Service mesh solves the networking and security challenges of operating microservices and cloud infrastructure. Consul is a service mesh solution that offers a software-driven approach to routing and segmentation. It also brings additional benefits such as failure handling, retries, and network observability.
Consul "connect", HashiCorp's service mesh feature, provides service-to-service networking and security through connection authorization and encryption using mutual Transport Layer Security (mTLS). Applications deployed with the "connect" feature can use sidecar proxies in a service mesh configuration to establish TLS connections for inbound and outbound connections, without being aware of Consul at all.
This track of five guides will give you a basic introduction to Consul service mesh with a focus on Kubernetes deployments. You will learn how to deploy services in Kubernetes taking advantage of the features provided by Consul.
In this guide, you will learn about the service mesh features of Consul and prepare a Kubernetes cluster for your Consul deployment.
The guides in this track use Shipyard as the default environment. Even though the example commands and output are based on Shipyard, the same commands should work on any Kubernetes cluster.
Note: Consul is designed to be compatible with every Kubernetes flavor. If you have an existing Kubernetes cluster, or would like to use Minikube, you can still follow along with these guides.
To successfully complete the exercises in these guides, you will need:
- A Kubernetes cluster.
- Helm to deploy Consul.
- kubectl to interact with your Kubernetes cluster and deploy services.
If you decide to use Shipyard, you will also need Docker installed on your test machine.
»Discover Consul service mesh benefits
The adoption of microservices architectures and cloud infrastructure is offering new approaches to networking. There are many different vendors and tools, each attempting to solve the problem in different ways. The Consul service mesh solution makes no assumptions about the underlying network and uses a pure software approach with a focus on simplicity and broad compatibility.
Consul addresses the challenges of the new microservices architecture by providing service discovery and by allowing operators to deploy applications into a zero-trust network.
»Provide service discovery
When new versions of a service or application are constantly deployed and have to coexist with other instances of the same application, often running different versions, the ability to reflect changes in the service landscape in your network becomes crucial. Consul helps you by offering a service catalog, health checks, automatic load balancing, and geo-failover across multiple instances of the same service.
»Introduce zero-trust security model
The increasing complexity of deployment scenarios also puts a heavy burden on network security and exposes the limitations of any sort of manual configuration. Environments like Kubernetes, or cloud providers, where IP addresses change often or are unknown, add to the overall complexity of the configuration.
Under the hood, a service mesh is made up of proxies deployed locally alongside each service instance, which control network communication between their local instance and other services on the network. A per-service proxy sidecar transparently handles inbound and outbound service connections, automatically verifying and encrypting TLS connections between services.
Consul service mesh uses mutual TLS (mTLS) and will automatically generate and distribute the TLS certificates for every service in the mesh. The certificates are used for both:
- service identity verification
- service communication encryption
»Simplify application security
Once the service sidecar proxies are deployed, it is still necessary to authorize communication between services. Consul helps you secure service communication at the network level by enabling you to manage service-to-service communication permissions using intentions. Intentions define service-based access control for services in the Consul service mesh and are used to control which services are allowed or not allowed to establish connections.
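As an added example (not code from this guide or from HashiCorp), the script below renders a ServiceIntentions manifest that allows a single named source service to connect to a destination and denies every other source, applies it with kubectl, and then asks Consul how it would decide for two callers. It assumes the Consul Kubernetes integration that provides the consul.hashicorp.com/v1alpha1 ServiceIntentions custom resource is installed in the cluster, and the service names web, api and db are placeholders.

```shell
#!/bin/sh
# Added example, not from the guide: a default-deny intention for one destination
# service with a single allowed source. Service names are placeholders.
set -eu

# Render a ServiceIntentions manifest (consul.hashicorp.com/v1alpha1 CRD).
# $1 = destination service, $2 = the one source allowed to connect.
# Sources are evaluated in order, so the explicit allow precedes the wildcard deny.
render_intention() {
  dest="$1"
  src="$2"
  cat <<EOF
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: ${src}-to-${dest}
spec:
  destination:
    name: ${dest}
  sources:
    - name: ${src}
      action: allow
    - name: "*"
      action: deny
EOF
}

# Apply the rendered manifest to the cluster pointed at by KUBECONFIG.
apply_intention() {
  render_intention "$1" "$2" | kubectl apply -f -
}

# Ask Consul whether a connection from $1 to $2 would be allowed;
# the CLI prints "Allowed" or "Denied".
check_intention() {
  consul intention check "$1" "$2" || true
}

# Count the source entries in the rendered manifest (sanity check of the template).
count_sources() {
  render_intention "$1" "$2" | grep -c '^    - name:'
}

if [ "${1:-}" = "apply" ]; then
  apply_intention api web
  check_intention web api   # expected: Allowed
  check_intention db api    # expected: Denied
fi
```

Run it as `sh intention.sh apply` against a cluster with Consul installed. The wildcard deny is what turns the mesh into a zero-trust network: a new service gets no access to api until an explicit allow entry is added for it.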
»Consul platform compatibility
»First-class Kubernetes support
Consul offers first-class Kubernetes support by providing an official Helm chart for installing, configuring, and upgrading Consul on Kubernetes. The chart helps you automate the installation and configuration of Consul service mesh for Kubernetes.
»Platform agnostic and multi-cluster mesh
While offering a first-class integration with Kubernetes, Consul is also compatible with all architectures and cloud providers. The service catalog sync and auto-join features permit you to extend the boundaries of your Kubernetes cluster to include services running outside of Kubernetes.
»Set up a Kubernetes environment with Shipyard
Shipyard enables you to quickly deploy a local Kubernetes cluster. It runs on macOS, Linux, and Windows (with WSL). All applications, including Consul, run in Docker containers, so it only requires a recent version of Docker as a dependency.
You can configure Shipyard using blueprints. A blueprint is a scenario configuration which allows you to run cloud native applications on your computer with Docker. For this guide you will use the blueprint available in the default blueprint repository.
You can install Shipyard and run the blueprint with a single command. The entire process should last no more than a couple of minutes in modern systems.
    curl https://shipyard.run/apply | \
      bash -s github.com/shipyard-run/blueprints//learn-consul-service-mesh

    # ...
    Installing Shipyard to /usr/local/bin/shipyard
    # ...
    To remove Shipyard and all configuration use the command "shipyard uninstall"
    # ...
    Running configuration from: github.com/shipyard-run/blueprints//learn-consul-service-mesh
    # ...
    Set the following environment variables to interact with this blueprint.

    export KUBECONFIG="$HOME/.shipyard/config/k8s/kubeconfig.yaml"

    # ...

    # Kubernetes dashboard
    To access the Kubernetes dashboard visit the following location in your browser. Note authentication is disabled, press "Skip" when prompted:

    http://localhost:18443

    # Cleanup
    Run `shipyard delete` to cleanup all resources
Piping to bash is controversial as it prevents you from reading code that is about to run on your system. You can also install Shipyard by downloading the appropriate release from GitHub and copying the executable in your
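As an added example (not code from this guide or from the Shipyard project), the script below fetches the same installer to a file instead of piping it straight into bash, checks that what came back is actually a shell script, prints its SHA-256 so it can be compared with a value recorded from an earlier review, lets you read it, and only then runs it with the same blueprint argument as the one-liner. It assumes curl, mktemp and either sha256sum or shasum are available.

```shell
#!/bin/sh
# Added example, not from the guide: fetch the Shipyard installer to a file so it
# can be read and checked before anything is executed.
set -eu

INSTALLER_URL="https://shipyard.run/apply"
BLUEPRINT="github.com/shipyard-run/blueprints//learn-consul-service-mesh"

# Download the installer to a file instead of piping it into bash.
fetch_installer() {
  curl -fsSL "$INSTALLER_URL" -o "$1"
}

# Sanity check: non-empty and starting with a shell shebang, so an HTML error
# page or an empty response is never handed to the interpreter.
looks_like_shell_script() {
  [ -s "$1" ] || return 1
  head -n 1 "$1" | grep -q '^#!.*sh' || return 1
}

# SHA-256 of a file, using whichever tool the platform has.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Compare a downloaded file against a checksum recorded from an earlier review
# (the expected value is whatever you noted down; there is no fixed one here).
verify_sha256() {
  [ "$(file_sha256 "$1")" = "$2" ]
}

# Full flow: download, check, show the script, and only then run it.
install_shipyard() {
  tmp=$(mktemp)
  fetch_installer "$tmp"
  if ! looks_like_shell_script "$tmp"; then
    echo "unexpected installer content, not running it" >&2
    rm -f "$tmp"
    return 1
  fi
  echo "installer sha256: $(file_sha256 "$tmp")"
  ${PAGER:-less} "$tmp"        # read it before running it
  bash "$tmp" "$BLUEPRINT"     # the blueprint becomes $1 of the installer, as with "bash -s"
  rm -f "$tmp"
}

if [ "${1:-}" = "install" ]; then
  install_shipyard
fi
```

Run it as `sh install-shipyard.sh install`. Saving the checksum printed on a first, reviewed download and passing it to verify_sha256 on later machines gives you a simple way to notice when the hosted installer has changed since you last read it.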
In this guide you learned the basic concepts of a service mesh network and how Consul features can help you implement one in your environment.
In the next guide we will learn how to deploy Consul service mesh in a Kubernetes cluster using the Helm chart.