Hello,
I’ve installed Consul & Vault by using Helm charts.
How can I check Vault connects to Consul directly or through Consul Client?
Regards
AFAIK, consul servers do not accept non-server connections, all communication goes through a client. You could install the consul server/client on the same machine and remotely connect to the client process from vault on another server, but why? The client process is tiny and doesn’t add any overhead.
Hello,
Thanks for the reply and explanation @aram
My system consists of the following pods:
$ k get po -n vault
NAME                                   READY   STATUS    RESTARTS   AGE
vault-0                                1/1     Running   0          26d
vault-1                                1/1     Running   0          26d
vault-agent-injector-6dc4b9d657-nvmt7  1/1     Running   0          26d
$ k get po -n consul
NAME                    READY   STATUS    RESTARTS   AGE
consul-consul-4pcj4     1/1     Running   0          26d
consul-consul-l6dfx     1/1     Running   0          26d
consul-consul-server-0  1/1     Running   1          26d
consul-consul-server-1  1/1     Running   1          26d
$
I cannot see “client”, did I miss something? Or does my Vault connect to Consul without client?
Thanks & Regards
Clients do not run as pods; exec into the consul pod and type consul members. You should see the client if they have agents installed.
Sorry @tsiamer, what do you mean?
Sorry, I didn’t realize this was kubs. No matter, the easiest way to see where the backend of vault is, is via vault status:
# vault status
Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    7
Threshold                3
Version                  1.9.1
Storage Type             consul <<
I think @tsiamer means, run:
# kubectl exec -it consul-consul-server-0 -n consul -- consul members
I’m using VMs, but my output is:
Node                    Address             Status  Type    Build   Protocol  DC                  Segment
consul-server-01        192.168.1.89:8301   alive   server  1.10.4  2         basement-consul-dc  <all>
consul-client-vault-01  192.168.1.80:8301   alive   client  1.10.4  2         basement-consul-dc  <default>
You can see I have 1 server and 1 client.
Hello,
This is what my Vault looks like:
/ $ vault status
Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3
Version                  1.8.4
Storage Type             consul
Cluster Name             vault-cluster-de5ea136
Cluster ID               1f81addd-8f62-d0e0-166c-0a9c05810942
HA Enabled               true
HA Cluster               https://vault-0.vault-internal:8201
HA Mode                  active
Active Since             2021-11-23T22:50:14.577186902Z
If there is a backend, may we assume there is a client?
Regards
I meant you don't see clients by just running kubectl pods, you have to:
kubectl exec -it consul-consul-server-0 -n consul -- /bin/sh
then run:
consul members
you should see something like this:
Node    Address         Status  Type    Build   Protocol  DC    Segment
consul  xxxxxxxxx:8301  alive   server  1.10.5  2         test
vault0  xxxxx:8301      alive   client  1.10.5  2         test
It depends on how you deployed the chart. The pods seem to be running and ready, so there is no issue connecting to storage. I'm not familiar with k8s vault consul deployment.
thank you @tsiamer it’s ok now; I see…
Good to know. Thanks
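An added example, not part of the thread: vault status only reports that the storage type is consul, so this sketch matches the address Vault is configured to use against the Type column of consul members to tell whether that agent is a client or a server. It assumes the address is the value of the address setting in Vault's storage "consul" stanza and that it is the same IP the agent advertises (as in the VM output posted above); the function name agent_type and the MEMBERS variable are hypothetical.

```shell
#!/bin/sh
# Sample input: the `consul members` output posted in the thread (VM setup).
MEMBERS='Node                    Address             Status  Type    Build   Protocol  DC                  Segment
consul-server-01        192.168.1.89:8301   alive   server  1.10.4  2         basement-consul-dc  <all>
consul-client-vault-01  192.168.1.80:8301   alive   client  1.10.4  2         basement-consul-dc  <default>'

# agent_type MEMBERS_TEXT STORAGE_ADDR   (hypothetical helper)
# Prints "client", "server" or "unknown" for the live agent whose IP
# matches the host part of STORAGE_ADDR.
agent_type() {
    host=${2#*://}    # drop an optional scheme such as http://
    host=${host%:*}   # drop the port: Vault uses the HTTP API port,
                      # the members table lists the gossip port
    printf '%s\n' "$1" | awk -v host="$host" '
        NR == 1 { next }                      # skip the header row
        { split($2, a, ":") }                 # a[1] is the member IP
        a[1] == host && $3 == "alive" { print $4; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Address taken from the storage stanza (constructed value for this sample).
agent_type "$MEMBERS" "192.168.1.80:8500"
```

A loopback address or a hostname does not appear in the members table, so it returns unknown and has to be resolved on the Vault host itself.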