These are chat archives for spring-cloud/spring-cloud

18th
Sep 2018
Ingo Griebsch
@ingogriebsch
Sep 18 2018 06:37
@marcingrzejszczak Thanks for the fast reply. Hope to read some news about it soon! :)
Marcin Grzejszczak
@marcingrzejszczak
Sep 18 2018 06:40
Np
Mate Lang
@matelang
Sep 18 2018 14:32

Hi.

My company and I would like to start using Consul Connect (Service Mesh) in order to be able to efficiently and securely communicate between our microservices, ensuring that inter-service communication is encrypted, and we can store a communication Access Control List (ACL) somewhere central (Consul) that defines which internal service consumer can consume other internal services.

We'd like to avoid using the Consul Connect Sidecar Proxy, so we thought about implementing autoconfiguration and support for having an org.springframework.boot.web.server.SslStoreProvider implementation which loads certificates from Consul Connect by using their HTTP API to retrieve (and cache) the CA Root. This would essentially configure all supported servlet containers to require and trust certificates signed by Consul's CA.

This would solve the "service" side.

On the consumer side, though, we are using Cloud Discovery & Ribbon (which would probably be obsolete with such a configuration).

So we'd like to implement a generic extension to retrieve the "service leaf certificate" (https://www.consul.io/api/agent/connect.html#service-leaf-certificate) and set it on an HTTP Client connection factory of your choosing (e.g. Apache HttpClient) when issuing calls to dependencies.

PS: This is my first-time contribution to the ecosystem besides a forgotten and still open PR on Hystrix (Netflix/Hystrix#1809), so if it is not appropriate to post here maybe you can point me somewhere else.

Spencer Gibb
@spencergibb
Sep 18 2018 20:54
@matelang I've wondered how we might integrate with Consul Connect. How about opening a GitHub issue in spring-cloud-consul where we can share ideas and keep a record?