»Consul Clients Outside Kubernetes
Consul clients running on non-Kubernetes nodes can join a Consul cluster running within Kubernetes.
»Networking
Within one datacenter, Consul typically requires a fully connected network. This means the IPs of every client and server agent should be routable by every other client and server agent in the datacenter. Clients need to be able to gossip with every other agent and make RPC calls to servers. Servers need to be able to gossip with every other agent. See Architecture for more details.
Consul Enterprise customers may use network segments to enable non-fully-connected topologies. However, out-of-cluster nodes must still be able to communicate with the server pod or host IP addresses.
»Auto-join
The recommended way to join a cluster running within Kubernetes is to use the "k8s" cloud auto-join provider.
The auto-join provider dynamically discovers IP addresses to join using
the Kubernetes API. It authenticates with Kubernetes using a standard
kubeconfig file. This works with all major hosted Kubernetes offerings
as well as self-hosted installations. The token in the kubeconfig file
needs to have permissions to list pods in the namespace where Consul servers
are deployed.
The auto-join string below will join a Consul server cluster that is started using the official Helm chart:
$ consul agent -retry-join 'provider=k8s label_selector="app=consul,component=server"'
Note: This auto-join command only connects on the default gossip port 8301, whether you are joining on the pod network or via host ports. Either a consul server or client that is already a member of the datacenter should be listening on this port for the external client agent to be able to use auto-join.
»Auto-join on the Pod network
In the default Consul Helm chart installation, Consul clients and servers are routable only via their pod IPs for server RPCs and gossip (HTTP API calls to Consul clients can also be made through host IPs). This means any external client agents joining the Consul cluster running on Kubernetes would need to be able to have connectivity to those pod IPs.
In many hosted Kubernetes environments, you will need to explicitly configure your hosting provider to ensure that pod IPs are routable from external VMs. See Azure AKS CNI, AWS EKS CNI and GKE VPC-native clusters.
Given you have the official Helm chart installed with the default values, do the following to join an external client agent.
Make sure the pod IPs of the clients and servers in Kubernetes are routable from the VM and that the VM can access port 8301 (for gossip) and port 8300 (for server RPC) on those pod IPs.
Make sure that the client and server pods running in Kubernetes can route to the VM's advertise IP on its gossip port (default 8301).
Make sure you have the
kubeconfigfile for the Kubernetes cluster in$HOME/.kube/configon the external VM.On the external VM, run:
consul agent \ -advertise="$ADVERTISE_IP" \ -retry-join='provider=k8s label_selector="app=consul,component=server"' -bind=0.0.0.0 \ -hcl='leave_on_terminate = true' \ -hcl='ports { grpc = 8502 }' \ -config-dir=$CONFIG_DIR \ -datacenter=$DATACENTER \ -data-dir=$DATA_DIR \Check if the join was successful by running
consul members. Sample output:/ $ consul members Node Address Status Type Build Protocol DC Segment consul-consul-server-0 10.138.0.43:9301 alive server 1.9.1 2 dc1 <all> external-agent 10.138.0.38:8301 alive client 1.9.0 2 dc1 <default> gke-external-agent-default-pool-32d15192-grs4 10.138.0.43:8301 alive client 1.9.1 2 dc1 <default> gke-external-agent-default-pool-32d15192-otge 10.138.0.44:8301 alive client 1.9.1 2 dc1 <default> gke-external-agent-default-pool-32d15192-vo7k 10.138.0.42:8301 alive client 1.9.1 2 dc1 <default>
»Auto-join via host ports
If your external VMs can't connect to Kubernetes pod IPs, but they can connect to the internal host IPs of the nodes in the Kubernetes cluster, you have the option to expose the clients and server ports on the host IP instead.
Install the official Helm chart with the following values:
client: exposeGossipPorts: true # exposes client gossip ports as hostPorts server: exposeGossipAndRPCPorts: true # exposes the server gossip and RPC ports as hostPorts ports: # Configures the server gossip port serflan: # Note that this needs to be different than 8301, to avoid conflicting with the client gossip hostPort port: 9301This will expose the client gossip ports, the server gossip ports and the server RPC port at
hostIP:hostPort. Note thathostIPis the internal IP of the VM that the client/server pods are deployed on.Make sure the IPs of the Kubernetes nodes are routable from the VM and that the VM can access ports 8301 and 9301 (for gossip) and port 8300 (for server RPC) on those node IPs.
Make sure the client and server pods running in Kubernetes can route to the VM's advertise IP on its gossip port (default 8301).
Make sure you have the
kubeconfigfile for the Kubernetes cluster in$HOME/.kube/configon the external VM.On the external VM, run (note the addition of
host_network=truein the retry-join argument):consul agent \ -advertise="$ADVERTISE_IP" \ -retry-join='provider=k8s host_network=true label_selector="app=consul,component=server"' -bind=0.0.0.0 \ -hcl='leave_on_terminate = true' \ -hcl='ports { grpc = 8502 }' \ -config-dir=$CONFIG_DIR \ -datacenter=$DATACENTER \ -data-dir=$DATA_DIR \Check if the join was successful by running
consul members. Sample output:/ $ consul members Node Address Status Type Build Protocol DC Segment consul-consul-server-0 10.138.0.43:9301 alive server 1.9.1 2 dc1 <all> external-agent 10.138.0.38:8301 alive client 1.9.0 2 dc1 <default> gke-external-agent-default-pool-32d15192-grs4 10.138.0.43:8301 alive client 1.9.1 2 dc1 <default> gke-external-agent-default-pool-32d15192-otge 10.138.0.44:8301 alive client 1.9.1 2 dc1 <default> gke-external-agent-default-pool-32d15192-vo7k 10.138.0.42:8301 alive client 1.9.1 2 dc1 <default>
»Manual join
If you are unable to use auto-join, you can also follow the instructions in
either of the auto-join sections but instead of using a provider key in the
-retry-join flag, you would need to pass the address of at least one
consul server, e.g: -retry-join=$CONSUL_SERVER_IP:$SERVER_SERFLAN_PORT.
However, rather than hardcoding the IP, it's recommended to set up a DNS entry that would resolve to the consul servers' pod IPs (if using the pod network) or host IPs that the server pods are running on (if using host ports).
