116 lines
5.0 KiB
Plaintext
116 lines
5.0 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Connect - Configuration
|
|
description: >-
|
|
A Connect-aware proxy enables unmodified applications to use Connect. A
|
|
per-service proxy sidecar transparently handles inbound and outbound service
|
|
connections, automatically wrapping and verifying TLS connections.
|
|
---
|
|
|
|
# Service Mesh Configuration
|
|
|
|
There are many configuration options exposed for Consul service mesh. The only option
|
|
that must be set is the `connect.enabled` option on Consul servers to enable Consul service mesh.
|
|
All other configurations are optional and have reasonable defaults.
|
|
|
|
Consul Connect is the component shipped with Consul that enables service mesh functionality. The terms _Consul Connect_ and _Consul service mesh_ are used interchangeably throughout this documentation.
|
|
|
|
-> **Tip:** Service mesh is enabled by default when running Consul in
|
|
dev mode with `consul agent -dev`.
|
|
|
|
## Agent Configuration
|
|
|
|
Begin by enabling Connect for your Consul
|
|
cluster. By default, Connect is disabled. Enabling Connect requires changing
|
|
the configuration of only your Consul _servers_ (not client agents). To enable
|
|
Connect, add the following to a new or existing
|
|
[server configuration file](/docs/agent/config/config-files). In an existing cluster, this configuration change requires a Consul server restart, which you can perform one server at a time to maintain availability. In HCL:
|
|
|
|
|
|
<CodeTabs heading="Enable Consul service mesh" tabs={[ "HCL", "JSON" ]}>
|
|
|
|
```hcl
|
|
connect {
|
|
enabled = true
|
|
}
|
|
```
|
|
|
|
```json
|
|
"connect": {
|
|
"enabled": true
|
|
}
|
|
```
|
|
</CodeTabs>
|
|
|
|
This will enable Connect and configure your Consul cluster to use the
|
|
built-in certificate authority for creating and managing certificates.
|
|
You may also configure Consul to use an external
|
|
[certificate management system](/docs/connect/ca), such as
|
|
[Vault](https://vaultproject.io).
|
|
|
|
Services and proxies may always register with Connect settings, but they will
|
|
fail to retrieve or verify any TLS certificates. This causes all Connect-based
|
|
connection attempts to fail until Connect is enabled on the server agents.
|
|
|
|
Other optional Connect configurations that you can set in the server
|
|
configuration file include:
|
|
|
|
- [certificate authority settings](/docs/agent/config/config-files#connect)
|
|
- [token replication](/docs/agent/config/config-files#acl_tokens_replication)
|
|
- [dev mode](/docs/agent/config/cli-flags#_dev)
|
|
- [server host name verification](/docs/agent/config/config-files#tls_internal_rpc_verify_server_hostname)
|
|
|
|
If you would like to use Envoy as your Connect proxy you will need to [enable
|
|
gRPC](/docs/agent/config/config-files#grpc_port).
|
|
|
|
Additionally if you plan on using the observability features of Connect, it can
|
|
be convenient to configure your proxies and services using [configuration
|
|
entries](/docs/agent/config-entries) which you can interact with using the
|
|
CLI or API, or by creating configuration entry files. You will want to enable
|
|
[centralized service
|
|
configuration](/docs/agent/config/config-files#enable_central_service_config) on
|
|
clients, which allows each service's proxy configuration to be managed centrally
|
|
via API.
|
|
|
|
!> **Security note:** Enabling Connect is enough to try the feature but doesn't
|
|
automatically ensure complete security. Please read the [Connect production
|
|
tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-production-checklist) to understand the additional steps
|
|
needed for a secure deployment.
|
|
|
|
## Centralized Proxy and Service Configuration
|
|
|
|
To account for common Connect use cases where you have many instances of the
|
|
same service, and many colocated sidecar proxies, Consul allows you to customize
|
|
the settings for all of your proxies or all the instances of a given service at
|
|
once using [Configuration Entries](/docs/agent/config-entries).
|
|
|
|
You can override centralized configurations for individual proxy instances in
|
|
their
|
|
[sidecar service definitions](/docs/connect/registration/sidecar-service),
|
|
and the default protocols for service instances in their [service
|
|
registrations](/docs/discovery/services).
|
|
|
|
## Schedulers
|
|
|
|
Consul Connect is especially useful if you are using an orchestrator like Nomad
|
|
or Kubernetes, because these orchestrators can deploy thousands of service instances
|
|
which frequently move hosts. Sidecars for each service can be configured through
|
|
these schedulers, and in some cases they can automate Consul configuration,
|
|
sidecar deployment, and service registration.
|
|
|
|
### Nomad
|
|
|
|
Connect can be used with Nomad to provide secure service-to-service
|
|
communication between Nomad jobs and task groups. The ability to use the dynamic
|
|
port feature of Nomad makes Connect particularly easy to use. Learn about how to
|
|
configure Connect on Nomad by reading the
|
|
[integration documentation](/docs/connect/nomad).
|
|
|
|
### Kubernetes
|
|
|
|
The Consul Helm chart can automate much of Consul Connect's configuration, and
|
|
makes it easy to automatically inject Envoy sidecars into new pods when they are
|
|
deployed. Learn about the [Helm chart](/docs/platform/k8s/helm) in general,
|
|
or if you are already familiar with it, check out its
|
|
[connect specific configurations](/docs/platform/k8s/connect).
|