
Deploy Consul on Amazon Elastic Kubernetes Service (EKS)


In this tutorial you will deploy a Consul datacenter to Elastic Kubernetes Service (EKS) on Amazon Web Services (AWS) with HashiCorp's official Helm chart or the Consul K8S CLI. After deploying Consul, you will interact with it using the CLI, UI, and/or API.

Prerequisites

For this tutorial, you will need:

  • An AWS account with the ability to create a Kubernetes cluster
  • aws-cli
  • kubectl >= 1.21
  • helm >= 3.0
  • consul >= 1.14.0

Create an EKS cluster

An EKS cluster with at least three nodes is required to deploy Consul using the official Consul Helm chart. Create a three-node cluster on EKS by following the EKS documentation.

Configure kubectl to talk to your cluster

Configure kubectl to talk to your EKS cluster:

$ aws eks update-kubeconfig --region <region where you deployed your cluster> --name <your cluster name>

You can then run the command kubectl cluster-info to verify you are connected to your Kubernetes cluster:

$ kubectl cluster-info
Kubernetes master is running at https://<your K8s master location>.eks.amazonaws.com
CoreDNS is running at https://<your CoreDNS location>.eks.amazonaws.com/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

You can also review the documentation for configuring kubectl and EKS here:

  • Creating EKS kubeconfig

Deploy Consul

You can deploy a complete Consul datacenter using the official Consul Helm chart or the Consul K8S CLI. By default, these methods will install a total of three Consul servers. You can review the Consul Kubernetes installation documentation to learn more about these installation options.

Create a values file

To customize your Consul deployment, create a values.yaml file with the following contents.

values.yaml
# Contains values that affect multiple components of the chart.
global:
 # The main enabled/disabled setting.
 # If true, servers, clients, Consul DNS and the Consul UI will be enabled.
 enabled: true
 # The prefix used for all resources created in the Helm chart.
 name: consul
 # The name of the datacenter that the agents should register as.
 datacenter: dc1
 # Enables TLS across the cluster to verify authenticity of the Consul servers and clients.
 tls:
   enabled: true
 # Enables ACLs across the cluster to secure access to data and APIs.
 acls:
   # If true, automatically manage ACL tokens and policies for all Consul components.
   manageSystemACLs: true
# Configures values that configure the Consul server cluster.
server:
 enabled: true
 # The number of server agents to run. This determines the fault tolerance of the cluster.
 replicas: 3
# Contains values that configure the Consul UI.
ui:
 enabled: true
 # Registers a Kubernetes Service for the Consul UI as a LoadBalancer.
 service:
   type: LoadBalancer
# Configures and installs the automatic Consul Connect sidecar injector.
connectInject:
 enabled: true

Install Consul in your cluster

You can now deploy a complete Consul datacenter in your Kubernetes cluster using either the Consul K8S CLI (the first set of commands below) or the official Consul Helm chart (the second set). Choose one of the two methods.

$ brew tap hashicorp/tap
$ brew install hashicorp/tap/consul-k8s
$ consul-k8s install -config-file=values.yaml -set global.image=hashicorp/consul:1.14.0

Note: You can review the official Consul K8S CLI documentation to learn more about additional settings.

$ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories
$ helm install --values values.yaml consul hashicorp/consul --create-namespace --namespace consul --version "1.0.0"

Note: You can review the official Helm chart values to learn more about the default settings.

Run the command kubectl get pods to verify the Consul resources were successfully created.

$ kubectl get pods --namespace consul
NAME                                           READY   STATUS    RESTARTS   AGE
consul-connect-injector-6fc8d669b8-2n82l       1/1     Running   0          2m34s
consul-connect-injector-6fc8d669b8-9mqfm       1/1     Running   0          2m34s
consul-controller-554c7f79c4-2xc64             1/1     Running   0          2m34s
consul-server-0                                1/1     Running   0          2m34s
consul-server-1                                1/1     Running   0          2m34s
consul-server-2                                1/1     Running   0          2m34s
consul-webhook-cert-manager-64889c4964-wxc9b   1/1     Running   0          2m34s

Configure your CLI to interact with Consul cluster

In this section, you will set environment variables in your terminal so your Consul CLI can interact with your Consul cluster. The Consul CLI reads these environment variables for behavior defaults and will reference these values when you run consul commands.

Tokens are artifacts in the ACL system used to authenticate users, services, and Consul agents. Since ACLs are enabled in this Consul datacenter, entities requesting access to a resource must include a token that is linked with a policy, service identity, or node identity that grants permission to the resource. The ACL system checks the token and grants or denies access to resources based on the associated permissions. A bootstrap token has unrestricted privileges to all resources and APIs.

Retrieve the ACL bootstrap token from the respective Kubernetes secret and set it as an environment variable.

$ export CONSUL_HTTP_TOKEN=$(kubectl get --namespace consul secrets/consul-bootstrap-acl-token --template={{.data.token}} | base64 -d)

Set the Consul destination address.

$ export CONSUL_HTTP_ADDR=https://$(kubectl get services/consul-ui --namespace consul -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')

Remove SSL verification checks to simplify communication to your Consul cluster.

$ export CONSUL_HTTP_SSL_VERIFY=false

Note: In a production environment, we recommend keeping SSL verification set to true. Only disable this verification for a Consul cluster without TLS configured, in a development environment, and for demonstration purposes.
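
Because this deployment enables TLS, the CLI can verify the server certificate against the cluster's own CA rather than skipping verification. The following is an added example, not part of the original tutorial; it assumes the Helm chart stores its CA certificate in the secret consul-ca-cert under the key tls.crt and that the server certificate is valid for localhost, and the function names and CA file path are hypothetical.

```shell
#!/bin/sh
# Added example, not from the tutorial. Assumptions: the chart keeps its CA in
# the secret "consul-ca-cert" (key "tls.crt") and the server certificate is
# valid for "localhost". Function names and the CA file path are hypothetical.

# consul_fetch_ca NAMESPACE OUTFILE
# Writes the cluster CA certificate to OUTFILE, readable only by the owner.
consul_fetch_ca() {
  ns=$1
  out=$2
  (
    umask 077
    rm -f "$out"
    kubectl get secret consul-ca-cert --namespace "$ns" \
      -o jsonpath='{.data.tls\.crt}' | base64 -d > "$out"
  ) || return 1
  # An empty or non-PEM result means the secret name or key did not match.
  if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$out"; then
    rm -f "$out"
    echo "consul_fetch_ca: no PEM certificate found in secret" >&2
    return 1
  fi
}

# consul_use_verified_tls NAMESPACE [LOCAL_PORT]
# Points the Consul CLI at the port-forwarded UI service with verification on.
consul_use_verified_tls() {
  ns=$1
  port=${2:-6443}
  ca="${HOME}/.consul-${ns}-ca.pem"
  consul_fetch_ca "$ns" "$ca" || return 1
  unset CONSUL_HTTP_SSL_VERIFY   # unset means the CLI verifies certificates
  export CONSUL_CACERT="$ca"
  export CONSUL_HTTP_ADDR="https://localhost:${port}"
}

# Usage, with `kubectl port-forward svc/consul-ui --namespace consul 6443:443`
# running in another terminal:
#   . ./consul-verified-tls.sh
#   consul_use_verified_tls consul
#   consul members
#   curl --cacert "$CONSUL_CACERT" \
#     --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
#     "$CONSUL_HTTP_ADDR/v1/catalog/services"
```

With these variables set, a certificate that does not chain to the cluster CA causes the CLI and curl to fail the connection instead of silently accepting it.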

View Consul services

In this section, you will view your Consul services with the CLI, UI, and/or API to explore the details of your service mesh.

Run the CLI command consul catalog services to return the list of services registered in Consul. Notice this returns only the consul service since it is the only running service in your Consul cluster.

$ consul catalog services
consul

Agents run in either server or client mode. Server agents store all state information, including service and node IP addresses, health checks, and configuration. Client agents are lightweight processes that make up the majority of the datacenter. They report service health status to the server agents. Clients must run on every pod where services are running.

Run the CLI command consul members to return the list of Consul agents in your environment.

$ consul members
Node             Address          Status  Type    Build        Protocol  DC   Partition  Segment
consul-server-0  10.0.4.117:8301  alive   server  1.14.0beta1  2         dc1  default    <all>
consul-server-1  10.0.5.11:8301   alive   server  1.14.0beta1  2         dc1  default    <all>
consul-server-2  10.0.4.55:8301   alive   server  1.14.0beta1  2         dc1  default    <all>

Output the token value to your terminal and copy the value to your clipboard. You will use this ACL token to authenticate in the Consul UI.

$ echo $CONSUL_HTTP_TOKEN
fe0dd5c3-f2e1-81e8-cde8-49d26cee5efc

Open a separate terminal window and expose the Consul UI with kubectl port-forward using the consul-ui service name as the target. By default, Consul UI runs on port 6443 when you enable TLS, and port 8500 when TLS is disabled.

$ kubectl port-forward svc/consul-ui --namespace consul 6443:443

Open https://localhost:6443 in your browser to find the Consul UI. Since this environment uses a self-signed TLS certificate for its resources, click to proceed through the certificate warnings.

On the left navigation pane, click Services to review your deployed services. At this time, you will only find the consul service.

Consul UI Services Page

By default, the anonymous ACL policy allows you to view the contents of Consul services, nodes, and intentions. To make changes and see more details within the Consul UI, click Log In in the top right and insert your bootstrap ACL token.

Consul UI Login Page

After successfully authenticating with your ACL token, you are now able to view additional Consul components and make changes in the UI. Notice you can view and manage more options under the Access Controls section on the left navigation pane.

Consul UI Post Authentication

On the left navigation pane, click on Nodes.

Consul UI Nodes

View the list of services registered in Consul.

$ curl -k \
    --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
    $CONSUL_HTTP_ADDR/v1/catalog/services

Sample output:

{"consul":[]}

View the list of server and client Consul agents in your environment.

$ curl -k \
    --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
    $CONSUL_HTTP_ADDR/v1/agent/members\?pretty

Sample output:

[
    {
        "Name": "consul-server-0",
        "Addr": "10.244.0.13",
        "Port": 8301,
        "Tags": {
            "acls": "1",
            "bootstrap": "1",
            "build": "1.14.0",
            "dc": "dc1",
            "ft_fs": "1",
            "ft_si": "1",
            "grpc_port": "8502",
            "id": "8016fc4d-767f-8552-b018-0812228bd135",
            "port": "8300",
            "raft_vsn": "3",
            "role": "consul",
            "segment": "",
            "use_tls": "1",
            "vsn": "2",
            "vsn_max": "3",
            "vsn_min": "2",
            "wan_join_port": "8302"
        },
        "Status": 1,
        "ProtocolMin": 1,
        "ProtocolMax": 5,
        "ProtocolCur": 2,
        "DelegateMin": 2,
        "DelegateMax": 5,
        "DelegateCur": 4
    }
...TRUNCATED
]

All services listed in your Consul catalog are empowered with Consul's service discovery capabilities that simplify scalability challenges and improve application resiliency. Review the Service Discovery overview page to learn more.

Next steps

In this tutorial, you deployed a Consul datacenter onto an Elastic Kubernetes Service (EKS) cluster. After deploying Consul, you interacted with Consul using the CLI, UI, and API.

To learn more about deployment best practices, review the Kubernetes Reference Architecture tutorial.
