc-428cbfa6ef60.consul.version_text: ""
cluster_manager.cds.version_text: ""
control_plane.identifier: ""
listener_manager.lds.version_text: ""
cluster.consul-dataplane.assignment_stale: 0
cluster.consul-dataplane.assignment_timeout_received: 0
cluster.consul-dataplane.bind_errors: 0
cluster.consul-dataplane.circuit_breakers.default.cx_open: 0
cluster.consul-dataplane.circuit_breakers.default.cx_pool_open: 0
cluster.consul-dataplane.circuit_breakers.default.rq_open: 0
cluster.consul-dataplane.circuit_breakers.default.rq_pending_open: 0
cluster.consul-dataplane.circuit_breakers.default.rq_retry_open: 0
cluster.consul-dataplane.circuit_breakers.high.cx_open: 0
cluster.consul-dataplane.circuit_breakers.high.cx_pool_open: 0
cluster.consul-dataplane.circuit_breakers.high.rq_open: 0
cluster.consul-dataplane.circuit_breakers.high.rq_pending_open: 0
cluster.consul-dataplane.circuit_breakers.high.rq_retry_open: 0
.........
status
The status command provides an overall status summary of the Consul on Kubernetes installation. It also provides the configuration that was used to deploy Consul K8s and information about the health of Consul servers and clients. This command does not take in any flags.
$ consul-k8s status
Example Command
$ consul-k8s status
==> Consul-K8s Status Summary
NAME | NAMESPACE | STATUS | CHARTVERSION | APPVERSION | REVISION | LAST UPDATED
---------+-----------+----------+--------------+------------+----------+--------------------------
consul | consul | deployed | 0.41.1 | 1.11.4 | 1 | 2022/03/10 07:48:58 MST
==> Config:
connectInject:
enabled: true
metrics:
defaultEnableMerging: true
defaultEnabled: true
enableGatewayMetrics: true
global:
metrics:
enableAgentMetrics: true
enabled: true
name: consul
prometheus:
enabled: true
server:
replicas: 1
ui:
enabled: true
service:
enabled: true
✓ Consul servers healthy (1/1)
✓ Consul clients healthy (3/3)
troubleshoot
The troubleshoot command exposes two subcommands for troubleshooting Consul
service mesh and network issues from a given pod.
troubleshoot upstreams: List all Envoy upstreams in Consul service mesh from the given pod.troubleshoot proxy: Troubleshoot Consul service mesh configuration and network issues between the given pod and the given upstream.
troubleshoot upstreams
$ consul-k8s troubleshoot upstreams -pod <pod> <OPTIONS>
| Flag | Description | Default |
|---|---|---|
-namespace, -n | String The Kubernetes namespace to list proxies in. | Current kubeconfig namespace. |
Example Commands
The following example displays all transparent proxy upstreams in Consul service mesh from the given pod.
$ consul-k8s troubleshoot upstreams -pod frontend-767ccfc8f9-6f6gx
==> Upstreams (explicit upstreams only) (0)
==> Upstreams IPs (transparent proxy only) (1)
[10.4.6.160 240.0.0.3] true map[backend.default.dc1.internal.e08fa6d6-e91e-dfe0-f6e1-ba097a828e31.consul backend2.default.dc1.internal.e08fa6d6-e91e-dfe0-f6e1-ba097a828e31.consul]
If you cannot find the upstream address or cluster for a transparent proxy upstream:
- Check intentions: Tproxy upstreams are configured based on intentions. Make sure you have configured intentions to allow traffic to your upstream.
- To check that the right cluster is being dialed, run a DNS lookup for the upstream you are dialing. For example, run `dig backend.svc.consul` to return the IP address for the `backend` service. If the address you get from that is missing from the upstream IPs, it means that your proxy may be misconfigured.
The following example displays all explicit upstreams from the given pod in the Consul service mesh.
$ consul-k8s troubleshoot upstreams -pod client-767ccfc8f9-6f6gx
==> Upstreams (explicit upstreams only) (1)
server
counting
==> Upstreams IPs (transparent proxy only) (0)
If you cannot find the upstream address or cluster for a transparent proxy upstream:
- Check intentions: Tproxy upstreams are configured based on intentions. Make sure you have configured intentions to allow traffic to your upstream.
- To check that the right cluster is being dialed, run a DNS lookup for the upstream you are dialing. For example, run `dig backend.svc.consul` to return the IP address for the `backend` service. If the address you get from that is missing from the upstream IPs, it means that your proxy may be misconfigured.
troubleshoot proxy
$ consul-k8s troubleshoot proxy -pod <pod> -upstream-ip <ip> <OPTIONS>
$ consul-k8s troubleshoot proxy -pod <pod> -upstream-envoy-id <envoy-id> <OPTIONS>
| Flag | Description | Default |
|---|---|---|
-namespace, -n | String The Kubernetes namespace to list proxies in. | Current kubeconfig namespace. |
-upstream-ip | String The IP address of the upstream transparent proxy | |
-upstream-envoy-id | String The Envoy identifier of the upstream |
Example Commands
The following example troubleshoots the Consul service mesh configuration and network issues between the given pod and the given upstream IP.
$ consul-k8s troubleshoot proxy -pod frontend-767ccfc8f9-6f6gx -upstream-ip 10.4.6.160
==> Validation
✓ certificates are valid
✓ Envoy has 0 rejected configurations
✓ Envoy has detected 0 connection failure(s)
✓ listener for upstream "backend" found
✓ route for upstream "backend" found
✓ cluster "backend.default.dc1.internal..consul" for upstream "backend" found
✓ healthy endpoints for cluster "backend.default.dc1.internal.e08fa6d6-e91e-dfe0-f6e1-ba097a828e31.consul" for upstream "backend" found
✓ cluster "backend2.default.dc1.internal..consul" for upstream "backend" found
! no healthy endpoints for cluster "backend2.default.dc1.internal.e08fa6d6-e91e-dfe0-f6e1-ba097a828e31.consul" for upstream "backend" found
The following example troubleshoots the Consul service mesh configuration and network issues between the given pod and the given upstream.
$ consul-k8s troubleshoot proxy -pod frontend-767ccfc8f9-6f6gx -upstream-envoy-id db
==> Validation
✓ certificates are valid
✓ Envoy has 0 rejected configurations
✓ Envoy has detected 0 connection failure(s)
! no listener for upstream "db" found
! no route for upstream "backend" found
! no cluster "db.default.dc1.internal.e08fa6d6-e91e-dfe0-f6e1-ba097a828e31.consul" for upstream "db" found
! no healthy endpoints for cluster "db.default.dc1.internal.e08fa6d6-e91e-dfe0-f6e1-ba097a828e31.consul" for upstream "db" found
uninstall
The uninstall command removes Consul from Kubernetes.
$ consul-k8s uninstall <OPTIONS>
The following options are available.
| Flag | Description | Default |
|---|---|---|
-auto-approve | Boolean value that enables you to skip the removal confirmation prompt. | false |
-name | String value for the name of the installation to remove. | none |
-namespace | String value that specifies the namespace of the Consul installation to remove. | consul |
-timeout | Specifies how long to wait for the removal process to complete before timing out. The value is specified with an integer and string value indicating a unit of time. The following units are supported: ms (milliseconds)s (seconds)m (minutes) h (hours) In the following example, removal will timeout after one minute: consul-k8s uninstall -timeout 1m | 10m |
-wipe-data | Boolean value that deletes PVCs and secrets associated with the Consul installation during installation. Data will be removed without a verification prompt if the -auto-approve flag is set to true. | false Instructions for removing data will be printed to the console. |
--help | Prints usage information for this option. | none |
See Global Options for additional commands that you can use when uninstalling Consul from Kubernetes.
Example Command
The following example command immediately uninstalls Consul from the my-ns namespace with the name my-consul and removes PVCs and secrets associated with the installation without asking for verification:
$ consul-k8s uninstall -namespace=my-ns -name=my-consul -wipe-data=true -auto-approve=true
upgrade
The upgrade command upgrades the Consul on Kubernetes components to the current version of the consul-k8s cli. Prior to running consul-k8s upgrade, the consul-k8s CLI should first be upgraded to the latest version as described Upgrade the Consul K8s CLI
$ consul-k8s upgrade
The following options are available.
| Flag | Description | Default |
|---|---|---|
-auto-approve | Boolean value that enables you to skip the upgrade confirmation prompt. | false |
-dry-run | Boolean value that allows you to run pre-upgrade checks and returns a summary of the upgrade. | false |
-config-file | String value that specifies the path to a file containing custom upgrade configurations, e.g., Consul Helm chart values file. You can use the -config-file flag multiple times to specify multiple files. | none |
-namespace | String value that specifies the namespace of the Consul installation. | consul |
-preset | String value that upgrades Consul based on a preset configuration. | Configuration of the Consul Helm chart. |
-set | String value that enables you to set a customizable value. This flag is comparable to the helm upgrade --set flag. You can use the -set flag multiple times to set multiple values. Consul Helm chart values are supported. | none |
-set-file | String value that specifies the name of an arbitrary config file. This flag is comparable to the helm upgrade --set-file flag. The contents of the file will be used to set a customizable value. You can use the -set-file flag multiple times to specify multiple files. Consul Helm chart values are supported. | none |
-set-string | String value that enables you to set a customizable string value. This flag is comparable to the helm upgrade --set-string flag. You can use the -set-string flag multiple times to specify multiple strings. Consul Helm chart values are supported. | none |
-timeout | Specifies how long to wait for the upgrade process to complete before timing out. The value is specified with an integer and string value indicating a unit of time. The following units are supported: ms (milliseconds)s (seconds)m (minutes) In the following example, the upgrade will timeout after one minute: consul-k8s upgrade -timeout 1m | 10m |
-wait | Boolean value that determines if Consul should wait for resources in the upgrade to be ready before exiting the command. | true |
-verbose, -v | Boolean value that specifies whether to output verbose logs from the upgrade command with the status of resources being upgraded. | false |
--help | Prints usage information for this option. | none |
See Global Options for additional commands that you can use when installing Consul on Kubernetes.
version
The version command prints the Consul on Kubernetes version. This command does not take any options.
$ consul-k8s version
You can also print the version with the --version flag.
$ consul-k8s --version
Global Options
The following global options are available.
| Flag | Description | Default |
|---|---|---|
-context | String value that sets the Kubernetes context to use for Consul K8s CLI operations. | none |
-kubeconfig, -c | String value that specifies the path to the kubeconfig file. | none |