Great news: HashiCorp Consul 1.3 with Envoy released!

User submission 256 2022-10-14


OCT 11 2018 MITCHELL HASHIMOTO

We are excited to announce the release of HashiCorp Consul 1.3. This release extends Consul to support Envoy as a proxy for Connect and enables automatic sidecar injection in Kubernetes for secure pod communication.

Connect enables secure service-to-service communication with automatic TLS encryption and identity-based authorization. Since the initial release of Connect in June, the Consul team has focused on hardening Connect in production and expanding platform integrations to enable a global service mesh. This release delivers major improvements in both categories: Envoy is a high-performance, feature-rich, and production-hardened proxy for Connect, and the Kubernetes integrations enable automatic secure pod communications across services both in and out of Kubernetes.

Configuring and Running Envoy

You can now define sidecars directly within an existing service definition and run Envoy with a single command. Consul automatically configures Envoy according to the service definition and runs it. The following command configures Envoy and executes it from your executable path:

$ consul connect envoy -sidecar-for=redis ...

Along with the local Consul agent, this is all that is necessary to run a sidecar proxy for any service on any platform. You don't need to run a multitude of related dependencies to use Connect. One Consul binary, one command, anywhere.

The redis service definition from the example above can now nest its associated sidecar. The sidecar service is itself a full service definition and can contain its own health checks, tags, and more. This is the same service definition model Consul users are familiar with. Sidecars are populated with reasonable defaults so many services will just have an empty sidecar definition.

service {
  name = "redis"
  port = 6379

  connect {
    sidecar_service {}
  }
}

The Envoy proxy also supports an advanced configuration option to pass arbitrary Envoy configuration. This can be used to manually configure features such as Layer 7 routing. We will be extending the support for more types of Envoy configuration later.

For development environments or systems that don't support Envoy, you can use the built-in proxy using a similarly simple command:

$ consul connect proxy -sidecar-for=redis ...

Connect supports heterogeneous proxy deployments: any two proxy implementations can communicate and any service instance can run any proxy implementation. This allows the operator to choose the correct proxy for the environment. We are working with partners to support more proxy solutions in the future.

Automatic Sidecars in Kubernetes

The Connect sidecar running Envoy can be automatically injected into pods in your Kubernetes cluster, making configuration for Kubernetes automatic.

For properly annotated pods, Envoy is automatically configured and started in the pod and can both accept and establish connections using Connect. This allows the pod to communicate with clients and dependencies exclusively over authorized and encrypted connections.

An example Redis server is shown below with Connect configured to accept inbound connections. Notice that the pod would still be fully functional without Connect. Minimal to zero modifications are required to pod specifications to enable Connect in Kubernetes.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
      annotations:
        "consul.hashicorp.com/connect-inject": "true"
    spec:
      containers:
        - name: redis
          image: "redis:4.0-alpine3.8"
          args: [ "--port", "6379" ]
          ports:
            - containerPort: 6379
              name: tcp

The next example deployment configures an open source Redis UI to connect to Redis via Connect. Notice that again only minimal modifications are necessary: the UI has to be configured to talk to a localhost port to connect through the proxy. The injector also injects environment variables into all containers to make this dynamic, such as REDIS_CONNECT_SERVICE_HOST and REDIS_CONNECT_SERVICE_PORT, though these aren't used in the example below.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-ui
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redis-ui
  template:
    metadata:
      labels:
        app: redis-ui
      annotations:
        "consul.hashicorp.com/connect-inject": "true"
        "consul.hashicorp.com/connect-service-upstreams": "redis:1234"
    spec:
      containers:
        - name: redis-ui
          image: rediscommander/redis-commander
          env:
            - name: REDIS_HOSTS
              value: "local:127.0.0.1:1234"
            - name: K8S_SIGTERM
              value: "1"
          ports:
            - name: http
              containerPort: 8081
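
The requirement that the application talk to a localhost port, rather than to the upstream service directly, can be checked before a manifest is applied. The following Python lint is an added example, not part of the original post or of Consul; it reads a Deployment that has already been parsed into a dict and reports pods that are not annotated for injection or whose env values never point at the local port named in the upstreams annotation. The helper names, the acceptance of comma-separated upstream entries, and the counter-example manifest are assumptions made for illustration.

```python
import re

INJECT = "consul.hashicorp.com/connect-inject"
UPSTREAMS = "consul.hashicorp.com/connect-service-upstreams"

def parse_upstreams(value):
    """'redis:1234' -> {'redis': 1234}. Comma-separated entries are accepted."""
    upstreams = {}
    for item in filter(None, (p.strip() for p in value.split(","))):
        name, _, port = item.partition(":")
        if not name or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"malformed upstream entry: {item!r}")
        upstreams[name] = int(port)
    return upstreams

def lint_deployment(dep):
    """Return a list of findings; an empty list means every check passed."""
    tmpl = dep["spec"]["template"]
    ann = tmpl["metadata"].get("annotations", {})
    if ann.get(INJECT) != "true":
        return ["pod template is not annotated for Connect injection"]
    try:
        upstreams = parse_upstreams(ann.get(UPSTREAMS, ""))
    except ValueError as exc:
        return [str(exc)]
    env_values = [e.get("value", "") for c in tmpl["spec"]["containers"]
                  for e in c.get("env", [])]
    findings = []
    for name, port in upstreams.items():
        # Heuristic: the app should dial the sidecar's local listener.
        local = re.compile(rf"(?:127\.0\.0\.1|localhost):{port}(?!\d)")
        if not any(local.search(v) for v in env_values):
            findings.append(f"upstream {name!r}: nothing points at localhost:{port}")
    return findings

def make_deployment(annotations, env):
    """Build the minimal slice of a Deployment that the lint reads (constructed)."""
    return {"spec": {"template": {
        "metadata": {"annotations": annotations},
        "spec": {"containers": [{"name": "redis-ui", "env": env}]}}}}

# The redis-ui manifest from this page, reduced to the fields that matter here.
GOOD = make_deployment(
    {INJECT: "true", UPSTREAMS: "redis:1234"},
    [{"name": "REDIS_HOSTS", "value": "local:127.0.0.1:1234"}])
# Constructed counter-example: the app dials the service directly, not the proxy.
BAD = make_deployment(
    {INJECT: "true", UPSTREAMS: "redis:1234"},
    [{"name": "REDIS_HOSTS", "value": "local:redis.default.svc:6379"}])
```

The env check is a heuristic: an application that reads the injected REDIS_CONNECT_SERVICE_HOST and REDIS_CONNECT_SERVICE_PORT variables at runtime will be flagged even though it is correctly configured.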

The Kubernetes Connect injector can be run within Kubernetes using the Helm chart. It also requires that every client agent has gRPC enabled for the Envoy proxies.

connectInject:
  enabled: true

client:
  grpc: true

To learn more, please see the full reference documentation on Connect sidecar injection on Kubernetes.

Next

Consul 1.3 with Envoy support and the Connect injector are available immediately. Installing the Connect injector process with the official Helm chart requires version 0.3.0 or later of the Consul Helm chart. To learn more about these features, please see the resources listed below:

Consul and Envoy
Consul Sidecar Service registration
Consul and Kubernetes Automatic Connect Sidecar

There are many more improvements planned for Consul in the coming months. We're improving Consul to support an easier-to-use and more expressive ACL system, powerful new UI features, simpler TLS configuration, and much more.
