In this blog we will show you how to use the Terraform Helm provider to deploy Consul on Google Kubernetes Engine using HashiCorp's official Helm chart. Consul will be installed with TLS and gossip key encryption. Helm charts are used for packaging applications on Kubernetes. These charts can be installed with the Helm tool, but for this blog we will use Terraform for provisioning.
I'm assuming a cluster is already deployed in GKE. First we will prepare self-signed TLS certificates and keys for Consul's use. We are using self-signed certificates here to keep things simple; in production you will likely want to load your own certificates issued by a CA you control.
Next we will store these certificates and keys as a Kubernetes secret, and later we will expose them to Consul.
Now we will generate a random key for gossip encryption and store it as a Kubernetes secret as well.
At this stage the certificates and keys are ready for TLS and gossip encryption. Next, we will create a separate service account for Helm's use and bind the cluster-admin role to the new SA. The reason for this is that the default service account used by Terraform has permission issues which make the Helm chart fail.
Helm is now all set up. Download the Consul Helm chart here into an appropriate location. We will now customize the Consul Helm chart as per our requirements.
We have set some of the parameters inside the resource definition; a description of each of these parameters is available in the default values.yaml file that comes with the Consul Helm chart. The remaining parameters are defined in a separate file, consul_values.yaml.
In the above config we have defined "extraVolumes", which are set to the Kubernetes secrets created at the start for TLS and gossip encryption. These volumes are exposed to Consul under the path '/consul/userconfig/'.
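The resources described above, written out as an added example that is not the post's original code. It assumes the tls (>= 4.0), random, kubernetes and helm providers are already configured against the GKE cluster, that the chart has been unpacked to a hypothetical ./consul-helm directory, and that consul_values.yaml carries the extraVolumes definitions; the Helm service account step is left out.

```hcl
# Added example; provider configuration and the Helm SA are assumed to exist.
# Self-signed CA for Consul RPC TLS (in production, bring your own CA).
resource "tls_private_key" "consul_ca" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

resource "tls_self_signed_cert" "consul_ca" {
  private_key_pem       = tls_private_key.consul_ca.private_key_pem
  is_ca_certificate     = true
  validity_period_hours = 8760
  allowed_uses          = ["cert_signing", "key_encipherment", "digital_signature"]
  subject { common_name = "Consul Agent CA" }
}

# Store the CA cert and key in a Secret; Terraform base64-encodes `data` itself.
resource "kubernetes_secret" "consul_ca" {
  metadata { name = "consul-ca" }
  data = {
    "tls.crt" = tls_self_signed_cert.consul_ca.cert_pem
    "tls.key" = tls_private_key.consul_ca.private_key_pem
  }
}

# 32 random bytes, base64 encoded, is the format Consul expects for `encrypt`.
resource "random_id" "gossip_key" {
  byte_length = 32
}

resource "kubernetes_secret" "consul_gossip" {
  metadata { name = "consul-gossip-key" }
  data     = { key = random_id.gossip_key.b64_std }
}

# Install the chart from the unpacked directory (hypothetical path); the
# values file mounts the two Secrets under /consul/userconfig/ via extraVolumes.
resource "helm_release" "consul" {
  name   = "consul"
  chart  = "./consul-helm"
  values = [file("${path.module}/consul_values.yaml")]

  set {
    name  = "global.gossipEncryption.secretName"
    value = kubernetes_secret.consul_gossip.metadata[0].name
  }
  set {
    name  = "global.gossipEncryption.secretKey"
    value = "key"
  }
  depends_on = [kubernetes_secret.consul_ca]
}
```

Because both private keys end up in Terraform state, store that state in a locked, access-controlled backend rather than on a workstation.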
Now the Terraform code is ready to deploy. Use the terraform plan command to review all the planned changes, then issue terraform apply to deploy Consul. After Terraform has finished making all the changes, kubectl can be used to review the deployment.
Consul member status can also be checked using the command mentioned below.
If the Helm tool is installed locally, the status of the newly deployed Helm chart can also be verified using the command mentioned below.
Helm makes it really easy to deploy and manage applications on Kubernetes, as we just observed in the case of the Consul deployment. In order to make this deployment production-grade we have secured Consul communication by enabling end-to-end TLS for RPC and symmetric key encryption for the gossip protocol. This makes it possible to run Consul on untrusted networks and other shared hosting providers. We have also enabled ACLs with default deny to secure the UI, API, CLI, service and agent communications.