Consul Dataplane runs as a separate binary controlled with the `consul-dataplane` CLI command. Learn how to use this command to configure your dataplane on Kubernetes with this reference guide and example code.
The `consul-dataplane` command interacts with the binary for [simplified service mesh with Consul Dataplane](/consul/docs/k8s/dataplane/index). Use this command to install Consul Dataplane, configure its Envoy proxies, and secure Dataplane deployments.
The following options are required when starting `consul-dataplane` with the CLI:
- `-addresses`
- `-service-node-name`
- `-proxy-service-id`
### Command Options
- `-addresses` - Consul server gRPC addresses. Can be a DNS name or an executable command. Refer to [go-netaddrs](https://github.com/hashicorp/go-netaddrs#summary) for details and examples.
- `-ca-certs` - The path to a file or directory containing CA certificates used to verify the server's certificate.
- `-credential-type` - The type of credentials used to authenticate with Consul servers, either `"static"` or `"login"`.
- `-envoy-admin-bind-address` - The address the Envoy admin server is available on. Default is `"127.0.0.1"`.
- `-envoy-admin-bind-port` - The port the Envoy admin server is available on. Default is `19000`.
- `-envoy-concurrency` - The number of worker threads that Envoy uses. Default is `2`.
- `-envoy-ready-bind-address` - The address Envoy's readiness probe is available on.
- `-grpc-port` - The Consul server gRPC port to which consul-dataplane connects. Default is `8502`.
- `-log-json` - Enables log messages in JSON format. Default is `false`.
- `-log-level` - Log level of the messages to print. Available log levels are `"trace"`, `"debug"`, `"info"`, `"warn"`, and `"error"`. Default is `"info"`.
- `-login-auth-method` - The auth method used to log in.
- `-login-bearer-token` - The bearer token presented to the auth method.
- `-login-bearer-token-path` - The path to a file containing the bearer token presented to the auth method.
- `-login-datacenter` - The datacenter containing the auth method.
- `-login-meta` - A set of key/value pairs to attach to the ACL token. Each pair is formatted as `<key>=<value>`. This flag may be passed multiple times.
- `-proxy-service-id` - The proxy service instance's ID.
- `-server-watch-disabled` - Prevent `consul-dataplane` from consuming the server update stream. Use this flag when Consul servers are behind a load balancer. Default is `false`.
- `-static-token` - The ACL token used to authenticate requests to Consul servers when `-credential-type` is set to `"static"`.
- `-telemetry-use-central-config` - Controls whether the proxy applies the central telemetry configuration. Default is `true`.
- `-tls-cert` - The path to a client certificate file. This flag is required if `tls.grpc.verify_incoming` is enabled on the server.
- `-tls-disabled` - Communicate with Consul servers over a plaintext connection. Useful for testing, but not recommended for production. Default is `false`.
- `-tls-insecure-skip-verify` - Do not verify the server's certificate. Useful for testing, but not recommended for production. Default is `false`.
- `-tls-key` - The path to a client private key file. This flag is required if `tls.grpc.verify_incoming` is enabled on the server.
- `-tls-server-name` - The hostname to expect in the server certificate's subject. This flag is required if `-addresses` is not a DNS name.
- `-version` - Print the current version of `consul-dataplane`.
- `-xds-bind-addr` - The address the Envoy xDS server is available on. Default is `"127.0.0.1"`.
## Examples
### DNS
Consul Dataplane resolves a domain name to discover Consul server IP addresses.
The [`go-discover`](https://github.com/hashicorp/go-discover) binary is included in the `hashicorp/consul-dataplane` image for use with this mode of server discovery, which functions in
a way similar to [Cloud Auto-join](/consul/docs/install/cloud-auto-join). The
following example demonstrates how to use the `go-discover` binary with Consul Dataplane.