Skip to content

A Hashicorp Consul example with an app server (httpkit) and database (apache derby).

Notifications You must be signed in to change notification settings

jamesnyika/hashi

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

83 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Hashicorp

Hashicorp Consul Example

A prospect is interested in establishing mutual TLS between applications or services

  • Demonstrate consul connect establishing connectivity and service segmentation between a Tomcat app or another app and a database.
  • Demonstrate denying access from the app to the database using intentions toggle approval or denial of connectivity (live demo)
  • Describe the solution, slides, Consul UI, etc
  • Be ready to answer technical questions about the solution, compared to GTM, etc

Proposed solution

Hashicorp's Consul is a fantastic way to connect existing/legacy applications and services using TLS connections WITHOUT retrofitting them to perform SSL. It is quick and easy to configure and can deliver the following benefits

  • Out of the box health checking. The consul agent automatically checks if services are up and running and allows you to react if services are down and since it is done locally, it is all distributed

  • Updates are only sent to healthy hosts meaning that faulty nodes will not be needlessly sent traffic they cannot handle.

  • Secure communications between services without incurring the cost of new development to add TLS encryption between applications for very little extra footprint

  • Can eliminate the cost of additional load balancers since it has healthchecks and a DNS resolution service

  • Can be used across datacenters, securing links cross them while having configuration specific to each datacenter captured in its KV store.

  • Visibility through the consul web application improves the user experience in seeing and managing services, including adding/removing intentions.

..and lot more

How it was done


image credit: Unsplash Photo by Daniel Gonzalez

If you would like to go directly to the solution description then go here

How to run it


Running The Code


  1. Start Derby. From a terminal, change into the hashi directory and run the startdb.sh script
$ cd hashi
$ ./startdb.sh
  1. Start the web application server
$ lein clean; lein run
  1. Start the consul agent
./startcon.sh

This basically executes

## kick off agent with a node name
consul agent -dev -enable-script-checks -config-dir=../consul -node aurelius

which is

  • dev mode enabled
  • script checking prevents arbitrary malicious execution of code by the agent
  • supply a configuration directory
  • name this consul agent node because my machine does not have a friendly name - i want it easy!
  1. Start the proxies
./startproxies.sh

This will background the proxies for both the app server and database server.

  1. Check out the web UI and you should see something like the following

services

and health checks should show healthy sidecar proxies and services

health

You should also see your ports setup as follows

health

  1. To access the site unencrypted you can hit

    http://localhost:8080/ or http://localhost:8080/list-posts

    however, you can now access the service mesh by connecting to the proxies

    http://localhost:9090/ or http://localhost:9090/list-posts which uses consul

    See below

    t1

    and with database access

    t2

  2. Add an intention to allow or deny access to the db server as shown below

int

When set to deny then you cannot access the database listing

t3

About

A Hashicorp Consul example with an app server (httpkit) and database (apache derby).

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published