Consul 1.9 now provides OpenShift support for Kubernetes deployments with a secure-by-default configuration.
As part of the Consul 1.9 release, we are pleased to introduce support for RedHat OpenShift v4 for Consul on Kubernetes. Using the Consul Helm chart, we now provide the capability to easily deploy Consul Enterprise onto OpenShift to provide OpenShift users an enterprise-grade multi-cluster service networking experience.
RedHat OpenShift is a leading enterprise container platform that provides a secure by default experience for container deployments. Historically, RedHat has been one of the most active contributors to Kubernetes and has spearheaded efforts such as RBAC for Kubernetes. In addition, many features within OpenShift have influenced Kubernetes, such as Pod Security Policies which is inspired by OpenShift’s Security Context Constraints.
One of the main advantages that Consul provides is that it is designed to be deployed as a multi-platform and multi-cluster service mesh. For Kubernetes, Consul provides an easy install mechanism using Helm to quickly deploy a new Consul Server Mesh onto an existing Kubernetes cluster for a variety of different deployment models. In addition to deploying both servers and clients on Kubernetes, Consul can be deployed so that Consul servers can be hosted externally and only clients deployed onto Kubernetes. Federation is also designed with multiple platforms in mind, as federation models are provided to easily bridge multiple Kubernetes clusters together, or bridge Kubernetes clusters with VMs.
With the introduction of Helm3, Helm no longer requires a server-side process called Tiller to be installed on Kubernetes. OpenShift v4.4 and above now also supports Helm3 GA and includes Helm by default as part of the installation. Consul Kubernetes now supports installing Consul on Kubernetes securely onto OpenShift using Security Context Constraints, and also ensures that OpenShift users can run Consul containers as non-root. This provides an easy out of the box and secure experience for users of OpenShift, that previously required extensive customizations to our Helm Chart.
First, to install Consul on OpenShift you will need to create a new OpenShift project. Creating a new project creates a Kubernetes namespace for Consul under-the-hood.
$ oc new-project consul
Next, let’s add the HashiCorp Helm releases repository so that you can install Consul Kubernetes via the Official Helm repository.
$ helm repo add hashicorp https://helm.releases.hashicorp.com
After adding the HashiCorp Helm releases repository, you can install the Helm chart into the Consul project. You can do so by either enabling OpenShift through the set override flags, or through the Helm values config file.
$ helm install consul hashicorp/consul \ --namespace consul \ --set global.name=consul \ --set global.openshift.enabled=true
You can also enable OpenShift support by setting the
global.openshift.enabled to true in the Helm values file, and then running Helm install.
global: openshift: enabled: true
Consul for Kubernetes can also be configured to allow external Consul servers to connect to a remote Kubernetes cluster. With OpenShift, the Consul cluster can also run externally so that it can be managed outside of OpenShift. HashiCorp Consul Service on Azure and HashiCorp Cloud Platform on AWS are managed offerings of Consul where you can host your Consul Servers for Consul Clients deployed on Kubernetes. You can find how to get started with HashiCorp Cloud Platform on AWS via a Learn tutorial here, and HashiCorp Consul Service on Azure here. Below is a snippet on how to enable external server support for Consul on Kubernetes as described in our docs:
global: tls: enabled: true enableAutoEncrypt: true externalServers: enabled: true hosts: - 'provider=my-cloud config=val ...'
RedHat OpenShift support is now available as of Consul Helm v0.25 and above. This will allow you to quickly deploy Consul on Kubernetes with the correct security settings that satisfy OpenShift’s requirements. Please go to our OpenShift Learn guide to find out more on how to get started with OpenShift.
This blog is a summary of HashiCorp activities at AWS re:Invent 2020.
Consul 1.9 is now generally available.
We will be organizing a HashiCraft Holidays Hackstravaganza where you and your fellow tinkerers can use your creativity to showcase one or more of our products in creative and unexpected ways.