Do DNS discovery and consul to k8s service sync still enforce mTLS?

agniveshadhikari · August 23, 2020, 3:49pm

I’m using consul strictly within my cluster, for microservice to microservice communication.
I’ve currently set it up the connect way. ie, I’m making calls to localhost:<some-port> to reach other microservices. I understand that this will ensure TLS using proxying.

However, I want to leverage consul’s DNS based service discovery. To do this, I see two approaches:

The CoreDNS corefile way, enabling <service-name>.service.consul discovery
The service sync way, enabling <service-name> discovery

However, I don’t want to lose TLS in doing so.

Can you tell me if/which of these options would still give me TLS? I read the docs, but couldn’t figure out, feel free to point me to relevant sections if you think I missed something.

blake · August 24, 2020, 4:27pm

Hi @agniveshadhikari,

There’s an open feature request to add this functionality.

Related to that, we are also looking to add support for transparent proxying which will allow applications to address services by their configured hostname (e.g., api.example.com) and have that request automatically re-routed to the sidecar proxy.

In the interim, you will need to make calls to localhost as you have identified.

Topic		Replies	Views
Docs clarification: transparent proxy and service name Consul connect	2	485	November 23, 2021
Kubernetes Service Discovery for External services Consul k8s	0	317	August 3, 2023
Does k8s consul connect work without connect-service-upstreams? Consul	2	567	December 20, 2020
Consul Connect, Federation, and TCP/ZeroMQ Consul connect	1	423	August 4, 2023
K8S Consul Connect to Nomad Consul Connect - Connectivity issues Consul connect , consul-k8s , nomad	3	340	July 25, 2023

Do DNS discovery and consul to k8s service sync still enforce mTLS?

Related topics