
Sidecarless model for Consul Service Mesh

Open EtienneBruines opened this issue 2 years ago • 4 comments

Feature Description

Next to support for Envoy for Consul Connect, it'd be nice if it supported eBPF. This has the advantage of not having to run an envoy-sidecar for every single service (and for every single port https://github.com/hashicorp/consul/issues/5388).

Resources

  • https://www.youtube.com/watch?v=ThtRT8dhu8c

Use Case(s)

All instances where one would now use a sidecar. Especially useful for highly-optimized microservices. My envoy proxies take up the majority of the RAM on my servers.

Ideally, this support then also becomes available in Nomad, once Consul can generate the config for it.

This will be quite the difficult-to-do thing, and there can be quite some discussion on whether this is something Consul itself should be able to handle or whether this is something that fits the Nomad or the Envoy projects better.

EtienneBruines, Dec 29 '22 08:12

That would be a dream with Nomad and Consul. The only way to do it with not less effort is to integrate Cilium with Nomad. I think the community would appreciate it as the most wanted feature in the Nomad/Consul world.

suikast42, Jan 05 '23 14:01

@EtienneBruines thanks for filing this feature request. It sounds like the ask here is to support a sidecar-less model for Consul as that is the main challenge at hand. My understanding is that eBPF is a library that can potentially help with building networking at the L3/L4 layer with observability benefits, but is strictly not needed for building sidecar-less support.

david-yu, Feb 02 '23 17:02

@david-yu A sidecar-less model describes it quite well.

Whether that functionality is then handled by the kernel (or a kernel module, as is the case with eBPF) or by the Consul Agent itself, or by utilizing iptables or anything like that (or any combination of those) - that might be up for experimentation as to what works best.

Conceptually, there are some similarities with the Transparent Proxy that is offered on Kubernetes. A sidecar-less model that doesn't require modifications to the app itself, it just provides fancy routing for requests through mTLS with the added service-discovery and ACL benefits.

EtienneBruines, Feb 02 '23 21:02

Any progress on this?

suikast42, Jun 08 '24 23:06