Blog HCP Consul on Azure goes GA, plus more Consul news from HashiConf EU Read more
  • Overview
    • Consul on Kubernetes
    • Control access with Consul API Gateway
    • Discover Services with Consul
    • Enforce Zero Trust Networking with Consul
    • Load Balancing with Consul
    • Manage Traffic with Consul
    • Multi-Platform Service Mesh with Consul
    • Network Infrastructure Automation with Consul
    • Observability with Consul
  • Enterprise
  • Tutorials
  • Docs
  • API
  • CLI
  • Community
GitHub
Download
Try HCP Consul
    • v1.12.x (latest)
    • v1.11.x
    • v1.10.x
    • v1.9.x
    • v1.8.x
    • Overview
      • Overview
      • What is a Service Mesh?
      • Overview
      • Chef, Puppet, etc.
      • Nagios
      • SkyDNS
      • SmartStack
      • Serf
      • Eureka
      • Istio
      • Envoy and Other Proxies
      • Custom Solutions
    • Overview
    • Manual Bootstrap
    • Consul Agent
    • Glossary
    • Required Ports
    • Bootstrapping a Datacenter
    • Cloud Auto-join
    • Server Performance
    • Kubernetes
  • API
  • Commands (CLI)
    • Register Services - Service Definitions
    • Find Services - DNS Interface
    • Monitor Services - Check Definitions
    • Overview
    • How Service Mesh Works
    • Configuration
      • Overview
      • Ingress Gateway
      • Mesh
      • Exported Services
      • Proxy Defaults
      • Service Defaults
      • Service Intentions
      • Service Resolver
      • Service Router
      • Service Splitter
      • Terminating Gateway
      • Overview
      • Envoy
      • Built-in Proxy
      • Proxy Integration
      • Managed (Deprecated)
      • Overview
      • Proxy Service Registration
      • Sidecar Service Registration
    • Service-to-service permissions - Intentions
    • Service-to-service permissions - Intentions (Legacy Mode)
    • Transparent Proxy
      • Overview
      • UI Visualization
      • Overview
      • Discovery Chain
    • Connectivity Tasks
    • Distributed Tracing
      • Overview
        • WAN Federation
        • Enabling Service-to-service Traffic Across Datacenters
        • Enabling Service-to-service Traffic Across Admin Partitions
      • Ingress Gateways
      • Terminating Gateways
      • What is Cluster Peering
      • Create and Manage Peering Connections
      • Cluster Peering on Kubernetes
    • Nomad
    • Kubernetes
      • Overview
      • Go Integration
      • Overview
      • Built-In CA
      • Vault
      • ACM Private CA
    • Develop and Debug
    • Security
    • Overview
    • Installation
    • Technical Specifications
    • Common Errors
    • Upgrades
    • Overview
    • Architecture
      • Installing Consul on Kubernetes
      • Installing Consul K8s CLI
        • Minikube
        • Kind
        • AKS (Azure)
        • EKS (AWS)
        • GKE (Google Cloud)
        • Red Hat OpenShift
        • Self Hosted Kubernetes
        • Consul Clients Outside Kubernetes
        • Consul Servers Outside Kubernetes
        • Single Consul Datacenter in Multiple Kubernetes Clusters
        • Consul Enterprise
        • Overview
        • Federation Between Kubernetes Clusters
        • Federation Between VMs and Kubernetes
        • Overview
        • Systems Integration
          • Overview
          • Bootstrap Token
          • Enterprise License
          • Gossip Encryption Key
          • Partition Token
          • Replication Token
          • Server TLS
          • Service Mesh Certificates
          • Snapshot Agent Config
          • Webhook Certificates
        • WAN Federation
      • Overview
      • Transparent Proxy
      • Ingress Gateways
      • Terminating Gateways
      • Ingress Controllers
      • Configuring a Connect CA Provider
      • Health Checks
        • Metrics
    • Service Sync
      • Overview
      • Upgrade An Existing Cluster to CRDs
    • Annotations and Labels
    • Consul DNS
      • Upgrading Consul on Kubernetes
      • Upgrading Consul K8s CLI
      • Uninstall
      • Certificate Rotation
      • Gossip Encryption Key Rotation
      • Configure TLS on an Existing Cluster
      • Common Error Messages
      • FAQ
    • Compatibility Matrix
    • Helm Chart Configuration
    • Consul K8s CLI Reference
    • Overview
    • Requirements
    • Task Resource Usage
      • Installation
      • Secure Configuration
      • Migrate Existing Tasks
      • Installation
      • Secure Configuration
      • ACL Controller
    • Architecture
    • Consul Enterprise
    • Configuration Reference
    • Overview
    • Register Lambda Functions
    • Invoke Lambda Functions
    • Overview
      • Installation
      • Requirements
      • Configure
      • Run Consul-Terraform-Sync
    • Architecture
      • Overview
      • Status
      • Tasks
      • Health
      • Overview
      • task
      • start
    • Configuration
    • Tasks
    • Terraform Modules
      • Overview
      • License
      • Terraform Cloud Driver
      • Overview
      • Terraform
      • Terraform Cloud
    • Compatibility
    • Consul KV
    • Sessions
    • Watches
    • Overview
      • General
      • CLI Reference
      • Configuration Reference
    • Configuration Entries
    • Telemetry
    • Sentinel
    • RPC
    • Overview
      • ACL System Overview
      • Tokens
      • Policies
      • Roles
      • Rules Reference
      • Legacy Mode
      • Token Migration
      • ACLs in Federated Datacenters
        • Overview
        • Kubernetes
        • JWT
        • OIDC
        • AWS IAM
    • Encryption
      • Overview
      • Core
      • Network Infrastructure Automation
    • Overview
    • Admin Partitions
    • Audit Logging
    • Automated Backups
    • Automated Upgrades
    • Enhanced Read Scalability
    • Single sign-on - OIDC
    • Redundancy Zones
    • Advanced Federation
    • Network Segments
    • Namespaces
    • NIA with TFE
    • Sentinel
      • Overview
      • FAQ
    • Overview
    • Improving Consul Resilience
    • Anti-Entropy
    • Consensus Protocol
    • Gossip Protocol
    • Jepsen Testing
    • Network Coordinates
    • Consul Integration Program
    • NIA Integration Program
    • Vault Integration
    • Proxy Integration
  • Consul Tools
    • Overview
    • Compatibility Promise
    • Specific Version Details
      • Overview
      • General Process
      • Upgrading to 1.2.4
      • Upgrading to 1.6.9
      • Upgrading to 1.8.13
      • Upgrading to 1.10.0
    • Common Error Messages
    • FAQ
    • Overview
      • v1.11.x
      • v1.10.x
      • v1.9.x
      • v0.3.x
      • v0.2.x
      • v0.1.x
      • v0.4.x
      • v0.3.x
      • v0.2.x
      • v0.6.x
      • v0.5.x
    • Overview
    • ACL
  • Guides
Type '/' to Search

»Uninstall Consul

You can uninstall Consul using Helm commands or the Consul K8s CLI.

»Consul K8s CLI

Issue the consul-k8s uninstall command to remove Consul on Kubernetes. You can specify the installation name, namespace, and data retention behavior using the applicable options. By default, the uninstall preserves the secrets and PVCs that are provisioned by Consul on Kubernetes.

$ consul-k8s uninstall <OPTIONS>
$ consul-k8s uninstall <OPTIONS>

In the following example, Consul will be uninstalled and the data removed without prompting you to verify the operations:

$ consul-k8s uninstall -auto-approve=true -wipe-data=true
$ consul-k8s uninstall -auto-approve=true -wipe-data=true

Refer to the Consul K8s CLI reference topic for details.

»Helm commands

Run the helm uninstall and manually remove resources that Helm does not delete.

  1. Although the Helm chart automates the deletion of CRDs upon uninstall, sometimes the finalizers tied to those CRDs may not complete because the deletion of the CRDs rely on the Consul K8s controller running. Ensure that previously created CRDs for Consul on Kubernetes are deleted, so subsequent installs of Consul on Kubernetes on the same Kubernetes cluster do not get blocked.

    $ kubectl delete crd --selector app=consul
    
    $ kubectl delete crd --selector app=consul
    
  2. (Optional) If Consul is installed in a dedicated namespace, set the kubeConfig context to the consul namespace. Otherwise, subsequent commands will need to include --namespace consul.

    $ kubectl config set-context --current --namespace=consul
    
    $ kubectl config set-context --current --namespace=consul
    
  3. Run the helm uninstall <release-name> command and specify the release name you've installed Consul with, e.g.,:

    $ helm uninstall consul
    release "consul" uninstalled
    
    $ helm uninstall consul
    release "consul" uninstalled
    
  4. After deleting the Helm release, you need to delete the PersistentVolumeClaim's for the persistent volumes that store Consul's data. A bug in Helm prevents PVCs from being deleted. Issue the following commands:

    $ kubectl get pvc --selector="chart=consul-helm"
    NAME                                   STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
    data-default-hashicorp-consul-server-0   Bound    pvc-32cb296b-1213-11ea-b6f0-42010a8001db   10Gi       RWO            standard       17m
    data-default-hashicorp-consul-server-1   Bound    pvc-32d79919-1213-11ea-b6f0-42010a8001db   10Gi       RWO            standard       17m
    data-default-hashicorp-consul-server-2   Bound    pvc-331581ea-1213-11ea-b6f0-42010a8001db   10Gi       RWO            standard       17m
    
    $ kubectl delete pvc --selector="chart=consul-helm"
    persistentvolumeclaim "data-default-hashicorp-consul-server-0" deleted
    persistentvolumeclaim "data-default-hashicorp-consul-server-1" deleted
    persistentvolumeclaim "data-default-hashicorp-consul-server-2" deleted
    
    $ kubectl get pvc --selector="chart=consul-helm"
    NAME                                   STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
    data-default-hashicorp-consul-server-0   Bound    pvc-32cb296b-1213-11ea-b6f0-42010a8001db   10Gi       RWO            standard       17m
    data-default-hashicorp-consul-server-1   Bound    pvc-32d79919-1213-11ea-b6f0-42010a8001db   10Gi       RWO            standard       17m
    data-default-hashicorp-consul-server-2   Bound    pvc-331581ea-1213-11ea-b6f0-42010a8001db   10Gi       RWO            standard       17m
    
    $ kubectl delete pvc --selector="chart=consul-helm"
    persistentvolumeclaim "data-default-hashicorp-consul-server-0" deleted
    persistentvolumeclaim "data-default-hashicorp-consul-server-1" deleted
    persistentvolumeclaim "data-default-hashicorp-consul-server-2" deleted
    

    NOTE: This will delete all data stored in Consul and it can't be recovered unless you've taken other backups.

  5. If installing with ACLs enabled, you will need to then delete the ACL secrets:

    $ kubectl get secrets --field-selector="type=Opaque" | grep consul
    consul-acl-replication-acl-token    Opaque                                1      41m
    consul-bootstrap-acl-token          Opaque                                1      41m
    consul-client-acl-token             Opaque                                1      41m
    consul-connect-inject-acl-token     Opaque                                1      37m
    consul-controller-acl-token         Opaque                                1      37m
    consul-federation                   Opaque                                4      41m
    consul-mesh-gateway-acl-token       Opaque                                1      41m
    
    $ kubectl get secrets --field-selector="type=Opaque" | grep consul
    consul-acl-replication-acl-token    Opaque                                1      41m
    consul-bootstrap-acl-token          Opaque                                1      41m
    consul-client-acl-token             Opaque                                1      41m
    consul-connect-inject-acl-token     Opaque                                1      37m
    consul-controller-acl-token         Opaque                                1      37m
    consul-federation                   Opaque                                4      41m
    consul-mesh-gateway-acl-token       Opaque                                1      41m
    
  6. Ensure that the secrets you're about to delete are all created by Consul and not created by another user with the word consul.

    $ kubectl get secrets --field-selector="type=Opaque" | grep consul | awk '{print $1}' | xargs kubectl delete secret
    secret "consul-acl-replication-acl-token" deleted
    secret "consul-bootstrap-acl-token" deleted
    secret "consul-client-acl-token" deleted
    secret "consul-connect-inject-acl-token" deleted
    secret "consul-controller-acl-token" deleted
    secret "consul-federation" deleted
    secret "consul-mesh-gateway-acl-token" deleted
    secret "consul-gossip-encryption-key" deleted
    
    $ kubectl get secrets --field-selector="type=Opaque" | grep consul | awk '{print $1}' | xargs kubectl delete secret
    secret "consul-acl-replication-acl-token" deleted
    secret "consul-bootstrap-acl-token" deleted
    secret "consul-client-acl-token" deleted
    secret "consul-connect-inject-acl-token" deleted
    secret "consul-controller-acl-token" deleted
    secret "consul-federation" deleted
    secret "consul-mesh-gateway-acl-token" deleted
    secret "consul-gossip-encryption-key" deleted
    
  7. If installing with tls.enabled then, run the following commands to delete the ServiceAccount left behind:

    $ kubectl get serviceaccount consul-tls-init
    NAME              SECRETS   AGE
    consul-tls-init   1         47m
    
    $ kubectl get serviceaccount consul-tls-init
    NAME              SECRETS   AGE
    consul-tls-init   1         47m
    
    $ kubectl delete serviceaccount consul-tls-init
    serviceaccount "consul-tls-init" deleted
    
    $ kubectl delete serviceaccount consul-tls-init
    serviceaccount "consul-tls-init" deleted
    
  8. (Optional) Delete the namespace (i.e. consul in the following example) that you have dedicated for installing Consul on Kubernetes.

    $ kubectl delete ns consul
    
    $ kubectl delete ns consul
    
github logoEdit this page
IntroGuidesDocsCommunityPrivacySecurityBrandConsent Manager