Spruce VS consul

The CI/CD has a service account with permissions to all envs, and during deployment it renders the config files and inserts the "real" values by pulling it from Vault/KMS. Something very simple is Spruce, which is actually a powerful general templating tool but I've seen it only used for vault secrets so far.

I use spruce for many thing but it's ability to merge y'all files smartly is very useful. Think global yaml merged with one of [prod, staging, dev].yaml, merged with override.yaml creating a deployment yaml. https://github.com/geofffranks/spruce

A service mesh provides features to help with common distributed microservice challenges. Like service discovery, routing, load balancing, and so on. Today we will be using Istio, one of the most popular service mesh solutions available. Istio is tailored for distributed application architectures, especially those you might run in Kubernetes. Istio plays nicely with Kubernetes, so nicely that you might think that it's part of the Kubernetes platform itself. Istio isn't the only service mesh around; we also have platforms like Linkerd and Consul, which are also quite popular.

We knew that we needed a way, at runtime, to start and stop these queue consumers. Although we could have reached for other configuration management tools like Hashicorp Consul or AWS AppConfig, we already use LaunchDarkly at Knock to control the runtime behavior of our frontend and backend applications. LaunchDarkly feature flags seemed like a great way to control this starting and stopping process without adding new dependencies or complexity to our stack.

Since all of your apps are in the same environment, one possibility is to use a service registry like Consul or etcd. As a container comes up it registers itself by making a REST call to declare “I’m the Rabbit server!”. Then other apps call out to etcd with a REST query to ask “Where’s the Rabbit server?” and get the name of the Rabbit container. If you decide to start playing with HA or clustering, this can be extended so the service registry returns the name of the current primary node, or spreads traffic across multiple nodes by returning different responses based on rules you set up.

[Unit] Description="HashiCorp Consul - A service mesh solution" Documentation=https://www.consul.io/ Requires=network-online.target After=network-online.target ConditionFileNotEmpty=/etc/consul.d/consul.hcl [Service] EnvironmentFile=-/etc/consul.d/consul.env User=consul Group=consul ExecStart=/usr/bin/consul agent -config-dir=/etc/consul.d/ ExecReload=/bin/kill --signal HUP $MAINPID KillMode=process KillSignal=SIGTERM Restart=on-failure LimitNOFILE=65536 [Install] WantedBy=multi-user.target

When interconnecting private services that need symmetric flow, any service has to be able to initiate a connection with another service. Service discovery is a prerequisite for connectivity. Services have to know how to connect to downstream services. Once that problem is resolved (using DNS, or Consul etc.), there are two primary ways to interconnect services:

Consul Agent (www.consul.io - DNS and Service Discovery)

You actually have to deliberately dig a bit to find the "service mesh" keywords on the current product homepage, it's definitely not a top-billing feature.