We are excited to announce the release of?HashiCorp Consul 1.3. This release extends Consul to support?Envoy?as a proxy for?Connect?and enables automatic sidecar injection in Kubernetes for secure pod communication.
Connect enables secure service-to-service communication with automatic TLS encryption and identity-based authorization. Since the initial?release of Connect in June, the Consul team has focused on hardening Connect in production and expanding platform integrations to enable a global service mesh. This release delivers major improvements in both categories: Envoy is a high-performance, feature-rich, and production hardened proxy for Connect. And the?Kubernetes integrations?enable automatic secure pod communications across services both in and out of Kubernetes.
You can now define sidecars directly within an existing service definition and run Envoy with a single command. Consul automatically configures Envoy according to the service definition and runs Envoy. This command configures and executes?envoy
?from your executable path.
$ consul connect envoy -sidecar-for=redis
...
Along with the local Consul agent, this is all that is necessary to run a sidecar proxy for any service on any platform. You don‘t need to run a multitude of related dependencies to use Connect. One Consul binary, one command, anywhere.
The?redis
?service definition from the example above can now nest its associated sidecar. The sidecar service is itself a full service definition and can contain its own health checks, tags, and more. This is the same service definition model Consul users are familiar with. Sidecars are populated with?reasonable defaults?so many services will just have an empty sidecar definition.
service {
name = "redis"
port = 6379
connect { sidecar_service {} }
}
The Envoy proxy also supports an advanced configuration option to pass arbitrary Envoy configuration. This can be used to manually configure features such as Layer 7 routing. We will be extending the support for more types of Envoy configuration later.
For development environments or systems that don‘t support Envoy, you can use the built-in proxy using a similarly simple command:
$ consul connect proxy -sidecar-for=redis
...
Connect supports heterogeneous proxy deployments: any two proxy implementations can communicate and any service instance can run any proxy implementation. This allows the operator to choose the correct proxy for the environment. We are working with partners to support more proxy solutions in the future.
The Connect sidecar running Envoy can be automatically injected into pods in your Kubernetes cluster, making configuration for Kubernetes automatic.
For properly annotated pods, Envoy is automatically configured and started in the pod and can both accept and establish connections using Connect. This allows the pod to communicate with clients and dependencies exclusively over authorized and encrypted connections.
An example Redis server is shown below with Connect configured to accept inbound connections. Notice that the pod would still be fully functional without Connect. Minimal to zero modifications are required to pod specifications to enable Connect in Kubernetes.
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis
spec:
replicas: 1
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
annotations:
"consul.hashicorp.com/connect-inject": "true"
spec:
containers:
- name: redis
image: "redis:4.0-alpine3.8"
args: [ "--port", "6379" ]
ports:
- containerPort: 6379
name: tcp
The next example deployment configures an open source Redis UI to connect to Redis via Connect. Notice that again only minimal modifications are necessary: the UI has to be configured to talk to a localhost port to connect through the proxy. The injector also injects environment variables into all containers to make this dynamic, such as?REDIS_CONNECT_SERVICE_HOST
?and?REDIS_CONNECT_SERVICE_PORT
, though these aren‘t used in the example below.
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis-ui
spec:
replicas: 1
selector:
matchLabels:
app: redis-ui
template:
metadata:
labels:
app: redis-ui
annotations:
"consul.hashicorp.com/connect-inject": "true"
"consul.hashicorp.com/connect-service-upstreams": "redis:1234"
spec:
containers:
- name: redis-ui
image: rediscommander/redis-commander
env:
- name: REDIS_HOSTS
value: "local:127.0.0.1:1234"
- name: K8S_SIGTERM
value: "1"
ports:
- name: http
containerPort: 8081
The Kubernetes Connect injector can be run within Kubernetes using the?Helm chart. It also requires that every client agent has gRPC enabled for the Envoy proxies.
connectInject:
enabled: true
client:
grpc: true
To learn more, please see the?full reference documentation on Connect sidecar injection on Kubernetes.
Consul 1.3 with Envoy support and the Connect injector are available immediately. Installing the Connect injector process with the?official Helm chart?requires version 0.3.0 or later of the Consul Helm chart. To learn more about these features, please see the resources listed below:
There are many more improvements planned for Consul in the coming months. We‘re improving Consul to support an easier to use and more expressive ACL system, powerful new UI features, simpler TLS configuration, and much more.
喜大普奔:HashiCorp Consul 1.3:Envoy发布!
原文:http://blog.51cto.com/13883466/2300309