We are excited to announce the general availability of HashiCorp Consul 1.4. Consul is a distributed service mesh to connect, secure, and configure services across any runtime platform and public or private cloud. This release introduces a completely redesigned ACL system and the first enterprise Consul Connect feature with multi-data center support. A special thanks to our active community members for their valuable feedback during the RC period.
We introduced the Connect feature in June this year, which enabled Consul to segment traffic and use a TLS-based approach to do zero trust networking. Since the initial release, the Consul team has focused on production hardening and expanding the ecosystem integration. We are pleased to announce the general availability of Connect in this release.
The ACL system in Consul has been redesigned to simplify operations and management. This change covered several different areas.
Tokens can now be retrieved and modified using public accessor IDs, which are different than the secret ID (token in API interactions) used for authorizing requests to Consul. This allows for more secure management of ACL tokens.
A policy data model was also added. A policy can be applied to many tokens and managed centrally. This gives operators a central place to update a specific policy for a set of applications, a business unit, or another grouping, and the update applies to all tokens created under that policy.
The Consul web UI allows for full management of tokens and policies.
The new ACL system includes a new CLI to manage tokens, policies, and upgrades. This can be used in automation or for manual management.
In this example, a new policy is created, followed by a token which is attached to that policy.
$ consul acl policy create -name "example" -description "Example policy" -rules @rules.hcl
ID: ca44555b-a2d8-94de-d763-88caffdaf11f
Name: example
Description: Example policy
Datacenters:
Rules:
service_prefix "marketing-" {
  policy = "read"
}
$ consul acl token create -description "www-app" -policy-id ca44555b
AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d
SecretID: ec15675e-2999-d789-832e-8c4794daa8d7
Description: www-app
Local: false
Create Time: 2018-10-22 15:33:39.01789 -0400 EDT
Policies:
ca44555b-a2d8-94de-d763-88caffdaf11f - example
Visit the ACL command documentation for a full set of examples and all the commands available.
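The accessor/secret split described above matters most in automation that creates tokens. The following is an added example, not code from the Consul project: it parses the token-create output shown on this page, writes the SecretID to an owner-only file, and keeps only the non-secret fields for logs. The function names and the `<AccessorID>.token` file naming are assumptions made for illustration.

```python
import os
import re

# Sample input: the `consul acl token create` output shown on this page.
SAMPLE_OUTPUT = """\
AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d
SecretID: ec15675e-2999-d789-832e-8c4794daa8d7
Description: www-app
Local: false
Create Time: 2018-10-22 15:33:39.01789 -0400 EDT
Policies:
ca44555b-a2d8-94de-d763-88caffdaf11f - example
"""

UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")
POLICY = re.compile(rf"^\s*({UUID}) - (.+)$")


def parse_token_output(text):
    """Split CLI output into scalar fields and the attached policy list."""
    fields, policies = {}, []
    for line in text.splitlines():
        if m := POLICY.match(line):
            policies.append({"id": m.group(1), "name": m.group(2)})
        elif m := FIELD.match(line):
            fields[m.group(1)] = m.group(2)
    fields["Policies"] = policies
    return fields


def store_secret(token, directory):
    """Write the SecretID to an owner-only file named after the AccessorID."""
    path = os.path.join(directory, token["AccessorID"] + ".token")
    # O_EXCL refuses to overwrite; mode 0600 keeps group and others out.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token["SecretID"])
    return path


def loggable(token):
    """Return a copy that is safe for logs and tickets: no SecretID."""
    return {k: v for k, v in token.items() if k != "SecretID"}


if __name__ == "__main__":
    print("log record:", loggable(parse_token_output(SAMPLE_OUTPUT)))
```

Later lookups and revocations can then reference the token by its AccessorID, so the SecretID never needs to appear in scripts, logs, or tickets.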
We've designed this new system to allow in-place upgrades from the old ACL system: clusters where ACLs are enabled migrate automatically, and current API tokens remain compatible. Read the full upgrade guide.
Update: This feature has been renamed as "Intention and certificate replication" and moved to open source from Consul 1.6.0.
Consul Enterprise added a new major feature to extend Connect's capabilities beyond the single cluster use case. Consul Connect now supports replication of intentions and federated certificate management between data centers. This allows secure, authorized connections between source and destination services in any data center. The real-time replication of intentions also ensures that consistent security policies are applied to a service regardless of where it resides or migrates to.
In addition to the new UI, this release also delivers new features, enhancements and bug fixes. Some of the major features include:
consul debug command which gathers information about the target agent and cluster to help resolve incidents and debug issues
lb-* to match services lb-001 or lb-service-007
For more information, please visit the Consul project page. We hope you enjoy Consul 1.4!