Acquisition complete HashiCorp officially joins the IBM family. Learn more
Consul
Consul Home

You are viewing documentation for pre-release version v1.21.0 (rc). View latest version.

Consul agents configuration file reference

This topic describes the parameters for configuring Consul agents.

Refer to the Configure a Consul agent guide for information on the following:

  • Configuration files location
  • Common configuration settings
  • Reloadable configurations
  • Starting and stopping a Consul agent

Overview

Create one or more files to configure the Consul agent on startup. We recommend grouping similar configurations, such as ACL parameters, into separate files to better manage configuration changes.

Write configuration files in HCL or JSON. Both humans and computers can read and edit JSON configuration files. JSON configuration consists of a single JSON object with multiple configuration keys specified within it.

Example Configuration File

datacenter = "east-aws"
data_dir = "/opt/consul"
log_level = "INFO"
node_name = "foobar"
server = true
watches = [
  {
    type = "checks"
    handler = "/usr/bin/health-check-handler.sh"
  }
]

telemetry {
  statsite_address = "127.0.0.1:2180"
}

Time-to-live values

Consul uses the Go time package to parse all time-to-live (TTL) values used in Consul agent configuration files. Specify integer and float values as a string and include one or more of the following units of time:

Examples:

Refer to the formatting specification for additional information.

Examples

The following configuration examples demonstrate scenarios for server and client agent configuration files.

Server node with encryption enabled

The following example shows a server node configured with encryption enabled. Refer to the Security chapter for additional information about how to configure security options for Consul.

node_name = "consul-server"
server = true
ui_config {
  enabled = true
}
data_dir = "consul/data"
addresses {
  http = "0.0.0.0"
}
retry_join = [
  "consul-server2",
  "consul-server3"
]
encrypt = "aPuGh+5UDskRAbkLaXRzFoSOcSM+5vAK+NEYOWHJH7w="

tls {
  defaults {
    verify_incoming = true
    verify_outgoing = true
    ca_file = "/consul/config/certs/consul-agent-ca.pem"
    cert_file = "/consul/config/certs/dc1-server-consul-0.pem"
    key_file = "/consul/config/certs/dc1-server-consul-0-key.pem"
    verify_server_hostname = true
  }
}

Server node in a service mesh

The following example configuration is for a server agent named "consul-server". The server is bootstrapped and the Consul GUI is enabled. The reason this server agent is configured for a service mesh is that the connect configuration is enabled. The connect subsystem provides Consul's service mesh capabilities, including service-to-service connection authorization and encryption using mutual Transport Layer Security (TLS). Applications can use sidecar proxies in a service mesh configuration to establish TLS connections for inbound and outbound connections without being aware of Consul service mesh at all. Refer to Consul Service Mesh for details.

node_name = "consul-server"
server    = true
bootstrap = true
ui_config {
  enabled = true
}
datacenter = "dc1"
data_dir   = "consul/data"
log_level  = "INFO"
addresses {
  http = "0.0.0.0"
}
connect {
  enabled = true
}

Client node with multiple interfaces or IP addresses

The following example shows how to configure Consul to listen on multiple interfaces or IP addresses using a [go-sockaddr template].

The bind_addr is used for internal RPC and Serf communication (read the Agent Configuration for more information).

The client_addr configuration specifies IP addresses used for HTTP, HTTPS, DNS and gRPC servers. Refer to read the Agent Configuration for more information](/consul/docs/reference/agent/configuration-file/general#client_addr)).

node_name = "consul-client"
server    = false
bootstrap = true
ui_config {
  enabled = true
}
datacenter = "dc1"
data_dir   = "consul/data"
log_level  = "INFO"

# used for internal RPC and Serf
bind_addr = "0.0.0.0"

# Used for HTTP, HTTPS, DNS, and gRPC addresses.
# loopback is not included in GetPrivateInterfaces because it is not routable.
client_addr = "{{ GetPrivateInterfaces | exclude \"type\" \"ipv6\" | join \"address\" \" \" }} {{ GetAllInterfaces | include \"flags\" \"loopback\" | join \"address\" \" \" }}"

# advertises gossip and RPC interface to other nodes
advertise_addr = "{{ GetInterfaceIP \"en0\" }}"

Client node registering a service

Using Consul as a central service registry is a common use case. The following example configuration includes common settings to register a service with a Consul agent and enable health checks. Refer to Define Health Checks to learn more about health checks.

node_name  = "consul-client"
server     = false
datacenter = "dc1"
data_dir   = "consul/data"
log_level  = "INFO"
retry_join = ["consul-server"]
service {
  id      = "dns"
  name    = "dns"
  tags    = ["primary"]
  address = "localhost"
  port    = 8600
  check {
    id       = "dns"
    name     = "Consul DNS TCP on port 8600"
    tcp      = "localhost:8600"
    interval = "10s"
    timeout  = "1s"
  }
}