Using Consul-Helm to create mTLS infrastructure.

Creating a consul service mesh using consul-helm.

Consul does many things, one of the things it does is to create mTLS tunnels between your microservices. Being an intrepid explorer I attempted to get consul connect working in Kubernetes using consul-helm. I hit several roadblocks along the way, and needed some help from the developers to get it working. This article explains how I got it to work, and hopefully make other peoples experience easier.


  • helm 3.0 installed on this machine
  • kubectl configured and pointed to the k8s cluster you want to test with.
  • These scripts will work on osx and linux as is. On a windows client just examine any of the simple scripts and run the appropriate commands.
  • git installed and able to clone projects from GitHub
  • I have only tested this with a 3 node cloud based k8s cluster. I’ve tested with AKS and will soon test AWS. I don’t think this is a project where testing on miniKube or MicroK8s has a lot of relevance. The default install of consul needs a cluster of machines (normally 3 minimum), so the compromises of running on miniKube seem too much.
  • The consul-helm requests 10gb storage on each server node by default. You will need to have sufficient storages on your nodes.
git clone
cd consul-inject-demo
git clone

PreReq: Create Kubernetes Cluster

Create a basic starter 3 node Kubernetes Cluster on your favorite cloud provider and get kubectl working against it.

az group create --name consulDemo --location westusaz aks create --resource-group consulDemo  --name consulDemo \
--kubernetes-version 1.15.7 --location westus \
--node-count 3 --generate-ssh-keys \
--node-osdisk-size 50 | tee clusterinfo.json
az aks get-credentials --resource-group consulDemo \
--name consulDemo

Running the Helm Chart

First clone the consul-helm chart.

#CD to git folder
cd consul-inject-demo
git clone
helm install consul -f values-standalone.yaml ./consul-helm
A Working Consul Installation
kubectl get secret consul-consul-bootstrap-acl-token -o json \
| jq -r '.data.token' | base64 -D

Starting the demonstration server

kubectl apply -f demo-server.yaml

The Service Definition
  • The Annotation “”: “true” explicitly tells consul-inject to expose this service. Depending on how you deployed consul-inject the default may be All-in, or Opt-in.
kubectl describe pods --selector=app=consul-inject-demo-server

Start the Client

kubectl apply -f demo-client.yaml




Cloud Architect and Automation specialist. Specializing in AWS, Hashicorp and DevOps.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Steve Dillon

Cloud Architect and Automation specialist. Specializing in AWS, Hashicorp and DevOps.