Full transparency: Consul 1.10 introduces less-prescriptive traffic handling

Full transparency: Consul 1.10 introduces less-prescriptive traffic handling

Work on version 1.10 of service networking project HashiCorp Consul is done, and the result is generally available to infrastructure folks.

Consul 1.10 is the first version to contain a transparent proxy — an addition meant to allow sidecar proxies to infer a destination based on service intentions. Before its introduction, users had to explicitly define upstreams for a service as a local listener on the sidecar proxy, dial the local listener to reach a stream, and set intentions to allow communication between selected services. 

Transparent proxies can be enabled per service, namespace or throughout the cluster via pod annotation, namespace label, or setting the appropriate Helm value respectively. To make the whole concept work, traffic needs to be redirected through inbound and outbound listeners on the sidecar. This can be set up using the new command consul connect redirect-traffic

Teams need to be aware, however, that traffic redirection interferes with Kubernetes HTTP health probes. To keep these working, Consul includes Helm values and pod annotations to point probes into the right direction. Explicit setting will stay an option, so don’t worry if you prefer the prescriptive approach to the transparent proxy one.

Consul’s UI has been redesigned to make navigation easier, so you might have to reacquaint yourself with the layout of the sidebar. Users wanting to integrate monitoring platform Prometheus with Consul’s Service Visualization UI can do so quickly by deploying Prometheus via the Consul Helm chart — though this isn’t advised for production purposes just yet. Somewhat related, there’s now the option of exposing Pod and Envoy metrics to Prometheus through annotations via a single endpoint, so teams don’t have to choose between the two anymore.

Other than that, Consul 1.10 comes with streaming for the service health HTTP endpoint enabled by default. It will also automatically use xDS version 3 and Incremental xDS for all supported Envoy proxy versions bootstrapped by v1.10 of the Consul CLI, just to avoid using the outdated collection. Details are available on the announcement blog.

Consul Terraform Sync was updated as well and is now available in version 0.2. The tool looks to integrate the network topology of a Consul cluster with a user’s network infrastructure to secure and connect services dynamically. It runs alongside Consul, using the networking project to get information about services. Terraform comes into play to execute infrastructure automation tasks with the values retrieved from the Consul service catalog. 

The new release introduces task run conditions in which users can specify the events that need to take place before a task should be executed. It also allows teams to filter services by values in other fields and not just the service tags, integrates with Citrix ADC, and has been upgraded to work with Terraform 0.15.