Consul: Namespaces for service registration

@stevendborrelli The way forward on this is via the ACL system. With 0.5 it was extended to support service registration, to restrict who can register services. With 0.6 it will be extended to discovery as well. So you could create a "dev" ACL policy that only allows registering and discovering a subset of instances, etc. Hope that helps!

This is also made infinitely nicer using the shiny new prepared queries. The Consul 0.6 release is just around the corner and this is one of the tentpole features for it. Check it out, and let us know if that satisfies your use case!

@ryanuber how do prepared query improve this? Can you elaborate please?

@armon so you're saying instead of namespace, make it so that consumers can only see some nodes? What if I want to configure an haproxy for multiple services that share the same name with a different namespace?

@raphink Basically the ACL system can be used to provide users with a partial view of the system. Instead of seeing all the services, you can restrict what is visible. Its not the same as a namespace, but can be used to segregate teams and services.

@armon I get the idea, but it doesn't allow to have multiple services with the same name on a given proxy.

++ for the feature.

+1 as well

This is quite similar to #290

Basically, I have a similar problem. I have a simple datacenter with different environment within. We want each environment to register services with no naming restrictions between environments, but a given environment should only be able to access the services it registered.

We want also at a global scope to be able to access all the services from all environments to monitor them.

Basically, we need some kind of namespace before the service name. The service name uniqueness would only be guaranteed across the same namespace, and the default value for the namespace when registering a service for example would be provided by the nomad agent. And we need to have ACL to be able to filter services based on this namespace. A default namespace should be able to be specified in the agent configuration for the DNS interface.

Until then, I suppose the only option to have separate environments that doesn't share services is to run multiple different clusters.

any updates on it?

Can service tags help you with this?

+1 for a feature

This is needed for Kubernetes and how services are synchronnize from kuberntes to consul, right now services with the same name gets flattened to a single service name in consul with no way to differentiate it.

@filintod are you using consul in kubernetes or trying to bridge to external services as say part of a migration to k8s?

we are migrating services to kubernetes and installing it on kubernetes, but we will have a mix environment VM/k8s for a while. We need to expose services that are on multiple namespaces, the workaround is to put the namespace as part of the name, but this is not a very clean multi-tenancy solution. The consul-k8s sync agent cannot do much other than the workaround mentioned as consul does not support multiple-namespaces.

makes sense, we ended up just using headless services to point to external services but it's not a complete solution especially if your VM's are very elastic. If you are using AWS AS groups you could just throw a NLB between K8s and your VM's and just point the headless services at the NLB.

I am happy to let you know this issue is solved, now that namespaces arrived in Consul 1.7.0 Enterprise: https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#170-february-11-2020.