These are chat archives for spring-cloud/spring-cloud
My company and myself would like to start using Consul Connect (Service Mesh) in order to be able to efficiently and securely communicate between our microservices, ensuring that inter-service communication is encrypted, and we can store a communication Access Control List (ACL) somewhere central (Consul) that defines which internal service consumer can consume other internal services.
We'd like to avoid using the Consul Connect Sidecar Proxy, so we thought about implementing autoconfiguration and support for having an org.springframework.boot.web.server.SslStoreProvider implementation which loads certificates from Consul Connect by using their HTTP API to retrieve (and cache) the CA Root. This would essentially configure all supported servlet containers to require and trust certificates signed by Consul's CA.
This would solve the "service" side.
On the consumer side though we are using Cloud Discovery & Ribbon (which would probably be obsolete with such configuration).
So we'd like to implement a generic extension to retrieve the "service leaf certificate" (https://www.consul.io/api/agent/connect.html#service-leaf-certificate) and set it on an HTTP client connection factory of your choosing (e.g. Apache HttpClient) when issuing calls to dependencies.
PS: This is my first-time contribution to the ecosystem besides a forgotten and still open PR on Hystrix (Netflix/Hystrix#1809), so if it is not appropriate to post here maybe you can point me somewhere else.