Consul 1.4: Multi-Data Center Service Mesh
We are excited to announce the general availability of HashiCorp Consul 1.4. Consul is a distributed service mesh to connect, secure, and configure services across any runtime platform and public or private cloud. This release introduces a completely redesigned ACL system and the first enterprise Consul Connect feature with multi-data center support. A special thanks to our active community members for their valuable feedback during the RC period.
» Consul Connect General Availability (GA)
We introduced the Connect feature in June this year, which enabled Consul to segment traffic and use a TLS-based approach to do zero trust networking. Since the initial release, the Consul team has focused on production hardening and expanding the ecosystem integration. We are pleased to announce the general availability of Connect in this release.
» ACL Redesign
The ACL system in Consul has been redesigned to simplify operations and management. This change covered several different areas.
» Tokens & Policies
Tokens can now be retrieved and modified using public accessor IDs, which are different than the secret ID (token in API interactions) used for authorizing requests to Consul. This allows for more secure management of ACL tokens.
A policy data model was also added. A policy can be applied to many tokens and is managed centrally. This gives operators a single place to update a specific policy for a set of applications, a business unit, or another grouping, and the update applies to all tokens created under that policy.
» UI
The Consul web UI allows for full management of tokens and policies.
» CLI
The new ACL system includes a new CLI to manage tokens, policies, and upgrades. This can be used in automation or for manual management.
In this example, a new policy is created, followed by a token which is attached to that policy.
$ consul acl policy create -name "example" -description "Example policy" -rules @rules.hcl
ID: ca44555b-a2d8-94de-d763-88caffdaf11f
Name: example
Description: Example policy
Datacenters:
Rules:
service_prefix "marketing-" {
  policy = "read"
}

$ consul acl token create -description "www-app" -policy-id ca44555b
AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d
SecretID: ec15675e-2999-d789-832e-8c4794daa8d7
Description: www-app
Local: false
Create Time: 2018-10-22 15:33:39.01789 -0400 EDT
Policies:
   ca44555b-a2d8-94de-d763-88caffdaf11f - example
Visit the ACL command documentation for a full set of examples and all the commands available.
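The accessor/secret split described under Tokens & Policies matters most in automation, where command output tends to end up in job logs. The following shell sketch is an added example, not code from the original post or from the Consul project: it parses `consul acl token create` output, writes the SecretID to an owner-only file, and prints only the AccessorID. The function names (`sample_token_output`, `field`, `store_token`) and the file path are assumptions, and the sample output is constructed from the listing in the post.

```shell
#!/bin/sh
# Added example (not from the post): keep the SecretID out of logs.

# Constructed sample in the format of the post's listing (IDs copied from it).
sample_token_output() {
    cat <<'EOF'
AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d
SecretID: ec15675e-2999-d789-832e-8c4794daa8d7
Description: www-app
Local: false
Create Time: 2018-10-22 15:33:39.01789 -0400 EDT
Policies:
   ca44555b-a2d8-94de-d763-88caffdaf11f - example
EOF
}

# field NAME: print the value of the first "NAME: value" line on stdin.
field() {
    awk -v key="$1" 'index($0, key ":") == 1 {
        sub(/^[^:]*:[ \t]*/, ""); print; exit
    }'
}

# store_token FILE: read token-create output on stdin, write the SecretID
# to FILE readable by the owner only, and print just the AccessorID.
store_token() {
    secret_file=$1
    out=$(cat)
    accessor=$(printf '%s\n' "$out" | field AccessorID)
    secret=$(printf '%s\n' "$out" | field SecretID)
    # Refuse partial output rather than storing an empty credential.
    if [ -z "$accessor" ] || [ -z "$secret" ]; then
        echo "store_token: AccessorID or SecretID missing" >&2
        return 1
    fi
    # Recreate the file under a restrictive umask (subshell keeps it local),
    # so a pre-existing file with looser permissions is not reused.
    ( umask 077 && rm -f "$secret_file" &&
      printf '%s\n' "$secret" > "$secret_file" ) || return 1
    printf '%s\n' "$accessor"
}

# Intended use in a pipeline (path is a placeholder):
#   consul acl token create -description "www-app" -policy-id ca44555b \
#       | store_token /path/to/www-app.secret
```

The AccessorID printed by `store_token` is the value to record in tickets and logs for later token management; the SecretID never reaches stdout.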
» Upgrading
We've designed the new system to allow in-place upgrades from the old ACL system. Clusters where ACLs are enabled migrate automatically, and current API tokens remain compatible. Read the full upgrade guide.
» Multi-Data Center Service Segmentation
Update: This feature has been renamed as "Intention and certificate replication" and moved to open source from Consul 1.6.0.
Consul Enterprise added a new major feature to extend Connect's capabilities beyond the single cluster use case. Consul Connect now supports replication of intentions and federated certificate management between data centers. This allows secure, authorized connections between source and destination services in any data center. The real-time replication of intentions also ensures that consistent security policies are applied to a service regardless of where it resides or migrates to.
» Other Enhancements
In addition to the new UI, this release also delivers new features, enhancements and bug fixes. Some of the major features include:
- A new consul debug command which gathers information about the target agent and cluster to help resolve incidents and debug issues
- DNS supports prefix lookups, such as lb-* to match services lb-001 or lb-service-007
» Learn More
For more information, please visit the Consul project page. We hope you enjoy Consul 1.4!