[Translation] Consul 1.4: Multi-Data Center Service Mesh

NOV 14 2018 THE CONSUL TEAM


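We are excited to announce that HashiCorp Consul 1.4 is generally available. Consul is a distributed service mesh that connects, secures, and configures services across any runtime platform and public or private cloud. This release introduces a completely redesigned ACL system and the first enterprise Consul Connect feature with multi-data center support. Special thanks to our active community members for their valuable feedback during the RC period.

Download Now

Consul Connect General Availability (GA)

We introduced the Connect feature in June this year, which enabled Consul to segment traffic and use a TLS-based approach to build zero trust networks. Since the initial release, the Consul team has focused on production hardening and expanding the ecosystem integration. We are pleased to announce the general availability of Connect in this release.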

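ACL Redesign

The ACL system in Consul has been redesigned to simplify operations and management. This change covers several different areas.

Tokens & Policies

Tokens can now be retrieved and modified using public accessor IDs, which are different from the secret ID (the token in API interactions) used to authorize requests to Consul. This allows ACL tokens to be managed more securely.

A policy data model has also been added, which can be applied to many tokens and managed centrally. This gives operators a central place where a specific policy can be updated for a set of applications, a business unit, or another grouping, and the update applies to all tokens created under that policy.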

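UI

The Consul web UI allows for full management of tokens and policies.


CLI

The new ACL system includes a new CLI to manage tokens, policies, and upgrades. It can be used in automation as well as for manual management.

In this example, a new policy is created, followed by a token attached to that policy.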

$ consul acl policy create -name "example" -description "Example policy" -rules @rules.hcl
ID:           ca44555b-a2d8-94de-d763-88caffdaf11f
Name:         example
Description:  Example policy
Datacenters: 
Rules:
service_prefix "marketing-" {
   policy = "read"
}

$ consul acl token create -description "www-app" -policy-id ca44555b
AccessorID:   986193b5-e2b5-eb26-6264-b524ea60cc6d
SecretID:     ec15675e-2999-d789-832e-8c4794daa8d7
Description:  www-app
Local:        false
Create Time:  2018-10-22 15:33:39.01789 -0400 EDT
Policies:
   ca44555b-a2d8-94de-d763-88caffdaf11f - example

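Visit the ACL command documentation for a full set of examples and all the available commands.

Upgrading

We designed this new system to allow in-place upgrades from the old ACL system; the old system is migrated automatically while compatibility is retained for the current API tokens of clusters where ACLs are enabled. Read the full upgrade guide.

Multi-Data Center Service Segmentation (Enterprise Feature)

Consul Enterprise adds a new major feature that extends Connect's capabilities beyond the single cluster use case. Consul Connect now supports replication of intentions and federated certificate management between data centers. This allows secure, authorized connections between source and destination services in any data center. The real-time replication of intentions also ensures that consistent security policies are applied to a service regardless of where it resides or migrates to.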

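Other Enhancements

In addition to the new UI, this release also delivers new features, enhancements and bug fixes. Some of the major features include:

  • A new consul debug command, which gathers information about the target agent and cluster to help resolve incidents and debug issues
  • DNS supports prefix lookups, such as lb-* to match services lb-001 or lb-service-007

Learn More

For more information, please visit the Consul project page. We hope you enjoy Consul 1.4!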


---

[Original] Consul 1.4: Multi-Data Center Service Mesh

NOV 14 2018 THE CONSUL TEAM

We are excited to announce the general availability of HashiCorp Consul 1.4. Consul is a distributed service mesh to connect, secure, and configure services across any runtime platform and public or private cloud. This release introduces a completely redesigned ACL system and the first enterprise Consul Connect feature with multi-data center support. A special thanks to our active community members for their valuable feedback during the RC period.

Download Now

Consul Connect General Availability (GA)

We introduced the Connect feature in June this year, which enabled Consul to segment traffic and use a TLS-based approach to do zero trust networking. Since the initial release, the Consul team has focused on production hardening and expanding the ecosystem integration. We are pleased to announce the general availability of Connect in this release.

ACL Redesign

The ACL system in Consul has been redesigned to simplify operations and management. This change covered several different areas.

Tokens & Policies

Tokens can now be retrieved and modified using public accessor IDs, which are different than the secret ID (token in API interactions) used for authorizing requests to Consul. This allows for more secure management of ACL tokens.

A policy data model was also added, which can be applied to many tokens and managed centrally. This gives operators a central place to update a specific policy for a set of applications, business unit, or other groupings that will apply to all tokens created under that policy.

UI

The Consul web UI allows for full management of tokens and policies.


CLI

The new ACL system includes a new CLI to manage tokens, policies, and upgrades. This can be used in automation or for manual management.

In this example, a new policy is created, followed by a token which is attached to that policy.

$ consul acl policy create -name "example" -description "Example policy" -rules @rules.hcl
ID:           ca44555b-a2d8-94de-d763-88caffdaf11f
Name:         example
Description:  Example policy
Datacenters: 
Rules:
service_prefix "marketing-" {
   policy = "read"
}

$ consul acl token create -description "www-app" -policy-id ca44555b
AccessorID:   986193b5-e2b5-eb26-6264-b524ea60cc6d
SecretID:     ec15675e-2999-d789-832e-8c4794daa8d7
Description:  www-app
Local:        false
Create Time:  2018-10-22 15:33:39.01789 -0400 EDT
Policies:
   ca44555b-a2d8-94de-d763-88caffdaf11f - example

Visit the ACL command documentation for a full set of examples and all the commands available.
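
Because the accessor ID and the secret ID are separate values, automation can keep the accessor in logs and tickets and store only the secret under restricted permissions. The following shell script is an added example, not code from the Consul project; the helper names (field, redact, store_secret) are hypothetical, and the sample input is the token-create output shown above.

```shell
#!/bin/sh
# Added example: split `consul acl token create` output into a loggable
# record (AccessorID only) and a secret stored in an owner-only file.

# Constructed sample: the token-create output shown on this page.
sample_output() {
cat <<'EOF'
AccessorID:   986193b5-e2b5-eb26-6264-b524ea60cc6d
SecretID:     ec15675e-2999-d789-832e-8c4794daa8d7
Description:  www-app
Local:        false
Create Time:  2018-10-22 15:33:39.01789 -0400 EDT
Policies:
   ca44555b-a2d8-94de-d763-88caffdaf11f - example
EOF
}

# field NAME: print the value of the "NAME:  value" line read from stdin.
field() {
  awk -v k="$1:" '$1 == k { print $2; exit }'
}

# redact: blank the SecretID value so the text is safe for logs and tickets.
redact() {
  sed -E 's/^(SecretID:[[:space:]]+).*/\1<redacted>/'
}

# store_secret FILE: write the SecretID from stdin to FILE with mode 0600.
# Fails if the input carries no SecretID line.
store_secret() {
  secret=$(field SecretID)
  [ -n "$secret" ] || return 1
  ( umask 077 && printf '%s\n' "$secret" > "$1" && chmod 600 "$1" )
}

# Demo on the constructed sample. In practice:
#   out=$(consul acl token create -description "www-app" -policy-id ca44555b)
out=$(sample_output)
secret_file=$(mktemp)
printf '%s\n' "$out" | store_secret "$secret_file"   # secret goes to disk only
printf '%s\n' "$out" | redact                        # this copy can be logged
accessor=$(printf '%s\n' "$out" | field AccessorID)
# The accessor is enough for later management, e.g.:
#   consul acl token read -id "$accessor"
echo "accessor for later management: $accessor"
rm -f "$secret_file"
```
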

Upgrading

We've designed this new system to allow for in-place upgrades coming from the old ACL system that will automatically migrate while retaining compatibility for current API tokens for clusters where ACLs are enabled. Read the full upgrade guide.

Multi-Data Center Service Segmentation (Enterprise Feature)

Consul Enterprise added a new major feature to extend Connect's capabilities beyond the single cluster use case. Consul Connect now supports replication of intentions and federated certificate management between data centers. This allows secure, authorized connections between source and destination services in any data center. The real-time replication of intentions also ensures that consistent security policies are applied to a service regardless of where it resides or migrates to.

Other Enhancements

In addition to the new UI, this release also delivers new features, enhancements and bug fixes. Some of the major features include:

  • A new consul debug command which gathers information about the target agent and cluster to help resolve incidents and debug issues
  • DNS supports prefix lookups, such as lb-* to match services lb-001 or lb-service-007

Learn More

For more information, please visit the Consul project page. We hope you enjoy Consul 1.4!
