2019-12-19 02:02:26 +00:00
---
2020-04-07 18:55:19 +00:00
layout: docs
2022-09-23 21:11:23 +00:00
page_title: Join External Servers to Consul on Kubernetes
description: >-
Client agents that run on Kubernetes pods can join existing clusters whose server agents run outside of k8s. Learn how to expose gossip ports and bootstrap ACLs by configuring the Helm chart.
2019-12-19 02:02:26 +00:00
---
2022-09-23 21:11:23 +00:00
# Join External Servers to Consul on Kubernetes
2019-12-19 02:02:26 +00:00
2022-03-15 23:13:58 +00:00
If you have a Consul cluster already running, you can configure your
2022-11-18 17:33:02 +00:00
Consul on Kubernetes installation to join this existing cluster.
2022-03-15 23:13:58 +00:00
2022-09-09 20:56:33 +00:00
The below `values.yaml` file shows how to configure the Helm chart to install
2022-11-18 17:33:02 +00:00
Consul so that it joins an existing Consul server cluster.
2022-03-15 23:13:58 +00:00
The `global.enabled` value first disables all chart components by default
so that each component is opt-in. This allows us to _only_ setup the client
agents. We then opt-in to the client agents by setting `client.enabled` to
`true`.
2022-11-18 17:33:02 +00:00
Next, configure `externalServers` to point it to Consul servers.
The `externalServers.hosts` value must be provided and should be set to a DNS, an IP,
or an `exec=` string with a command returning Consul IPs. Please see [this documentation](https://github.com/hashicorp/go-netaddrs)
on how the `exec=` string works.
Other values in the `externalServers` section are optional. Please refer to
2023-01-25 16:52:43 +00:00
[Helm Chart configuration](/consul/docs/k8s/helm#h-externalservers) for more details.
2019-12-19 02:02:26 +00:00
2022-09-09 20:56:33 +00:00
<CodeBlockConfig filename="values.yaml">
2021-07-31 01:37:33 +00:00
2019-12-19 02:02:26 +00:00
```yaml
global:
enabled: false
2022-11-18 17:33:02 +00:00
externalServers:
hosts: [<consul server DNS, IP or exec= string>]
2019-12-19 02:02:26 +00:00
```
2021-07-31 01:37:33 +00:00
</CodeBlockConfig>
2022-11-18 17:33:02 +00:00
**Note:** To join Consul on Kubernetes to an existing Consul server cluster running outside of Kubernetes,
2023-01-25 16:52:43 +00:00
refer to [Consul servers outside of Kubernetes](/consul/docs/k8s/deployment-configurations/servers-outside-kubernetes).
2020-05-11 18:26:10 +00:00
2022-11-18 17:33:02 +00:00
## Configuring TLS
2020-05-11 18:26:10 +00:00
2020-08-13 19:04:34 +00:00
-> **Note:** Consul on Kubernetes currently does not support external servers that require mutual authentication
for the HTTPS clients of the Consul servers, that is when servers have either
2022-03-18 10:46:58 +00:00
`tls.defaults.verify_incoming` or `tls.https.verify_incoming` set to `true`.
2023-01-25 16:52:43 +00:00
As noted in the [Security Model](/consul/docs/security#secure-configuration),
2020-08-13 19:04:34 +00:00
that setting isn't strictly necessary to support Consul's threat model as it is recommended that
all requests contain a valid ACL token.
2022-11-18 17:33:02 +00:00
If the Consul server has TLS enabled, you need to provide the CA certificate so that Consul on Kubernetes can communicate with the server. Save the certificate in a Kubernetes secret and then provide it in your Helm values, as demonstrated in the following example:
2020-05-11 18:26:10 +00:00
2022-09-09 20:56:33 +00:00
<CodeBlockConfig filename="values.yaml" highlight="2-8">
2021-07-31 01:37:33 +00:00
2020-05-11 18:26:10 +00:00
```yaml
global:
tls:
enabled: true
2022-11-18 17:33:02 +00:00
caCert:
secretName: <CA certificate secret name>
secretKey: <CA Certificate secret key>
2020-05-11 18:26:10 +00:00
externalServers:
enabled: true
2022-11-18 17:33:02 +00:00
hosts: [<consul server DNS, IP or exec= string>]
2020-05-11 18:26:10 +00:00
```
2021-07-31 01:37:33 +00:00
</CodeBlockConfig>
2022-11-18 17:33:02 +00:00
If your HTTPS port is different from Consul's default `8501`, you must also set
2020-05-11 18:26:10 +00:00
`externalServers.httpsPort`.
## Configuring ACLs
If you are running external servers with ACLs enabled, there are a couple of ways to configure the Helm chart
to help initialize ACL tokens for Consul clients and consul-k8s components for you.
### Manually Bootstrapping ACLs
2023-01-25 16:52:43 +00:00
If you would like to call the [ACL bootstrapping API](/consul/api-docs/acl#bootstrap-acls) yourself or if your cluster has already been bootstrapped with ACLs,
2020-05-11 18:26:10 +00:00
you can provide the bootstrap token to the Helm chart. The Helm chart will then use this token to configure ACLs
for Consul clients and any consul-k8s components you are enabling.
First, create a Kubernetes secret containing your bootstrap token:
```shell
kubectl create secret generic bootstrap-token --from-literal='token=<your bootstrap token>'
```
Then provide that secret to the Helm chart:
2022-09-09 20:56:33 +00:00
<CodeBlockConfig filename="values.yaml" highlight="4-6">
2021-07-31 01:37:33 +00:00
2020-05-11 18:26:10 +00:00
```yaml
global:
acls:
manageSystemACLs: true
bootstrapToken:
secretName: bootstrap-token
secretKey: token
```
2021-07-31 01:37:33 +00:00
</CodeBlockConfig>
2020-05-11 18:26:10 +00:00
The bootstrap token requires the following minimal permissions:
2020-05-11 21:15:59 +00:00
- `acl:write`
- `operator:write` if enabling Consul namespaces
- `agent:read` if using WAN federation over mesh gateways
2020-05-11 18:26:10 +00:00
Next, configure external servers. The Helm chart will use this configuration to talk to the Consul server's API
2023-01-25 16:52:43 +00:00
to create policies, tokens, and an auth method. If you are [enabling Consul Connect](/consul/docs/k8s/connect),
2020-05-11 18:26:10 +00:00
`k8sAuthMethodHost` should be set to the address of your Kubernetes API server
2023-01-25 16:52:43 +00:00
so that the Consul servers can validate a Kubernetes service account token when using the [Kubernetes auth method](/consul/docs/security/acl/auth-methods/kubernetes)
2020-05-11 18:26:10 +00:00
with `consul login`.
2022-09-09 20:56:33 +00:00
<CodeBlockConfig filename="values.yaml">
2021-07-31 01:37:33 +00:00
2020-05-11 18:26:10 +00:00
```yaml
externalServers:
enabled: true
2022-11-18 17:33:02 +00:00
hosts: [<consul server DNS, IP or exec= string>]
2020-05-11 21:15:59 +00:00
k8sAuthMethodHost: 'https://kubernetes.example.com:443'
2020-05-11 18:26:10 +00:00
```
2021-07-31 01:37:33 +00:00
</CodeBlockConfig>
2020-05-11 18:26:10 +00:00
Your resulting Helm configuration will end up looking similar to this:
2022-09-09 20:56:33 +00:00
<CodeBlockConfig filename="values.yaml">
2021-07-31 01:37:33 +00:00
2020-05-11 18:26:10 +00:00
```yaml
global:
enabled: false
acls:
manageSystemACLs: true
bootstrapToken:
secretName: bootstrap-token
secretKey: token
externalServers:
enabled: true
2022-11-18 17:33:02 +00:00
hosts: [<consul server DNS, IP or exec= string>]
2020-05-11 21:15:59 +00:00
k8sAuthMethodHost: 'https://kubernetes.example.com:443'
2020-05-11 18:26:10 +00:00
```
2021-07-31 01:37:33 +00:00
</CodeBlockConfig>
2020-05-11 18:26:10 +00:00
### Bootstrapping ACLs via the Helm chart
If you would like the Helm chart to call the bootstrapping API and set the server tokens for you, then the steps are similar.
The only difference is that you don't need to set the bootstrap token. The Helm chart will save the bootstrap token as a Kubernetes secret.
2022-09-09 20:56:33 +00:00
<CodeBlockConfig filename="values.yaml">
2021-07-31 01:37:33 +00:00
2020-05-11 18:26:10 +00:00
```yaml
global:
enabled: false
acls:
manageSystemACLs: true
externalServers:
enabled: true
2022-11-18 17:33:02 +00:00
hosts: [<consul server DNS, IP or exec= string>]
2020-05-11 21:15:59 +00:00
k8sAuthMethodHost: 'https://kubernetes.example.com:443'
2020-05-11 18:26:10 +00:00
```
2021-07-31 01:37:33 +00:00
</CodeBlockConfig>