A new platform for documentation and tutorials is launching soon.

We are migrating Consul documentation into HashiCorp Developer, our new developer experience.

Join Now
Type '/' to Search

»Uninstall Consul on Kubernetes

You can uninstall Consul using Helm commands or the Consul K8s CLI.

»Consul K8s CLI

Issue the consul-k8s uninstall command to remove Consul on Kubernetes. You can specify the installation name, namespace, and data retention behavior using the applicable options. By default, the uninstall preserves the secrets and PVCs that are provisioned by Consul on Kubernetes.

$ consul-k8s uninstall <OPTIONS>

$ consul-k8s uninstall <OPTIONS>

In the following example, Consul will be uninstalled and the data removed without prompting you to verify the operations:

$ consul-k8s uninstall -auto-approve=true -wipe-data=true

$ consul-k8s uninstall -auto-approve=true -wipe-data=true

Refer to the Consul K8s CLI reference topic for details.

»Helm commands

Run the helm uninstall and manually remove resources that Helm does not delete.

  1. Although the Helm chart automates the deletion of CRDs upon uninstall, sometimes the finalizers tied to those CRDs may not complete because the deletion of the CRDs rely on the Consul K8s controller running. Ensure that previously created CRDs for Consul on Kubernetes are deleted, so subsequent installs of Consul on Kubernetes on the same Kubernetes cluster do not get blocked.

    $ kubectl delete crd --selector app=consul

    $ kubectl delete crd --selector app=consul

  2. (Optional) If Consul is installed in a dedicated namespace, set the kubeConfig context to the consul namespace. Otherwise, subsequent commands will need to include --namespace consul.

    $ kubectl config set-context --current --namespace=consul

    $ kubectl config set-context --current --namespace=consul

  3. Run the helm uninstall <release-name> command and specify the release name you've installed Consul with, e.g.,:

    $ helm uninstall consul
release "consul" uninstalled

    $ helm uninstall consul
release "consul" uninstalled

  4. After deleting the Helm release, you need to delete the PersistentVolumeClaim's for the persistent volumes that store Consul's data. A bug in Helm prevents PVCs from being deleted. Issue the following commands:

    $ kubectl get pvc --selector="chart=consul-helm"
NAME                                   STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
data-default-hashicorp-consul-server-0   Bound    pvc-32cb296b-1213-11ea-b6f0-42010a8001db   10Gi       RWO            standard       17m
data-default-hashicorp-consul-server-1   Bound    pvc-32d79919-1213-11ea-b6f0-42010a8001db   10Gi       RWO            standard       17m
data-default-hashicorp-consul-server-2   Bound    pvc-331581ea-1213-11ea-b6f0-42010a8001db   10Gi       RWO            standard       17m

$ kubectl delete pvc --selector="chart=consul-helm"
persistentvolumeclaim "data-default-hashicorp-consul-server-0" deleted
persistentvolumeclaim "data-default-hashicorp-consul-server-1" deleted
persistentvolumeclaim "data-default-hashicorp-consul-server-2" deleted

    $ kubectl get pvc --selector="chart=consul-helm"
NAME                                   STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
data-default-hashicorp-consul-server-0   Bound    pvc-32cb296b-1213-11ea-b6f0-42010a8001db   10Gi       RWO            standard       17m
data-default-hashicorp-consul-server-1   Bound    pvc-32d79919-1213-11ea-b6f0-42010a8001db   10Gi       RWO            standard       17m
data-default-hashicorp-consul-server-2   Bound    pvc-331581ea-1213-11ea-b6f0-42010a8001db   10Gi       RWO            standard       17m

$ kubectl delete pvc --selector="chart=consul-helm"
persistentvolumeclaim "data-default-hashicorp-consul-server-0" deleted
persistentvolumeclaim "data-default-hashicorp-consul-server-1" deleted
persistentvolumeclaim "data-default-hashicorp-consul-server-2" deleted

    NOTE: This will delete all data stored in Consul and it can't be recovered unless you've taken other backups.

  5. If installing with ACLs enabled, you will need to then delete the ACL secrets:

    $ kubectl get secrets --field-selector="type=Opaque" | grep consul
consul-acl-replication-acl-token    Opaque                                1      41m
consul-bootstrap-acl-token          Opaque                                1      41m
consul-client-acl-token             Opaque                                1      41m
consul-connect-inject-acl-token     Opaque                                1      37m
consul-controller-acl-token         Opaque                                1      37m
consul-federation                   Opaque                                4      41m
consul-mesh-gateway-acl-token       Opaque                                1      41m

    $ kubectl get secrets --field-selector="type=Opaque" | grep consul
consul-acl-replication-acl-token    Opaque                                1      41m
consul-bootstrap-acl-token          Opaque                                1      41m
consul-client-acl-token             Opaque                                1      41m
consul-connect-inject-acl-token     Opaque                                1      37m
consul-controller-acl-token         Opaque                                1      37m
consul-federation                   Opaque                                4      41m
consul-mesh-gateway-acl-token       Opaque                                1      41m

  6. Ensure that the secrets you're about to delete are all created by Consul and not created by another user with the word consul.

    $ kubectl get secrets --field-selector="type=Opaque" | grep consul | awk '{print $1}' | xargs kubectl delete secret
secret "consul-acl-replication-acl-token" deleted
secret "consul-bootstrap-acl-token" deleted
secret "consul-client-acl-token" deleted
secret "consul-connect-inject-acl-token" deleted
secret "consul-controller-acl-token" deleted
secret "consul-federation" deleted
secret "consul-mesh-gateway-acl-token" deleted
secret "consul-gossip-encryption-key" deleted

    $ kubectl get secrets --field-selector="type=Opaque" | grep consul | awk '{print $1}' | xargs kubectl delete secret
secret "consul-acl-replication-acl-token" deleted
secret "consul-bootstrap-acl-token" deleted
secret "consul-client-acl-token" deleted
secret "consul-connect-inject-acl-token" deleted
secret "consul-controller-acl-token" deleted
secret "consul-federation" deleted
secret "consul-mesh-gateway-acl-token" deleted
secret "consul-gossip-encryption-key" deleted

  7. If installing with tls.enabled then, run the following commands to delete the ServiceAccount left behind:

    $ kubectl get serviceaccount consul-tls-init
NAME              SECRETS   AGE
consul-tls-init   1         47m

    $ kubectl get serviceaccount consul-tls-init
NAME              SECRETS   AGE
consul-tls-init   1         47m

    $ kubectl delete serviceaccount consul-tls-init
serviceaccount "consul-tls-init" deleted

    $ kubectl delete serviceaccount consul-tls-init
serviceaccount "consul-tls-init" deleted

  8. (Optional) Delete the namespace (i.e. consul in the following example) that you have dedicated for installing Consul on Kubernetes.

    $ kubectl delete ns consul

    $ kubectl delete ns consul