Running Consul on Kubernetes

This tutorial will walk you through deploying a three (3) node Consul cluster on Kubernetes.

Overview

• Three (3) node Consul cluster using a StatefulSet
• Secure communication between Consul members using TLS and encryption keys

Prerequisites

This tutorial leverages features available in Kubernetes 1.11.0 and later.

• kubernetes 1.11.x

gcloud container clusters create consul \
  --cluster-version 1.11.2-gke.9

The following clients must be installed on the machine used to follow this tutorial:

• consul 1.4.0-rc
• cfssl and cfssljson 1.2

Usage

Clone this repo:

git clone https://github.com/kelseyhightower/consul-on-kubernetes.git

Change into the consul-on-kubernetes directory:

cd consul-on-kubernetes

Generate TLS Certificates

RPC communication between each Consul member will be encrypted using TLS. Initialize a Certificate Authority (CA):

cfssl gencert -initca ca/ca-csr.json | cfssljson -bare ca

Create the Consul TLS certificate and private key:

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca/ca-config.json \
  -profile=default \
  ca/consul-csr.json | cfssljson -bare consul

At this point you should have the following files in the current working directory:

ca-key.pem
ca.pem
consul-key.pem
consul.pem

Generate the Consul Gossip Encryption Key

Gossip communication between Consul members will be encrypted using a shared encryption key. Generate and store an encrypt key:

GOSSIP_ENCRYPTION_KEY=$(consul keygen)

Create the Consul Secret and Configmap

The Consul cluster will be configured using a combination of CLI flags, TLS certificates, and a configuration file, which reference Kubernetes configmaps and secrets.

Store the gossip encryption key and TLS certificates in a Secret:

kubectl create secret generic consul \
  --from-literal="gossip-encryption-key=${GOSSIP_ENCRYPTION_KEY}" \
  --from-file=ca.pem \
  --from-file=consul.pem \
  --from-file=consul-key.pem

Store the Consul server configuration file in a ConfigMap:

kubectl create configmap consul --from-file=configs/server.json

Create the Consul Service

Create a headless service to expose each Consul member internally to the cluster:

kubectl create -f services/consul.yaml

Create the Consul Service Account

kubectl apply -f serviceaccounts/consul.yaml

kubectl apply -f clusterroles/consul.yaml

Create the Consul StatefulSet

Deploy a three (3) node Consul cluster using a StatefulSet:

kubectl create -f statefulsets/consul.yaml

Each Consul member will be created one by one. Verify each member is Running before moving to the next step.

kubectl get pods

NAME       READY     STATUS    RESTARTS   AGE
consul-0   1/1       Running   0          20s
consul-1   1/1       Running   0          20s
consul-2   1/1       Running   0          20s

Verification

At this point the Consul cluster has been bootstrapped and is ready for operation. To verify things are working correctly, review the logs for one of the cluster members.

kubectl logs consul-0

The consul CLI can also be used to check the health of the cluster. In a new terminal start a port-forward to the consul-0 pod.

kubectl port-forward consul-0 8500:8500

Forwarding from 127.0.0.1:8500 -> 8500
Forwarding from [::1]:8500 -> 8500

Run the consul members command to view the status of each cluster member.

consul members

Node      Address          Status  Type    Build     Protocol  DC   Segment
consul-0  10.32.2.8:8301   alive   server  1.4.0rc1  2         dc1  <all>
consul-1  10.32.1.7:8301   alive   server  1.4.0rc1  2         dc1  <all>
consul-2  10.32.0.13:8301  alive   server  1.4.0rc1  2         dc1  <all>

Accessing the Web UI

The Consul UI does not support any form of authentication out of the box so it should not be exposed. To access the web UI, start a port-forward session to the consul-0 Pod in a new terminal.

kubectl port-forward consul-0 8500:8500

Visit http://127.0.0.1:8500 in your web browser.

Cleanup

Run the cleanup script to remove the Kubernetes resources created during this tutorial:

bash cleanup