HashiCorp’s Consul Brings Namespace Management to the Service Mesh

Dec 10th, 2019 1:44pm by Joab Jackson

HashiCorp has updated its Consul services networking platform with the capability to manage service namespaces at an organization-wide level.

Released Tuesday, Consul 1.7 also comes with additional plugins to support a number of application monitoring and management tools, including AppDynamics, Datadog and the NGINX proxy.

HashiCorp presents Consul as a network automation tool for enterprises to connect and secure application services across multiple clouds and on-prem environments, putting all the services on a single communication plane with a shared registry.

The thinking behind Consul is that “you need a namespace service registry for the new, dynamic environment,” noted Amith Nair, Consul vice president of product marketing. With containers and microservices, individual services may appear and disappear, or just move across different nodes too quickly to be assigned permanent IP numbers. Instead service names can act as the unique identifiers.

The new release includes more advanced management tools for namespaces, setting the stage for self-service, governance and operational control of service names and namespaces as a whole.

Name Sprawl

HashiCorp’s core customer base of enterprises have been adopting namespaces model, where each service is assigned a unique identifier, or name, under the global namespace. Until now, every resource in registered in Consul shared a single universal scope.

As the use of Consul grew within organizations, different development teams would have to coordinate to prevent multiple services using the same name. Consul could work with duplicate names, by listing all of them, but it “creates the problem of conflicting names which makes it difficult to connect the mesh and make sure the right services talk with each other,” Nair said. It also limits how the namespace model can used for programmable computing, which requires each resource to have a unique identifier. Alternatively, a central security team could manage the namespace, and dole out official service names when needed, but this would slow development, and be in opposition to good DevOps practices, which dictate that small teams should manage their own resources.

The new technology “allows global operators to create isolated environments in a shared cluster and apply any required service access restrictions for authenticated users,” according to the company. This eliminates the need to for multiple teams to coordinate resource names, as well as the need for a central authority to manage namespaces on a case-by-case basis. It also provides a way to delegate sub-delegate administrative privileges for individual teams, ensuring a finer grain control with access-based security.

In regards to the monitoring support, Consul has a rich set of telemetry data for indicating the health of services. And while it can be easy for the average Consul user to extract the Consul data, the plugins make it much easier for third-party APM tools to start digesting this info. Expect HashiCorp to form more partnerships with more APM and monitoring providers in the future, Nair said.