Consul
Consul Dataplane CLI reference
The consul-dataplane command interacts with the binary for simplified service mesh with Consul Dataplane. Use this command to install Consul Dataplane, configure its Envoy proxies, and secure Dataplane deployments.
Usage
Usage: consul-dataplane [options]
Requirements
Consul Dataplane requires servers running Consul version v1.14+. To find a specific version of Consul, refer to HashiCorp's Official Release Channels.
Startup
The following options are required when starting consul-dataplane with the CLI:
Command Options
-addresses- Consul server gRPC addresses. Can be a DNS name or an executable command. Accepted environment variable isDP_CONSUL_ADDRESSES. Refer to go-netaddrs for details and examples.-ca-certs- The path to a file or directory containing CA certificates used to verify the server's certificate. Accepted environment variable isDP_CA_CERTS.-consul-dns-bind-addr- The address bound to the Consul DNS proxy. Default is"127.0.0.1". Accepted environment variable isDP_CONSUL_DNS_BIND_ADDR.-consul-dns-bind-port- The port that the Consul DNS proxy listens on. Default is-1, which disables the DNS proxy. Accepted environment variable isDP_CONSUL_DNS_BIND_PORT.-credential-type- The type of credentials used to authenticate with Consul servers, either"static"or"login". Accepted environment variable isDP_CREDENTIAL_TYPE.-envoy-admin-bind-address- The address the Envoy admin server is available on. Default is"127.0.0.1". Accepted environment variable isDP_ENVOY_ADMIN_BIND_ADDRESS.-envoy-admin-bind-port- The port the Envoy admin server is available on. Default is19000. Accepted environment variable isDP_ENVOY_ADMIN_BIND_PORT.-envoy-concurrency- The number of worker threads that Envoy uses. Default is2. Accepted environment variable isDP_ENVOY_CONCURRENCY.-envoy-ready-bind-address- The address Envoy's readiness probe is available on. Accepted environment variable isDP_ENVOY_READY_BIND_ADDRESS.-envoy-ready-bind-port- The port Envoy's readiness probe is available on. Accepted environment variable isDP_ENVOY_READY_BIND_PORT.-graceful-port- The port to serve HTTP endpoints for graceful operations. Accepted environment variable isDP_GRACEFUL_PORT.-graceful-shutdown-path- The HTTP path to serve the graceful shutdown endpoint. Accepted environment variable isDP_GRACEFUL_SHUTDOWN_PATH.-grpc-port- The Consul server gRPC port to whichconsul-dataplaneconnects. Default is8502. Accepted environment variable isDP_CONSUL_GRPC_PORT.-log-json- Enables log messages in JSON format. Default isfalse. Accepted environment variable isDP_LOG_JSON.-log-level- Log level of the messages to print. Available log levels are"trace","debug","info","warn", and"error". Default is"info". Accepted environment variable isDP_LOG_LEVEL.-login-auth-method- The auth method used to log in. Accepted environment variable isDP_CREDENTIAL_LOGIN_AUTH_METHOD.-login-bearer-token- The bearer token presented to the auth method. Accepted environment variable isDP_CREDENTIAL_LOGIN_BEARER_TOKEN.-login-bearer-token-path- The path to a file containing the bearer token presented to the auth method. Accepted environment variable isDP_CREDENTIAL_LOGIN_BEARER_TOKEN_PATH.-login-datacenter- The datacenter containing the auth method. Accepted environment variable isDP_CREDENTIAL_LOGIN_DATACENTER.-login-meta- A set of key/value pairs to attach to the ACL token. Each pair is formatted as<key>=<value>. This flag may be passed multiple times. Accepted environment variables areDP_CREDENTIAL_LOGIN_META{1..9}.-login-namespaceEnterprise - The Consul Enterprise namespace containing the auth method. Accepted environment variable isDP_CREDENTIAL_LOGIN_NAMESPACE.-login-partitionEnterprise - The Consul Enterprise partition containing the auth method. Accepted environment variable isDP_CREDENTIAL_LOGIN_PARTITION.-proxy-service-id- The proxy service instance's ID. Accepted environment variable isDP_PROXY_SERVICE_ID.-proxy-service-id-path- The path to a file containing the proxy service instance's ID. Accepted environment variable isDP_PROXY_SERVICE_ID_PATH.-server-watch-disabled- Preventconsul-dataplanefrom consuming the server update stream. Use this flag when Consul servers are behind a load balancer. Default isfalse. Accepted environment variable isDP_SERVER_WATCH_DISABLED.-service-namespaceEnterprise - The Consul Enterprise namespace in which the proxy service instance is registered. Accepted environment variable isDP_SERVICE_NAMESPACE.-service-node-id- The ID of the Consul node to which the proxy service instance is registered. Accepted environment variable isDP_SERVICE_NODE_ID.-service-node-name- The name of the Consul node to which the proxy service instance is registered. Accepted environment variable isDP_SERVICE_NODE_NAME.-service-partitionEnterprise - The Consul Enterprise partition in which the proxy service instance is registered. Accepted environment variable isDP_SERVICE_PARTITION.-shutdown-drain-listeners- Wait for proxy listeners to drain before terminating the proxy container. Accepted environment variable isDP_SHUTDOWN_DRAIN_LISTENERS.-shutdown-grace-period-seconds- Amount of time to wait after receiving a SIGTERM signal before terminating the proxy. Accepted environment variable isDP_SHUTDOWN_GRACE_PERIOD_SECONDS.-static-token- The ACL token used to authenticate requests to Consul servers when-credential-typeis set to"static". Accepted environment variable isDP_CREDENTIAL_STATIC_TOKEN.-telemetry-prom-ca-certs-path- The path to a file or directory containing CA certificates used to verify the Prometheus server's certificate. Accepted environment variable isDP_TELEMETRY_PROM_CA_CERTS_PATH.-telemetry-prom-cert-file- The path to the client certificate used to serve Prometheus metrics. Accepted environment variable isDP_TELEMETRY_PROM_CERT_FILE.-telemetry-prom-key-file- The path to the client private key used to serve Prometheus metrics. Accepted environment variable isDP_TELEMETRY_PROM_KEY_FILE.-telemetry-prom-merge-port- The local port used to serve merged Prometheus metrics. Default is20100. If your service instance uses the same default port, this flag must be set to a different port in order to avoid a port conflict. Accepted environment variable isDP_TELEMETRY_PROM_MERGE_PORT.-telemetry-prom-retention-time- The duration for Prometheus metrics aggregation. Default is1m0s. Accepted environment variable isDP_TELEMETRY_PROM_RETENTION_TIME. Refer toprometheus_retention_timefor details on setting this value.-telemetry-prom-scrape-path- The URL path where Envoy serves Prometheus metrics. Default is"/metrics". Accepted environment variable isDP_TELEMETRY_PROM_SCRAPE_PATH.-telemetry-prom-service-metrics-url- The URL where your service instance serves Prometheus metrics. If this is set, the metrics at this URL are included in Consul Dataplane's merged Prometheus metrics. Accepted environment variable isDP_TELEMETRY_PROM_SERVICE_METRICS_URL.-telemetry-use-central-config- Controls whether the proxy applies the central telemetry configuration. Default istrue. Accepted environment variable isDP_TELEMETRY_USE_CENTRAL_CONFIG.-tls-cert- The path to a client certificate file. This flag is required iftls.grpc.verify_incomingis enabled on the server. Accepted environment variable isDP_TLS_CERT.-tls-disabled- Communicate with Consul servers over a plaintext connection. Useful for testing, but not recommended for production. Default isfalse. Accepted environment variable isDP_TLS_DISABLED.-tls-insecure-skip-verify- Do not verify the server's certificate. Useful for testing, but not recommended for production. Default isfalse.DP_TLS_INSECURE_SKIP_VERIFY.-tls-key- The path to a client private key file. This flag is required iftls.grpc.verify_incomingis enabled on the server. Accepted environment variable isDP_TLS_KEY.-tls-server-name- The hostname to expect in the server certificate's subject. This flag is required if-addressesis not a DNS name. Accepted environment variable isDP_TLS_SERVER_NAME.-version- Print the current version ofconsul-dataplane.-xds-bind-addr- The address the Envoy xDS server is available on. Default is"127.0.0.1". Accepted environment variable isDP_XDS_BIND_ADDR.-xds-bind-port- The port on which the Envoy xDS server is available. Default is0. When set to0, an available port is selected at random. Accepted environment variable isDP_XDS_BIND_PORT.
Examples
DNS
Consul Dataplane resolves a domain name to discover Consul server IP addresses.
$ consul-dataplane -addresses my.consul.example.com
Executable Command
Consul Dataplane runs a script that, on success, returns one or more IP addresses separated by whitespace.
$ ./my-script.sh
172.20.0.1
172.20.0.2
172.20.0.3
$ consul-dataplane -addresses "exec=./my-script.sh"
Go Discover Nodes for Cloud Providers
The go-discover binary is included in the hashicorp/consul-dataplane image for use with this mode of server discovery, which functions in
a way similar to Cloud Auto-join. The
following example demonstrates how to use the go-discover binary with Consul Dataplane.
$ consul-dataplane -addresses "exec=discover -q addrs provider=aws region=us-west-2 tag_key=consul-server tag_value=true"
Static token
A static ACL token is passed to Consul Dataplane.
$ consul-dataplane -credential-type "static"` -static-token "12345678-90ab-cdef-0000-12345678abcd"
Auth method login
Consul Dataplane logs in to one of Consul's supported auth methods.
$ consul-dataplane -credential-type "login"
-login-auth-method <method> \
-login-bearer-token <token> \ ## Or -login-bearer-token-path
-login-datacenter <datacenter> \
-login-meta key1=val1 -login-meta key2=val2 \
Consul Servers Behind a Load Balancer
When Consul servers are behind a load balancer, you must pass -server-watch-disabled to Consul
Dataplane.
$ consul-dataplane -server-watch-disabled
By default, Consul Dataplane opens a server watch stream to a Consul server, which enables the server to inform Consul Dataplane of new or different Consul server addresses. However, if Consul Dataplane is connecting through a load balancer, then it must ignore the Consul server addresses that are returned from the server watch stream.