Implementing mutual TLS
The communication between services is encrypted through sidecar proxies using mutual TLS. Each service is provided an identity through the SPIFFE X.509 certificate (please refer to Chapter 5, Service Mesh Interface and SPIFFE, for a discussion on SPIFFE). Since the services are not tied to fixed IP addresses, the SPIFFE-based identity can be used to connect and accept requests between SPIFFE-compliant services.
Consul has a built-in Certificate Authority, through which it assigns leaf certificates to sidecar proxies. These sidecar proxies can be configured for upstream configuration to specify alternate data centers that services can access for high availability. The CA federation can be enabled between multiple data ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access