Deploy Consul on Kubernetes

In this tutorial, you will:

• Deploy a HashiCorp Cloud Platform (HCP) Consul datacenter and an Elastic Kubernetes Service (EKS) cluster with Terraform
• Configure your terminal to communicate with the Consul datacenter
• View Consul services with the CLI, UI, and/or API

In this tutorial, you will:

• Deploy a HashiCorp Cloud Platform (HCP) Consul datacenter and an Azure Kubernetes Service (AKS) cluster with Terraform
• Configure your terminal to communicate with the Consul datacenter
• View Consul services with the CLI, UI, and/or API

For this tutorial, you will need:

• An AWS account configured for use with Terraform
• An HCP account configured for use with Terraform
• aws-cli >= 2.0
• terraform >= 1.0
• consul >= 1.16.0
• consul-k8s >= 1.2.0
• git >= 2.0
• helm >= 3.0
• kubectl <= 1.24

For this tutorial, you will need:

• An Azure account configured for use with Terraform
• An HCP account configured for use with Terraform
• Azure CLI
• terraform >= 1.0
• consul >= 1.16.0
• consul-k8s >= 1.2.0
• git >= 2.0
• helm >= 3.0
• kubectl <= 1.24

Clone the GitHub repository containing the configuration files and resources.

$ git clone https://github.com/hashicorp-education/learn-consul-get-started-kubernetes

$ git clone git@github.com:hashicorp-education/learn-consul-get-started-kubernetes.git

Change into the directory that contains the complete configuration files for this tutorial.

$ cd learn-consul-get-started-kubernetes/hcp-managed/eks

Clone the GitHub repository containing the configuration files and resources.

$ git clone https://github.com/hashicorp-education/learn-consul-get-started-kubernetes

$ git clone git@github.com:hashicorp-education/learn-consul-get-started-kubernetes.git

Change into the directory that contains the complete configuration files for this tutorial.

$ cd learn-consul-get-started-kubernetes/hcp-managed/aks

With these Terraform configuration files, you are ready to deploy your infrastructure.

Issue the terraform init command from your working directory to download the necessary providers and initialize the backend.

$ terraform init

Initializing the backend...

Initializing provider plugins...
...

Terraform has been successfully initialized!
...

Then, deploy the resources. Confirm the run by entering yes.

$ terraform apply

## ...
Do you want to perform these actions?
 Terraform will perform the actions described above.
 Only 'yes' will be accepted to approve.

 Enter a value: yes

## ...

Apply complete! Resources: 69 added, 0 changed, 0 destroyed.

With these Terraform configuration files, you are ready to deploy your infrastructure.

Issue the terraform init command from your working directory to download the necessary providers and initialize the backend.

$ terraform init

Initializing the backend...

Initializing provider plugins...
...

Terraform has been successfully initialized!
...

Then, deploy the resources. Confirm the run by entering yes.

$ terraform apply

## ...
Do you want to perform these actions?
 Terraform will perform the actions described above.
 Only 'yes' will be accepted to approve.

 Enter a value: yes

## ...

Apply complete! Resources: 24 added, 0 changed, 0 destroyed.

Kubernetes stores cluster connection information in a file called kubeconfig. You can retrieve the Kubernetes configuration settings for your EKS cluster and merge them into your local kubeconfig file by issuing the following command:

$ aws eks --region $(terraform output -raw region) update-kubeconfig --name $(terraform output -raw kubernetes_cluster_id)

Kubernetes stores cluster connection information in a file called kubeconfig. You can retrieve the Kubernetes configuration settings for your EKS cluster and merge them into your local kubeconfig file by issuing the following command:

$ az aks get-credentials --resource-group $(terraform output -raw azure_rg_name) --name $(terraform output -raw aks_cluster_name)

HCP Consul Dedicated is a secure, fully-managed solution for Consul and can be used immediately after the Terraform deployment completes, with no additional deployment/configuration steps. HCP Consul Dedicated provides you with all Consul Enterprise features by default. Feel free to go directly to Configure your CLI to interact with Consul datacenter.

HCP Consul Dedicated is a secure, fully-managed solution for Consul and can be used immediately after the Terraform deployment completes, with no additional deployment/configuration steps. HCP Consul Dedicated provides you with all Consul Enterprise features by default. Feel free to go directly to Configure your CLI to interact with Consul datacenter.

In this section, you will set environment variables in your terminal so your Consul CLI can interact with your Consul datacenter. The Consul CLI reads these environment variables for behavior defaults and will reference these values when you run consul commands.

Tokens are artifacts in the ACL system used to authenticate users, services, and Consul agents. Since ACLs are enabled in this Consul datacenter, entities requesting access to a resource must include a token that is linked with a policy, service identity, or node identity that grants permission to the resource. The ACL system checks the token and grants or denies access to resources based on the associated permissions. A bootstrap token has unrestricted privileges to all resources and APIs.

Set the Consul ACL token as an environment variable.

$ export CONSUL_HTTP_TOKEN=$(terraform output -raw consul_token)

Set the Consul destination address. By default, Consul runs on port 8500 for http and 8501 for https.

$ export CONSUL_HTTP_ADDR=$(terraform output -raw consul_addr)

In this section, you will set environment variables in your terminal so your Consul CLI can interact with your Consul datacenter. The Consul CLI reads these environment variables for behavior defaults and will reference these values when you run consul commands.

Tokens are artifacts in the ACL system used to authenticate users, services, and Consul agents. Since ACLs are enabled in this Consul datacenter, entities requesting access to a resource must include a token that is linked with a policy, service identity, or node identity that grants permission to the resource. The ACL system checks the token and grants or denies access to resources based on the associated permissions. A bootstrap token has unrestricted privileges to all resources and APIs.

Set the Consul ACL token as an environment variable.

$ export CONSUL_HTTP_TOKEN=$(terraform output -raw consul_root_token)

Set the Consul destination address. By default, Consul runs on port 8500 for http and 8501 for https.

$ export CONSUL_HTTP_ADDR=$(terraform output -raw consul_url)

In this section, you will view your Consul services with the CLI, UI, and/or API to explore the details of your service mesh.

$ consul catalog services
consul

$ consul members
Node             Address            Status  Type    Build       Protocol  DC               Partition  Segment
ip-172-25-32-114 172.25.32.114:8301 alive   server  1.16.0+ent  2         learn-consul-gs  default    <all>

$ echo $CONSUL_HTTP_ADDR
learn-hcp-eks-cluster.public.consul.00000000-0000-0000-0000-000000000000.aws.hashicorp.cloud

$ echo $CONSUL_HTTP_TOKEN
fe0dd5c3-f2e1-81e8-cde8-49d26cee5efc

$ curl -k \
    --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
    $CONSUL_HTTP_ADDR/v1/catalog/services\?pretty

{
    "consul": []
}

$ curl -k \
    --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
    $CONSUL_HTTP_ADDR/v1/agent/members\?pretty

[
    {
        "Name": "912fdb64-f013-535c-b564-c4351ecdb96a",
        "Addr": "172.25.16.4",
        "Port": 8301,
        "Tags": {
            "acls": "1",
            "bootstrap": "1",
            "build": "1.16.0+ent:e5a8325f",
            "dc": "learn-consul-gs",
            "ft_admpart": "1",
            "ft_fs": "1",
            "ft_ns": "1",
            "ft_si": "1",
            "grpc_tls_port": "8502",
            "id": "af11b884-3999-9214-7366-331bd1712fed",
            "port": "8300",
            "raft_vsn": "3",
            "role": "consul",
            "segment": "",
            "use_tls": "1",
            "vsn": "2",
            "vsn_max": "3",
            "vsn_min": "2",
            "wan_join_port": "8302"
        },
        "Status": 1,
        "ProtocolMin": 1,
        "ProtocolMax": 5,
        "ProtocolCur": 2,
        "DelegateMin": 2,
        "DelegateMax": 5,
        "DelegateCur": 4
    }
]

All services listed in your Consul catalog are empowered with Consul's service discovery capabilities that simplify scalability challenges and improve application resiliency. Review the Service Discovery overview page to learn more.

In this section, you will view your Consul services with the CLI, UI, and/or API to explore the details of your service mesh.

$ consul catalog services
consul

$ consul members
Node             Address           Status  Type    Build       Protocol  DC               Partition  Segment
912fdb64-f01...  172.25.16.4:8301  alive   server  1.16.0+ent  2         learn-consul-gs  default    <all>

$ echo $CONSUL_HTTP_ADDR
https://servers-public-consul-8d4f721f.db0ea9b8.z1.hashicorp.cloud

$ echo $CONSUL_HTTP_TOKEN
fe0dd5c3-f2e1-81e8-cde8-49d26cee5efc

$ curl -k \
    --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
    $CONSUL_HTTP_ADDR/v1/catalog/services\?pretty

{
    "consul": []
}

$ curl -k \
    --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
    $CONSUL_HTTP_ADDR/v1/agent/members\?pretty

[
    {
        "Name": "912fdb64-f013-535c-b564-c4351ecdb96a",
        "Addr": "172.25.16.4",
        "Port": 8301,
        "Tags": {
            "acls": "1",
            "bootstrap": "1",
            "build": "1.16.0+ent:e5a8325f",
            "dc": "learn-consul-gs",
            "ft_admpart": "1",
            "ft_fs": "1",
            "ft_ns": "1",
            "ft_si": "1",
            "grpc_tls_port": "8502",
            "id": "af11b884-3999-9214-7366-331bd1712fed",
            "port": "8300",
            "raft_vsn": "3",
            "role": "consul",
            "segment": "",
            "use_tls": "1",
            "vsn": "2",
            "vsn_max": "3",
            "vsn_min": "2",
            "wan_join_port": "8302"
        },
        "Status": 1,
        "ProtocolMin": 1,
        "ProtocolMax": 5,
        "ProtocolCur": 2,
        "DelegateMin": 2,
        "DelegateMax": 5,
        "DelegateCur": 4
    }
]

All services listed in your Consul catalog are empowered with Consul's service discovery capabilities that simplify scalability challenges and improve application resiliency. Review the Service Discovery overview page to learn more.