# HashiCorp Consul — Service Discovery & Service Mesh

> Consul is a distributed service networking platform providing service discovery, health checking, KV storage, and a full service mesh with mTLS for microservices.

## Install

Save in your project root:

## Quick Use

```bash
# Start a dev server
docker run -d --name consul -p 8500:8500 -p 8600:8600/udp 
  hashicorp/consul:latest agent -server -ui -bootstrap -client=0.0.0.0
```

Open `http://localhost:8500/ui` — Consul Web UI is ready.

## Intro

**Consul** is a distributed, highly available, and data center-aware service networking platform from HashiCorp. It provides service discovery, health checking, key-value storage, and a full service mesh with mTLS — enabling secure, reliable communication between microservices and infrastructure.

With 29.8K+ GitHub stars and BSL license, Consul is a cornerstone of the HashiCorp stack, used by enterprises and startups alike to manage service connectivity in multi-cloud, multi-datacenter environments.

## What Consul Does

- **Service Discovery**: Register services and discover them via DNS or HTTP API
- **Health Checking**: Continuously monitor service health and remove unhealthy instances
- **KV Store**: Distributed key-value storage for dynamic configuration
- **Service Mesh**: Full mTLS service mesh with Envoy sidecar proxies
- **Intentions**: Declarative access control between services
- **Multi-Datacenter**: Federate Consul clusters across regions and clouds
- **Network Segmentation**: Isolate services via Consul Namespaces and Admin Partitions
- **ACL**: Fine-grained access control with tokens and policies
- **Event System**: Trigger events across clusters for coordinated actions

## Architecture

```
┌─────────────────────────────────────────────┐
│  Datacenter 1                               │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐  │
│  │ Consul   │──│ Consul   │──│ Consul   │  │
│  │ Server 1 │  │ Server 2 │  │ Server 3 │  │
│  └──────────┘  └──────────┘  └──────────┘  │
│       ▲             ▲             ▲         │
│       │  Raft Consensus         │         │
│  ┌────┴──────────────┴──────────┴────┐    │
│  │                                    │    │
│  │  ┌─────┐ ┌─────┐ ┌─────┐ ┌─────┐  │    │
│  │  │Agent│ │Agent│ │Agent│ │Agent│  │    │
│  │  │ Web │ │ API │ │ DB  │ │Cache│  │    │
│  │  └─────┘ └─────┘ └─────┘ └─────┘  │    │
│  │          Client Agents             │    │
│  └────────────────────────────────────┘    │
└─────────────────────────────────────────────┘
            │ WAN Federation
            ▼
┌─────────────────────────────────────────────┐
│  Datacenter 2 (Another region/cloud)       │
└─────────────────────────────────────────────┘
```

## Self-Hosting

### Docker Compose (Dev)

```yaml
services:
  consul:
    image: hashicorp/consul:latest
    ports:
      - "8500:8500"        # HTTP API / UI
      - "8600:8600/udp"    # DNS
      - "8600:8600/tcp"
    command: agent -server -ui -bootstrap-expect=1 -client=0.0.0.0
    volumes:
      - consul-data:/consul/data

volumes:
  consul-data:
```

### Production Cluster (3 Servers)

```yaml
services:
  consul-server-1:
    image: hashicorp/consul:latest
    command: agent -server -ui -bootstrap-expect=3 -retry-join=consul-server-2 -retry-join=consul-server-3 -client=0.0.0.0
    volumes:
      - consul-1:/consul/data

  consul-server-2:
    image: hashicorp/consul:latest
    command: agent -server -bootstrap-expect=3 -retry-join=consul-server-1 -retry-join=consul-server-3 -client=0.0.0.0
    volumes:
      - consul-2:/consul/data

  consul-server-3:
    image: hashicorp/consul:latest
    command: agent -server -bootstrap-expect=3 -retry-join=consul-server-1 -retry-join=consul-server-2 -client=0.0.0.0
    volumes:
      - consul-3:/consul/data

volumes:
  consul-1:
  consul-2:
  consul-3:
```

## Service Discovery

### Register a Service

```json
{
  "service": {
    "name": "web",
    "id": "web-1",
    "address": "10.0.1.5",
    "port": 8080,
    "tags": ["primary", "v2"],
    "checks": [
      {
        "http": "http://10.0.1.5:8080/health",
        "interval": "10s",
        "timeout": "5s"
      }
    ]
  }
}
```

```bash
curl -X PUT -d @service.json http://localhost:8500/v1/agent/service/register
```

### Discover Services

```bash
# HTTP API
curl http://localhost:8500/v1/catalog/service/web

# DNS query (SRV record)
dig @localhost -p 8600 web.service.consul SRV

# Only healthy instances
curl http://localhost:8500/v1/health/service/web?passing=true
```

### Integration in Code

```go
// Go example
import "github.com/hashicorp/consul/api"

config := api.DefaultConfig()
client, _ := api.NewClient(config)

// Find web service
services, _, _ := client.Health().Service("web", "", true, nil)
for _, entry := range services {
    fmt.Printf("%s:%d
", entry.Service.Address, entry.Service.Port)
}
```

## KV Store

```bash
# Write
curl -X PUT -d 'production' http://localhost:8500/v1/kv/config/app/environment
curl -X PUT -d '5432' http://localhost:8500/v1/kv/config/db/port

# Read
curl http://localhost:8500/v1/kv/config/app/environment?raw

# List keys
curl http://localhost:8500/v1/kv/config/?keys

# Watch for changes (long polling)
curl "http://localhost:8500/v1/kv/config/app/environment?index=123&wait=5m"
```

## Service Mesh (Connect)

### Enable Connect

```json
{
  "service": {
    "name": "web",
    "port": 8080,
    "connect": {
      "sidecar_service": {
        "proxy": {
          "upstreams": [
            {
              "destination_name": "database",
              "local_bind_port": 9191
            }
          ]
        }
      }
    }
  }
}
```

### Intentions (Access Control)

```bash
# Allow web service to access database
consul intention create web database

# Deny all except explicitly allowed
consul intention create -deny "*" "*"
consul intention create web database
```

## Consul vs Alternatives

| Feature | Consul | Etcd | Eureka | Istio |
|---------|--------|------|--------|-------|
| Service discovery | Yes | Kv only | Yes | Via K8s |
| KV store | Yes | Yes | No | No |
| Health checks | Yes | No | Yes | Yes |
| Service mesh | Yes | No | No | Yes |
| Multi-DC | Yes | Limited | Yes | Complex |
| DNS interface | Yes | No | No | No |
| Language | Go | Go | Java | Go |
| Stack | Any | K8s native | Java focus | K8s focus |

## 常见问题

**Q: Consul 和 etcd 怎么选？**
A: etcd 主要是分布式 KV 存储（K8s 用它存储集群状态）。Consul 是完整的服务网络平台，包含 KV + 服务发现 + 健康检查 + 服务网格。如果你只需要 KV 存储，etcd 更轻量。如果需要服务发现和健康检查，选 Consul。

**Q: Consul 和 Istio 怎么选？**
A: Istio 是 Kubernetes 原生服务网格（只能在 K8s 上用）。Consul 既支持 K8s 也支持 VM 和混合环境。如果你的服务混合部署在 K8s 和传统 VM 上，选 Consul。纯 K8s 环境下 Istio 功能更丰富。

**Q: BSL 许可证影响使用吗？**
A: BSL（Business Source License）允许自由使用和修改，限制是不能作为 Consul 的竞品商业产品。对于绝大多数用户（自托管、内部使用），BSL 等同于开源许可。

## 来源与致谢

- GitHub: [hashicorp/consul](https://github.com/hashicorp/consul) — 29.8K+ ⭐ | BSL
- 官网: [consul.io](https://consul.io)

---
Source: https://tokrepo.com/en/workflows/931a6bb7-352f-11f1-9bc6-00163e2b0d79
Author: AI Open Source