mirror of https://github.com/hashicorp/consul
Backport of Docs: change connect to SM for mTLS page into release/1.14.x (#16137)
* backport of commitpull/16151/headfa27ddb1d6
* backport of commitbf5a4ed6e3
--------- Co-authored-by: Nicholas Richu <105801716+nrichu-hcp@users.noreply.github.com>
parent
757aab81be
commit
70c5a92a38
|
@ -2,7 +2,7 @@
|
||||||
layout: docs
|
layout: docs
|
||||||
page_title: Service Mesh - How it Works
|
page_title: Service Mesh - How it Works
|
||||||
description: >-
|
description: >-
|
||||||
Consul's service mesh enforces secure service communication using mutual TLS (mTLS) encryption and explicit authorization. Learn how the service mesh certificate authorities, intentions, and agents work together in the ""Connect"" subsystem to provide Consul’s service mesh capabilities.
|
Consul's service mesh enforces secure service communication using mutual TLS (mTLS) encryption and explicit authorization. Learn how the service mesh certificate authorities, intentions, and agents work together to provide Consul’s service mesh capabilities.
|
||||||
---
|
---
|
||||||
|
|
||||||
# How Service Mesh Works
|
# How Service Mesh Works
|
||||||
|
@ -11,21 +11,20 @@ This topic describes how many of the core features of Consul's service mesh func
|
||||||
It is not a prerequisite,
|
It is not a prerequisite,
|
||||||
but this information will help you understand how Consul service mesh behaves in more complex scenarios.
|
but this information will help you understand how Consul service mesh behaves in more complex scenarios.
|
||||||
|
|
||||||
Consul Connect is the component shipped with Consul that enables service mesh functionality. The terms _Consul Connect_ and _Consul service mesh_ are used interchangeably throughout this documentation.
|
Consul Service Mesh is the component shipped with Consul that enables service mesh functionality.
|
||||||
|
|
||||||
To try service mesh locally, complete the [Getting Started with Consul service
|
To try service mesh locally, complete the [Getting Started with Consul service
|
||||||
mesh](https://learn.hashicorp.com/tutorials/consul/service-mesh?utm_source=docs)
|
mesh](https://learn.hashicorp.com/tutorials/consul/service-mesh?utm_source=docs)
|
||||||
tutorial.
|
tutorial.
|
||||||
|
|
||||||
## Mutual Transport Layer Security (mTLS)
|
## Mutual Transport Layer Security (mTLS)
|
||||||
|
|
||||||
The core of Connect is based on [mutual TLS](https://en.wikipedia.org/wiki/Mutual_authentication).
|
The core of Consul service mesh is based on [mutual TLS](https://en.wikipedia.org/wiki/Mutual_authentication).
|
||||||
|
|
||||||
Connect provides each service with an identity encoded as a TLS certificate.
|
Consul Service Mesh provides each service with an identity encoded as a TLS certificate.
|
||||||
This certificate is used to establish and accept connections to and from other
|
This certificate is used to establish and accept connections to and from other
|
||||||
services. The identity is encoded in the TLS certificate in compliance with
|
services. The identity is encoded in the TLS certificate in compliance with
|
||||||
the [SPIFFE X.509 Identity Document](https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md).
|
the [SPIFFE X.509 Identity Document](https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md).
|
||||||
This enables Connect services to establish and accept connections with
|
This enables Consul Service Mesh services to establish and accept connections with
|
||||||
other SPIFFE-compliant systems.
|
other SPIFFE-compliant systems.
|
||||||
|
|
||||||
The client service verifies the destination service certificate
|
The client service verifies the destination service certificate
|
||||||
|
@ -50,24 +49,24 @@ requires no other dependencies, and
|
||||||
also ships with built-in support for [Vault](/docs/connect/ca/vault). The PKI system is designed to be pluggable
|
also ships with built-in support for [Vault](/docs/connect/ca/vault). The PKI system is designed to be pluggable
|
||||||
and can be extended to support any system by adding additional CA providers.
|
and can be extended to support any system by adding additional CA providers.
|
||||||
|
|
||||||
All APIs required for Connect typically respond in microseconds and impose
|
All APIs required for Consul Service Mesh typically respond in microseconds and impose
|
||||||
minimal overhead to existing services. To ensure this, Connect-related API calls
|
minimal overhead to existing services. To ensure this, Consul Service Mesh-related API calls
|
||||||
are all made to the local Consul agent over a loopback interface, and all [agent
|
are all made to the local Consul agent over a loopback interface, and all [agent
|
||||||
Connect endpoints](/api-docs/agent/connect) implement local caching, background
|
Consul Service Mesh endpoints](/api-docs/agent/connect) implement local caching, background
|
||||||
updating, and support blocking queries. Most API calls operate on purely local
|
updating, and support blocking queries. Most API calls operate on purely local
|
||||||
in-memory data.
|
in-memory data.
|
||||||
|
|
||||||
## Agent Caching and Performance
|
## Agent Caching and Performance
|
||||||
|
|
||||||
To enable fast responses on endpoints such as the [agent Connect
|
To enable fast responses on endpoints such as the [agent Connect
|
||||||
API](/api-docs/agent/connect), the Consul agent locally caches most Connect-related
|
API](/api-docs/agent/connect), the Consul agent locally caches most Consul Service Mesh-related
|
||||||
data and sets up background [blocking queries](/api-docs/features/blocking) against
|
data and sets up background [blocking queries](/api-docs/features/blocking) against
|
||||||
the server to update the cache in the background. This allows most API calls
|
the server to update the cache in the background. This allows most API calls
|
||||||
such as retrieving certificates or authorizing connections to use in-memory
|
such as retrieving certificates or authorizing connections to use in-memory
|
||||||
data and respond very quickly.
|
data and respond very quickly.
|
||||||
|
|
||||||
All data cached locally by the agent is populated on demand. Therefore, if
|
All data cached locally by the agent is populated on demand. Therefore, if
|
||||||
Connect is not used at all, the cache does not store any data. On first request,
|
Consul Service Mesh is not used at all, the cache does not store any data. On first request,
|
||||||
the data is loaded from the server and cached. The set of data cached is: public
|
the data is loaded from the server and cached. The set of data cached is: public
|
||||||
CA root certificates, leaf certificates, intentions, and service discovery
|
CA root certificates, leaf certificates, intentions, and service discovery
|
||||||
results for upstreams. For leaf certificates and intentions, only data related
|
results for upstreams. For leaf certificates and intentions, only data related
|
||||||
|
@ -79,9 +78,9 @@ may see data it shouldn't from the cache. This results in higher memory usage
|
||||||
for cached data since it is duplicated per ACL token, but with the benefit
|
for cached data since it is duplicated per ACL token, but with the benefit
|
||||||
of simplicity and security.
|
of simplicity and security.
|
||||||
|
|
||||||
With Connect enabled, you'll likely see increased memory usage by the
|
With Consul Service Mesh enabled, you'll likely see increased memory usage by the
|
||||||
local Consul agent. The total memory is dependent on the number of intentions
|
local Consul agent. The total memory is dependent on the number of intentions
|
||||||
related to the services registered with the agent accepting Connect-based
|
related to the services registered with the agent accepting Consul Service Mesh-based
|
||||||
connections. The other data (leaf certificates and public CA certificates)
|
connections. The other data (leaf certificates and public CA certificates)
|
||||||
is a relatively fixed size per service. In most cases, the overhead per
|
is a relatively fixed size per service. In most cases, the overhead per
|
||||||
service should be relatively small: single digit kilobytes at most.
|
service should be relatively small: single digit kilobytes at most.
|
||||||
|
@ -116,7 +115,7 @@ be set in the secondary datacenter server's configuration.
|
||||||
|
|
||||||
## Certificate Authority Federation
|
## Certificate Authority Federation
|
||||||
|
|
||||||
The primary datacenter also acts as the root Certificate Authority (CA) for Connect.
|
The primary datacenter also acts as the root Certificate Authority (CA) for Consul Service Mesh.
|
||||||
The primary datacenter generates a trust-domain UUID and obtains a root certificate
|
The primary datacenter generates a trust-domain UUID and obtains a root certificate
|
||||||
from the configured CA provider which defaults to the built-in one.
|
from the configured CA provider which defaults to the built-in one.
|
||||||
|
|
||||||
|
@ -124,7 +123,7 @@ Secondary datacenters fetch the root CA public key and trust-domain ID from the
|
||||||
primary and generate their own key and Certificate Signing Request (CSR) for an
|
primary and generate their own key and Certificate Signing Request (CSR) for an
|
||||||
intermediate CA certificate. This CSR is signed by the root in the primary
|
intermediate CA certificate. This CSR is signed by the root in the primary
|
||||||
datacenter and the certificate is returned. The secondary datacenter can now use
|
datacenter and the certificate is returned. The secondary datacenter can now use
|
||||||
this intermediate to sign new Connect certificates in the secondary datacenter
|
this intermediate to sign new Consul Service Mesh certificates in the secondary datacenter
|
||||||
without WAN communication. CA keys are never replicated between datacenters.
|
without WAN communication. CA keys are never replicated between datacenters.
|
||||||
|
|
||||||
The secondary maintains watches on the root CA certificate in the primary. If the
|
The secondary maintains watches on the root CA certificate in the primary. If the
|
||||||
|
|
Loading…
Reference in New Issue