
HashiCorp Consul 1.2: Service Mesh - onnimonni
https://www.hashicorp.com/blog/consul-1-2-service-mesh
======
syllogism
If you're using Consul for web services, I really recommend the Traefik web
server: [https://traefik.io](https://traefik.io)

Traefik replaces Nginx: it's the reverse proxy that maps the incoming requests
to your various services, which are advertising on some arbitrary localhost
port.

The amazing thing is that Traefik integrates with Consul: you only need to
point it to your Consul endpoint, and it can automatically publish your
services! You can also do other dynamic configuration of Traefik, e.g. by
publishing a service via a REST API, via Kubernetes, etc.

I've struggled for years to get Nginx configured correctly, and it's been
frustrating to have no alternative. In Nginx, dynamic binding is a premium
feature. In the free version, you have to rewrite the config and restart the
service. That's not fun if you expect services to come and go as part of your
natural life-cycle.

Traefik's still pretty young. Notably, the docs are shit. But the application
is well-designed, and it compiles as a single self-contained binary (as it's
written in Go).

~~~
hellcow
Traefik isn't worth the trouble. We used it in production over the course of 2
years, and it was consistently our only source of downtime due to ridiculous
bugs: not closing file descriptors, breaking changes, and silent failures with
no log output, panic or exit even with debug logs enabled.

As you mentioned, the docs are terrible. What makes that worse are the
undocumented breaking changes between each release. They don't even pretend to
follow semver, so v1.5 broke v1.4, and v1.6 broke v1.5. Each update you pray
that it doesn't take your whole setup down. If anything goes wrong, since
nothing is documented and there's often no logs explaining what went wrong,
you might be down for an extended period while you make 100 best-guess changes
to the config that worked in staging, but for whatever reason isn't working in
production. May the odds be ever in your favor.

Last I checked, Traefik was 988,000 (!!!) lines of code. That's 20x the size
of my very complex web application. I replaced it with 500 lines of Go
providing all the essential features for me. Higher reliability, way fewer
bugs, no breaking changes.

~~~
emilevauge
Traefik creator here. Wow, that's harsh!

You may have encountered issues while using Traefik so giving your opinion is
totally fine, but I don't think that's fair to overreact.

Many users (and I mean big companies) have been using Traefik in production
for years without issue. I'm not saying there is no bug, which software can
claim this, I'm just saying that many users have a good opinion on Traefik
stability.

We follow semver, there shouldn't be any breaking change between 2 minor
versions. But, yes, it can happen, sometimes, we may have forgotten to check a
specific use case. But hey, again, let's be fair, we don't want it. We are
just human. And no, this does not happen at every minor version and this is
pretty uncommon...

Finally, on Traefik size. You are including Traefik dependencies, in vendor/,
which is a bit weird. In Go, the convention is to push the dependencies in
your repository to get reproducible builds, so that's not a good way to count.
If you exclude vendor/:

golocc --no-vendor ./...

Lines of Code: 58532 (2987 CLOC, 55545 NCLOC)

Which is rather tiny.

So all in all, I regret you had such a bad experience with Traefik, but I just
wanted to express the fact that many users are using it without any issue :) I
would be happy to discuss further on this.

~~~
shaklee3
Thanks for clearing all that up.

------
mochtar
If you want to try the new Connect feature from Consul yourself, we've put up
an interactive tutorial on our Instruqt learning platform, together with the
nice folks at HashiCorp:
[https://play.instruqt.com/hashicorp/tracks/connect](https://play.instruqt.com/hashicorp/tracks/connect)

~~~
thepumpkin1979
this instruqt thingy is pretty cool, it's actually addictive. I started with
the Connect course and I'm not going for Istio:

> Please wait while we setup a Kubernetes cluster with Istio preinstalled. In
> the meantime, browse through these notes to learn more about the sample
> application.

damn

~~~
mochtar
Thanks!

We also like apps and services that start faster better ;-)

~~~
thepumpkin1979
Oh what I meant to say is, it's a real Kubernetes cluster, it's a good thing.

------
chuhnk
I've been using Consul as part of micro
([https://github.com/micro/micro](https://github.com/micro/micro)) for 3 years
now. It's a great mechanism for service discovery. This additional feature is
going to be seamlessly integrated. They've done a fantastic job of pushing
forward Consul as a whole.

------
esseti
If I use Kubernetes, this service is superfluous, right? Instead, it's useful
if you use Docker containers in other fashion since services should
communicate with each other.

~~~
paultyng
I think the answer is yes and no depending on your needs. I don't have a lot
of experience with the Kubernetes NetworkPolicy which does support selector
based allow/block of communication between pods, but I believe it does not
encrypt the traffic itself (although you could always do so on top of the
network layer). It also is constrained to only controlling communications
within Kubernetes and requires an actual controller to implement the
networking. Consul Connect does use a sidecar proxy for intra cluster
communication, but in addition to just the authorization it also does a mutual
TLS and can allow that secure communication to endpoints outside the cluster.
It now occupies a space very similar to Istio:
[https://www.consul.io/intro/vs/istio.html](https://www.consul.io/intro/vs/istio.html)

Disclaimer: I work for HC but not on Consul

------
Already__Taken
sidebar: I'm quite fond of hcl[0] I hope it worms its way through more systems
as a config format option

[0]: [https://github.com/hashicorp/hcl](https://github.com/hashicorp/hcl)

~~~
alecthomas
Agreed, it's a great format. I wish it would kill YAML.

~~~
vesak
I wish Hashicorp will seriously maim many of the other devops solutions. Their
stuff has grown on me slowly, but I'm appreciating the hell out of their
focused tools. Smells like Unix spirit.

------
jrs95
Damn, this is nice. If this had been around a few months ago I don't think I'd
be using Kubernetes right now.

------
kamura
Could someone care to elaborate what are the main differences between Consul
and Istio? What would be the primary reasons to choose one service mesh over
the other?

~~~
cube2222
Consul is not a service mesh. At its core it's a distributed key-value store
which is commonly used for service discovery, configuration management and
healthchecks.

~~~
lifty
Consul just became a service mesh. It’s in the release notes.

