Securely connect your services with Consul service mesh

10min
|
Consul

Deployment

In this tutorial, you will deploy HashiCups, a demo application, and integrate it with Consul service mesh. After deploying HashiCups, you will explore service-to-service traffic permissions with intentions.

You will use the resources created in this tutorial in the following tutorials to enable external traffic ingress with Consul API Gateway and explore service mesh observability.

In this tutorial, you will:

Deploy the demo application HashiCups
View Consul services
Test the demo application
Configure service-to-service traffic permissions with intentions

Prerequisites

Deploy the demo application

In this section, you will deploy the demo application HashiCups that will let you explore Consul's service mesh features.

Consul uses Envoy proxy sidecars to provide service mesh capabilities to your applications. In this case, each HashiCups Kubernetes deployment spec contains the consul.hashicorp.com/connect-inject: "true" Kubernetes annotation. This annotation deploys an Envoy proxy sidecar alongside the application.

Sample service with annotation

hashicups/v1/frontend.yaml

## ...
apiVersion: apps/v1
kind: Deployment
## ...
spec:
  replicas: 1
  ## ...
  template:
    metadata:
      labels:
        service: frontend
        app: frontend
      annotations:
        consul.hashicorp.com/connect-inject: "true"
    spec:
      serviceAccountName: frontend
      containers:
        - name: frontend
        ## ...

Deploy the HashiCups application.

$ kubectl apply --filename hashicups/v1/

Check the pods to confirm they are all running.

$ kubectl get pods --namespace default
NAMESPACE            NAME                                           READY   STATUS    RESTARTS   AGE
default              frontend-5d7f97456b-4h7mj                      2/2     Running   0          67s
default              nginx-7445d8d8c4-nmht9                         2/2     Running   0          67s
default              payments-6888957c45-r5lks                      2/2     Running   0          68s
default              product-api-7fcf6cd96f-brdvf                   2/2     Running   0          67s
default              product-api-db-855dbcc787-4pv9k                2/2     Running   0          67s
default              public-api-7b985f985c-8hwwf                    2/2     Running   0          67s

Tip

The initial HashiCups deployment will take about 1-2 minutes to complete.

The diagram below shows the services running in your Kubernetes cluster. This includes the service mesh layer and HashiCups microservice application pods.

Application Architecture Diagram

View Consul services

In this section, you will view your Consul services with the CLI, UI, and/or API to explore the details of your service mesh.

In your terminal, run the CLI command consul catalog services to return the list of services registered in Consul. Notice each service has a corresponding sidecar proxy.

$ consul catalog services
consul
frontend
frontend-sidecar-proxy
nginx
nginx-sidecar-proxy
payments
payments-sidecar-proxy
product-api
product-api-db
product-api-db-sidecar-proxy
product-api-sidecar-proxy
public-api
public-api-sidecar-proxy

This configuration deployed Consul in secure mode with ACLs set to a default deny policy and is automatically managed by Consul and Kubernetes. This means that the only allowed service-to-service communications are the ones explicitly specified by intentions.

Run the CLI command consul intention list to return the list of intentions defined in Consul.

$ consul intention list
There are no intentions.

Since you have not defined any intentions yet, at this time Consul will deny all service-to-service traffic.

Output the HCP Consul Dedicated URL value to your terminal and paste it in your browser.

$ export $CONSUL_HTTP_ADDR
learn-hcp-eks-cluster.public.consul.00000000-0000-0000-0000-000000000000.aws.hashicorp.cloud

Output the token value to your terminal and copy the value to your clipboard. You will use this ACL token to authenticate in the Consul UI.

$ echo $CONSUL_HTTP_TOKEN
fe0dd5c3-f2e1-81e8-cde8-49d26cee5efc

On the left navigation pane, click the Services tab to review your deployed services. Notice how Consul automatically created services for each HashiCups service.

Consul UI Services Page

In the left navigation pane, click the Intentions tab. Since you deployed Consul with ACLS and have not defined any intentions, this shows no intentions and Consul will deny all service-to-service traffic.

Consul UI Intentions

In your terminal, run the following curl command to return the list of services registered in Consul.

$ curl -k \
    --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
    $CONSUL_HTTP_ADDR/v1/catalog/services

Sample output:

{"consul":[],"frontend":[],"frontend-sidecar-proxy":[],"nginx":[],"nginx-sidecar-proxy":[],"payments":[],"payments-sidecar-proxy":[],"product-api":[],"product-api-db":[],"product-api-db-sidecar-proxy":[],"product-api-sidecar-proxy":[],"public-api":[],"public-api-sidecar-proxy":[]}

Run the following curl command to return the list of intentions defined in Consul.

$ curl -k \
    --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
    $CONSUL_HTTP_ADDR/v1/connect/intentions

Sample output:

[]

Since you have not defined any intentions yet, at this time Consul will deny all service-to-service traffic.

In this section, you will view your Consul services with the CLI, UI, and/or API to explore the details of your service mesh.

In your terminal, run the CLI command consul catalog services to return the list of services registered in Consul. Notice each service has a corresponding sidecar proxy.

$ consul catalog services
consul
frontend
frontend-sidecar-proxy
nginx
nginx-sidecar-proxy
payments
payments-sidecar-proxy
product-api
product-api-db
product-api-db-sidecar-proxy
product-api-sidecar-proxy
public-api
public-api-sidecar-proxy

$ consul intention list
There are no intentions.

Output the HCP Consul Dedicated URL value to your terminal and paste it in your browser.

$ export $CONSUL_HTTP_ADDR
learn-hcp-aks-cluster.public.consul.00000000-0000-0000-0000-000000000000.azure.hashicorp.cloud

Output the token value to your terminal and copy the value to your clipboard. You will use this ACL token to authenticate in the Consul UI.

$ echo $CONSUL_HTTP_TOKEN
fe0dd5c3-f2e1-81e8-cde8-49d26cee5efc

On the left navigation pane, click the Services tab to review your deployed services. Notice how Consul automatically created services for each HashiCups service.

Consul UI Services Page

Consul UI Intentions

In your terminal, run the following curl command to return the list of services registered in Consul.

$ curl -k \
    --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
    $CONSUL_HTTP_ADDR/v1/catalog/services

Sample output:

{"consul":[],"frontend":[],"frontend-sidecar-proxy":[],"nginx":[],"nginx-sidecar-proxy":[],"payments":[],"payments-sidecar-proxy":[],"product-api":[],"product-api-db":[],"product-api-db-sidecar-proxy":[],"product-api-sidecar-proxy":[],"public-api":[],"public-api-sidecar-proxy":[]}

Run the following curl command to return the list of intentions defined in Consul.

$ curl -k \
    --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
    $CONSUL_HTTP_ADDR/v1/connect/intentions

Sample output:

[]

Since you have not defined any intentions yet, at this time Consul will deny all service-to-service traffic.

Test the demo application

Open a separate terminal window and expose the HashiCups UI with kubectl port-forward using the nginx service name as the target.

$ kubectl port-forward svc/nginx --namespace default 8080:80

Open http://localhost:8080 in your browser. Notice that while you can reach the nginx instance because of the port forwarding, the nginx service is unable to access its upstreams and the connection is refused. This is expected behavior since you have not defined any intentions yet.

HashiCups Connection Error

Create intentions

To see how intentions affect communication between the services in your service mesh, you will create intentions following the "least-privilege" principle that allow communication between your services.

Open hashicups/intentions/allow.yaml to review the intentions configuration file. This file defines multiple intentions that will allow the HashiCups services to interact with each other.

hashicups/intentions/allow.yaml

---
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
 name: frontend
 namespace: default
# Allow traffic from nginx to frontend
spec:
 destination:
   name: frontend
 sources:
   - name: nginx
     action: allow
---
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
 name: public-api
 namespace: default
# Allow traffic from nginx to public-api
spec:
 destination:
   name: public-api
 sources:
   - name: nginx
     action: allow
## ...

Deploy the service intentions to allow the HashiCups services to interact with each other.

$ kubectl apply --filename hashicups/intentions/allow.yaml

Confirm applied intentions

Open a separate terminal window and expose the HashiCups UI with kubectl port-forward using the nginx service name as the target.

$ kubectl port-forward svc/nginx --namespace default 8080:80

Check out the HashiCups UI at http://localhost:8080. Notice that the application is now fully functional.

HashiCups UI

Next steps

In this tutorial, you deployed the demo application HashiCups into your Consul service mesh. After deploying HashiCups, you used intentions to control communication between services in your service mesh.

In the next tutorial, you will deploy a Consul API Gateway to control ingress into your service mesh applications.

For more information about the topics covered in this tutorial, refer to the following resources:

Deploy Consul on Kubernetes

Enable external traffic ingress