Do DNS discovery and Consul to k8s service sync still enforce mTLS?

I’m using Consul strictly within my cluster, for microservice-to-microservice communication.
I’ve currently set it up the Connect way, i.e., I’m making calls to localhost:<some-port> to reach other microservices. I understand that this will ensure TLS using proxying.

However, I want to leverage Consul’s DNS-based service discovery. To do this, I see two approaches:

  • The CoreDNS corefile way, enabling <service-name>.service.consul discovery
  • The service sync way, enabling <service-name> discovery

However, I don’t want to lose TLS in doing so.

Can you tell me if/which of these options would still give me TLS? I read the docs but couldn’t figure it out; feel free to point me to relevant sections if you think I missed something.

Hi @agniveshadhikari,

There’s an open feature request to add this functionality.

Related to that, we are also looking to add support for transparent proxying which will allow applications to address services by their configured hostname (e.g., api.example.com) and have that request automatically re-routed to the sidecar proxy.

In the interim, you will need to make calls to localhost as you have identified.
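
The localhost upstream setup discussed in this thread, shown as an added example that is not part of the original posts. It assumes the consul-k8s Connect injector is installed in the cluster; the service names `web` and `api`, the port `1234`, the image and the `API_URL` variable are placeholders.

```yaml
# Added illustration; names, image and port are placeholders (assumptions).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
      annotations:
        # Ask the consul-k8s injector to add the Connect sidecar proxy to this pod.
        consul.hashicorp.com/connect-inject: "true"
        # Open a local listener on port 1234 that the sidecar forwards
        # to the "api" service over mutual TLS.
        consul.hashicorp.com/connect-service-upstreams: "api:1234"
    spec:
      containers:
        - name: web
          image: registry.example/web:1.0   # placeholder image
          env:
            # The application speaks plaintext only to its own sidecar on
            # localhost; the sidecar carries the request to "api" over mTLS.
            - name: API_URL
              value: "http://localhost:1234"
```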