Consul-Kubernetes

Hey @antonyaugustus,

Thanks for creating this topic and welcome to the discussion forum!

You don’t need to manually pass tokens for Connect. The connect injector uses Consul’s Kubernetes auth method to retrieve individual service tokens before the container starts up. What you need to do is the following:

  1. Create a Kubernetes service account to be used for the auth method. You could take a look at how we’re doing it in the Helm chart:
     - ServiceAccount
     - ClusterRole
     - ClusterRoleBinding
  2. Create an ACL auth method to be used by the injector. For example, using the Consul CLI, here is the command you could use (you can get the CA cert and token contents from the service account secret created for the service account):

         consul acl auth-method create -type "kubernetes" \
             -name "my-k8s" \
             -description "This is an example kube method" \
             -kubernetes-host "https://<kubernetes service cluster IP>:443" \
             -kubernetes-ca-cert "@/path/to/kube.ca.crt" \
             -kubernetes-service-account-jwt "<jwt token contents of the service account from step 1>"

  3. Set the auth method name `connectInject.overrideAuthMethodName` as a value in the Helm chart and re-install. This should instruct the connect injector to now use this auth method to get the service token for each service that uses sidecar injection.

Hope this helps!
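The manual part of step 2 (pull the CA cert and JWT out of the service account's token secret and create the auth method), scripted as an added example that is not from the post above or from the Consul project. It assumes a cluster where the service account has a token secret (auto-generated on pre-1.24 clusters), `kubectl` and `consul` on PATH, and the CLI's `-kubernetes-ca-cert` flag with its `@file` form; names, addresses and secret names are placeholders. Before binding the token it decodes the JWT payload and checks that it really belongs to the injector's service account, so a token copied from the wrong secret is rejected rather than silently granted the injector's privileges.

```shell
#!/bin/sh
# Added example (not the post's or the Consul project's code): scripts the manual
# steps above. Assumes the injector's service account has a token secret
# (auto-generated on pre-1.24 clusters) and that kubectl and consul are on PATH;
# all names and addresses are placeholders.
set -eu

# Decode one base64 field (ca.crt or token) of a Kubernetes secret.
secret_field() {
  ns="$1"; secret="$2"; field="$3"
  kubectl -n "$ns" get secret "$secret" -o "jsonpath={.data.$field}" | base64 -d
}

# Service-account name a Kubernetes SA JWT claims, read from its payload
# (base64url, unpadded), so the wrong token is not bound into the method.
jwt_sa_name() {
  payload="$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')"
  case $(( ${#payload} % 4 )) in 2) payload="$payload==" ;; 3) payload="$payload=" ;; esac
  printf '%s' "$payload" | base64 -d \
    | sed -n 's|.*"kubernetes.io/serviceaccount/service-account.name":"\([^"]*\)".*|\1|p'
}

# Create the "kubernetes" auth method for the connect injector.
#   $1 method name, $2 Kubernetes API host, $3 namespace,
#   $4 token secret of the SA, $5 SA name the token must belong to.
create_k8s_auth_method() {
  name="$1"; kube_host="$2"; ns="$3"; secret="$4"; expect_sa="$5"
  jwt="$(secret_field "$ns" "$secret" token)"
  got_sa="$(jwt_sa_name "$jwt")"
  if [ "$got_sa" != "$expect_sa" ]; then
    echo "refusing: token belongs to '$got_sa', expected '$expect_sa'" >&2
    return 1
  fi
  ca_file="$(mktemp)"
  secret_field "$ns" "$secret" 'ca\.crt' > "$ca_file"
  consul acl auth-method create -type kubernetes \
    -name "$name" \
    -description "Connect injector auth method (added example)" \
    -kubernetes-host "$kube_host" \
    -kubernetes-ca-cert "@$ca_file" \
    -kubernetes-service-account-jwt "$jwt"
  rm -f "$ca_file"
}

# Usage: sh create-method.sh my-k8s https://<cluster IP>:443 consul <secret> <sa>
if [ "$#" -eq 5 ]; then create_k8s_auth_method "$@"; fi
```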