Consul offers teams more autonomy, introduces namespaces

Consul service mesh

A preview of HashiCorp’s service networking platform Consul 1.7 is now available, bringing namespaces and a new snapshot store to Enterprise users, while the rest will have to do with some Connect improvements.

Version 1.7 will be the first to allow Consul Enterprise customers to create isolated environments in shared clusters. Those namespaces are meant to help companies in following through with their DevOps strategy, since it facilitates teams managing their own services without too much coordination with others.

In earlier versions, Consul always used “a single, global scope for resources within an environment” which meant departments sharing an environment had to make sure they, for example, wouldn’t use the same names for their services. Now environments can be divided up and admins get a way of dispensing privileges to individual teams. Within a namespace, users will be able to register and discover services, as well as create, update, delete and list sessions, and entries in the key value store. 

Operators can manage namespaces via the Consul API, CLI, and UI, with options to create, update, delete, and list ACL tokens, roles, policies, authentication methods, and binding rules for all namespaces. With the new additions also comes a central configuration feature, so that users can define “site-wide or service specific Connect proxy configurations via the API”.

Once they made the jump to version 1.7, Consul Enterprise customers will have the opportunity to store snapshots of their Consul servers on the Google Cloud Platform. Previously, only Amazon S3 and Azure Storage could be used for such backups.

Apart from that, HashiCorp reworked Consul in such a way that it now accepts the management of Connect certificates via AWS ACM Private CA. It also allows for the setting of an upstream connections limit in Envoy. MacOS 10.15+ users will be happy to learn that they won’t run into errors when trying to start the Consul command line interface anymore, since upcoming releases “ will be signed and notarized according to Apple’s requirements”.

Users that want to prepare a system upgrade should be aware that the HTTP API “no longer accepts JSON fields that are unknown to it” and PTR queries return answers containing the Consul datacenter label, which could render setups making use of the old behaviours broken. 

A full list of changes that made their way into the beta is available via the project’s repository.