Uninstall Consul

Uninstalling Consul requires running helm delete and then manually cleaning up some resources that Helm does not delete.

  1. First, run helm delete:

    1. $ helm delete hashicorp
    2. release "hashicorp" uninstalled

    If using Helm 2, run helm delete --purge hashicorp

  2. After deleting the Helm release, you need to delete the PersistentVolumeClaim‘s for the persistent volumes that store Consul’s data. These are not deleted by Helm due to a bug. To delete, run:

    1. $ kubectl get pvc -l chart=consul-helm
    2. NAME                                   STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
    3. data-default-hashicorp-consul-server-0   Bound    pvc-32cb296b-1213-11ea-b6f0-42010a8001db   10Gi       RWO            standard       17m
    4. data-default-hashicorp-consul-server-1   Bound    pvc-32d79919-1213-11ea-b6f0-42010a8001db   10Gi       RWO            standard       17m
    5. data-default-hashicorp-consul-server-2   Bound    pvc-331581ea-1213-11ea-b6f0-42010a8001db   10Gi       RWO            standard       17m
    7. $ kubectl delete pvc -l chart=consul-helm
    8. persistentvolumeclaim "data-default-hashicorp-consul-server-0" deleted
    9. persistentvolumeclaim "data-default-hashicorp-consul-server-1" deleted
    10. persistentvolumeclaim "data-default-hashicorp-consul-server-2" deleted

    NOTE: This will delete all data stored in Consul and it can’t be recovered unless you’ve taken other backups.

  3. If installing with ACLs enabled, you will need to then delete the ACL secrets:

  1. $ kubectl get secret | grep consul | grep Opaque
  2. consul-acl-replication-acl-token    Opaque                                1      41m
  3. consul-bootstrap-acl-token          Opaque                                1      41m
  4. consul-client-acl-token             Opaque                                1      41m
  5. consul-connect-inject-acl-token     Opaque                                1      37m
  6. consul-controller-acl-token         Opaque                                1      37m
  7. consul-federation                   Opaque                                4      41m
  8. consul-mesh-gateway-acl-token       Opaque                                1      41m

Ensure that the secrets you’re about to delete are all created by Consul and not created by someone else that happen to have the word consul.

  1. $ kubectl get secret | grep consul | grep Opaque | awk '{print $1}' | xargs kubectl delete secret
  2. secret "consul-acl-replication-acl-token" deleted
  3. secret "consul-bootstrap-acl-token" deleted
  4. secret "consul-client-acl-token" deleted
  5. secret "consul-connect-inject-acl-token" deleted
  6. secret "consul-controller-acl-token" deleted
  7. secret "consul-federation" deleted
  8. secret "consul-mesh-gateway-acl-token" deleted
  9. secret "consul-gossip-encryption-key" deleted

  1. If installing with controller.enabled then you will need to delete the webhook certificate:

    1. $ kubectl get secret consul-controller-webhook-cert
    2. NAME                             TYPE                DATA   AGE
    3. consul-controller-webhook-cert   kubernetes.io/tls   2      47m
    1. $ kubectl delete secret consul-controller-webhook-cert
    2. secret "consul-consul-controller-webhook-cert" deleted

  2. If installing with tls.enabled then there will be a ServiceAccount that is left behind:

    1. $ kubectl get serviceaccount consul-tls-init
    2. NAME              SECRETS   AGE
    3. consul-tls-init   1         47m
    1. $ kubectl delete serviceaccount consul-tls-init
    2. serviceaccount "consul-tls-init" deleted