Consul Connect integration with Kubernetes

Reading Time: 5 minutes

Hello, Readers hope all are doing well and liked my previous blogs on various DevOps tools and practices. If you have not gone through these blogs you can click here for them. Now in this blog, we will be on the journey of understanding consul connect as service mesh and consul connect integration with Kubernetes.

So before we start our journey of consul Connect integration with Kubernetes we will first understand something about service mesh and its uses.

What is a Service Mesh?

Today, software applications are typically architected as distributed collections of microservices. Each collection of microservices performing some discrete business function in these architectures should have a dedicated infrastructure layer that allows you to transparently add capabilities like observability, traffic management, and security, without adding them to your own code. This can be achieved by a ‘service mesh’.

service mesh is a dedicated layer that provides secure service-to-service communication for on-prem, cloud, or multi-cloud infrastructure. Service meshes are often used in conjunction with the microservice architectural pattern, but can provide value in any scenario where complex networking is involved.

In a Kubernetes-based system as the size and complexity of deployment of microservices grows it requires some important functionality to manage it like discovery, load balancing, failure recovery, metrics, and monitoring. In this scenario, service comes into the picture.

For More Details: Click here

Features of service mesh

Features of service mesh are divided into three categories as listed below:

  • Traffic management: Dynamic service discovery, Routing, Traffic shadowing, and traffic splitting.
  • Security: Traffic encryption by mutual TLS (MTLS), Authentication through certificate validation, Authorization through access policies, and network segmentation.
  • Observability: Distributed tracing, and access logs.
Consul Connect integration with Kubernetes

When it comes to service mesh adoption, Consul connect is a well-known name for service mesh. Now we will go through the details of consul connect and consul connect integration with Kubernetes.

What is Consul Connect?

Consul is a multi-networking tool that offers a fully-featured service mesh solution that solves the networking and security challenges of operating microservices and cloud infrastructure (multi-cloud and hybrid cloud).

The adoption of microservices architectures and cloud infrastructure is requiring new approaches to networking. There are many vendors and tools, each attempting to solve the problem in different ways. The Consul service mesh solution makes no assumptions about the underlying network and uses a pure software approach with a focus on simplicity and broad compatibility.

Consul as service mesh simplifies service discovery in complex networking environments and streamlines deploying applications into a zero-trust network.

Architecture

The architecture of the consul mostly suits those applications that have requirements for strong network security. With Consul Connect you get an extra layer of security on top of the built-in security of a Cloud VPC. Consul Connect uses mutual TLS to automatically encrypt communications between containers.

In the image we have taken an example in the AWS EKS cluster, Consul agents are running in worker nodes. Agents connect to a central Consul server as task trackers that are running in the cluster. Consul agents discover the tasks also. Each task running in the cluster made up of an application container and a Consul Connect sidecar container. On startup, the Consul Connect sidecar registers the application container’s IP address into Consul via the Consul agent.

The Consul Connect sidecar configured as the local proxy provider. In this way, it serves as a secure network channel to another application container. Suppose, if Container A wants to talk to Container B then Consul Connect listens for traffic on a local port. When Container A opens a connection to that local port Consul Connect looks up the location of Container B and its sidecar proxy, then opens a secured TLS connection to Container B via its Consul Connect sidecar.

Installation of Consul Connect

Here, we are going to run consul connect directly in Kubernetes as both server and client mode. We can deploy consul connect in two ways:

We will go with the helm chart installation method.

Prerequisites:

  • Kubernetes Cluster
  • Helm 3

Let’s start the setup
First, we will add the consul connect Helm Repository:

helm repo add hashicorp https://helm.releases.hashicorp.com

helm search repo hashicorp/consul

Now, we will make a namespace with the name consul in the cluster

kubectl create namespace consul

Now, We will install the helm chart in the cluster

helm install consul hashicorp/consul --set global.name=consul --create-namespace -n consul --values config.yaml

Config.YAML file.

global:
  name: consul
connectInject:
  enabled: true
  default: true
  namespaceSelector: |
    matchLabels:
      connect-inject : enabled
controller:
  enabled: true

Enable Consul Service Mesh on namespaces in which we will deploy the test application, here we have deployed the test application in the default namespace.

Now we will restrict the enablement of a consul service mesh to a subset of namespaces by specifying a namespace selector that matches a label attached to each namespace denoting whether to enable a Consul service mesh. In order to default to enabling service mesh on select namespaces by label, the connect insect.default the value must be set to true. We are doing this because consul connect by default enables on each namespace.

kubectl label namespace default connect-inject=enabled

We have deployed a test application in default namespaces. In this image, we can see each pod of the test application are having 2 containers running which consul service mesh enabled in each microservices.

Consul UI

Now, we will check the consul UI. For this, we have to port-forward the consul server or we can attach a load balancer in cloud env. We can customize the consul connect UI for this we can refer below URL.

https://www.consul.io/docs/connect/observability/ui-visualization

kubectl port-forward service/consul-server -n consul 8500:8500

Conclusion

In the blog, we saw the importance of the Consul Connect service mesh in the Kubernetes cluster and how we can integrate it into the Kubernetes cluster. That’s pretty much it for this blog. In the upcoming blog on consul connect we will see how can we customize consul connect UI and more features of consul connect till then stay connected with us. If you have any feedback or queries, please do let me know in the comments. If you liked the article, please give me a thumbs up and I will keep writing blogs like this for you in the future as well.

Keep reading and Keep growing

Written by 

Abhishek Dwivedi is a DevOps Professional working in Knoldus Inc as Senior Software Consultant. Abhishek loves to juggle devops tools and learn everyday new things in new techonologies. He believes in by sharing knowledge we can gain more knowledge.

Leave a Reply