Multiple mesh environment and integration

We are using several technologies that bring their own service mesh (OpenShift, MuleSoft, Pivotal Cloud Foundry, AWS) and are looking to implement mTLS across the environment. One option is to try and rip out all the other meshes and drop in Consul, but that requires higher effort and cost. Has anyone come up with clean solutions for a hybrid mesh solution? Has anyone ripped out these other meshes and tried dropping in Consul? Any successes/challenges?
Thanks,
Bob

Hi Bob,

I can speak to your first question about hybrid mesh solutions.

At the moment there is not a straightforward way to establish mTLS communication between different service mesh solutions. However, last year HashiCorp collaborated with VMware to build a proof-of-concept demo of service mesh interoperability between Consul and NSX Service Mesh.

The underlying service mesh federation specification is open source. Details can be found at https://github.com/vmware/hamlet, and in this recording from April 2020 of a presentation on Hamlet given by VMware at the CNCF’s SMI community meeting (youtube.com/watch?v=TJBWRrM0O1Y). It contains a bit more info on the specification than is outlined in the blog or GitHub repo.

If this spec were to be adopted by other service meshes, then it would enable the inter-operation and mTLS trust between service meshes that it sounds like you are looking for.

Absent this interoperability, you could use Consul ingress and egress/terminating gateways, which were released in 1.8.0, to facilitate communication to/from services running outside of Consul in the other service mesh environments.
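
As an added illustration of the gateway approach in the reply above (not part of the original posts and not HashiCorp's own example): two Consul config entries, each saved to its own file and applied with `consul config write`. The service names `pcf-billing` and `orders`, the gateway names, the port, the SNI host and the certificate paths are hypothetical.

```hcl
# File: terminating-gateway.hcl
# Egress: mesh services reach "pcf-billing", which runs outside Consul.
# pcf-billing must also be registered in the Consul catalog as an external service.
Kind = "terminating-gateway"
Name = "egress-to-pcf"
Services = [
  {
    Name = "pcf-billing"
    # Without CAFile the gateway connects to the external service without TLS,
    # so encryption stops at the gateway. CAFile makes the gateway verify the
    # destination; CertFile/KeyFile add a client certificate so the hop is mutual TLS.
    CAFile   = "/etc/consul/certs/pcf-ca.pem"
    CertFile = "/etc/consul/certs/gateway-client.pem"
    KeyFile  = "/etc/consul/certs/gateway-client-key.pem"
    SNI      = "billing.pcf.example.internal"
  }
]

# File: ingress-gateway.hcl
# Ingress: callers outside the mesh reach the mesh service "orders".
# The gateway-to-orders hop uses Connect mTLS; TLS.Enabled also serves TLS
# on the listener that external callers connect to.
Kind = "ingress-gateway"
Name = "ingress-from-pcf"
TLS {
  Enabled = true
}
Listeners = [
  {
    Port     = 8443
    Protocol = "tcp"
    Services = [
      { Name = "orders" }
    ]
  }
]
```

Intentions still apply to `pcf-billing` and are enforced at the terminating gateway, so a default-deny intention policy covers the external service as well.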