2019-07-06 15:50:02 +00:00
|
|
|
---
|
2020-03-20 21:04:10 +00:00
|
|
|
layout: docs
|
2021-10-26 19:10:21 +00:00
|
|
|
page_title: Consul Service Mesh
|
2020-02-06 23:45:31 +00:00
|
|
|
description: >-
|
2021-10-26 19:10:21 +00:00
|
|
|
Learn how to use Nomad with Consul service mesh to enable secure service to service
|
2020-02-06 23:45:31 +00:00
|
|
|
communication
|
2019-07-06 15:50:02 +00:00
|
|
|
---
|
|
|
|
|
2021-10-26 19:10:21 +00:00
|
|
|
# Consul Service Mesh
|
2019-07-06 15:50:02 +00:00
|
|
|
|
2021-10-26 19:10:21 +00:00
|
|
|
~> **Note:** Nomad's service mesh integration requires Linux network namespaces.
|
|
|
|
Consul service mesh will not run on Windows or macOS.
|
2020-02-19 17:16:20 +00:00
|
|
|
|
2023-01-25 17:31:14 +00:00
|
|
|
[Consul service mesh](/consul/docs/connect) provides
|
2019-09-04 21:25:06 +00:00
|
|
|
service-to-service connection authorization and encryption using mutual
|
|
|
|
Transport Layer Security (TLS). Applications can use sidecar proxies in a
|
|
|
|
service mesh configuration to automatically establish TLS connections for
|
2021-10-26 19:10:21 +00:00
|
|
|
inbound and outbound connections without being aware of the service mesh at all.
|
2019-07-06 15:50:02 +00:00
|
|
|
|
2021-10-26 19:10:21 +00:00
|
|
|
# Nomad with Consul Service Mesh Integration
|
2019-07-06 15:50:02 +00:00
|
|
|
|
2019-09-04 21:25:06 +00:00
|
|
|
Nomad integrates with Consul to provide secure service-to-service communication
|
2021-10-26 19:10:21 +00:00
|
|
|
between Nomad jobs and task groups. To support Consul service mesh, Nomad
|
2019-09-04 21:25:06 +00:00
|
|
|
adds a new networking mode for jobs that enables tasks in the same task group to
|
|
|
|
share their networking stack. With a few changes to the job specification, job
|
2021-10-26 19:10:21 +00:00
|
|
|
authors can opt into service mesh integration. When service mesh is enabled, Nomad will
|
2019-09-04 21:25:06 +00:00
|
|
|
launch a proxy alongside the application in the job file. The proxy (Envoy)
|
2019-07-06 15:50:02 +00:00
|
|
|
provides secure communication with other applications in the cluster.
|
|
|
|
|
2021-10-26 19:10:21 +00:00
|
|
|
Nomad job specification authors can use Nomad's Consul service mesh integration to
|
2020-09-29 16:48:32 +00:00
|
|
|
implement [service segmentation](https://www.consul.io/use-cases/multi-platform-service-mesh) in a
|
2019-09-04 21:25:06 +00:00
|
|
|
microservice architecture running in public clouds without having to directly
|
|
|
|
manage TLS certificates. This is transparent to job specification authors as
|
2021-10-26 19:10:21 +00:00
|
|
|
security features in service mesh continue to work even as the application scales up
|
2019-09-04 21:25:06 +00:00
|
|
|
or down or gets rescheduled by Nomad.
|
2019-07-06 15:50:02 +00:00
|
|
|
|
2021-10-26 19:10:21 +00:00
|
|
|
For using the Consul service mesh integration with Consul ACLs enabled, see the
|
2023-01-25 17:31:14 +00:00
|
|
|
[Secure Nomad Jobs with Consul Service Mesh](/nomad/tutorials/integrate-consul/consul-service-mesh)
|
2020-04-13 16:05:20 +00:00
|
|
|
guide.
|
|
|
|
|
2021-10-26 19:10:21 +00:00
|
|
|
# Nomad Consul Service Mesh Example
|
2019-07-06 15:50:02 +00:00
|
|
|
|
|
|
|
The following section walks through an example to enable secure communication
|
2019-09-04 23:58:47 +00:00
|
|
|
between a web dashboard and a backend counting service. The web dashboard and
|
|
|
|
the counting service are managed by Nomad. Nomad additionally configures Envoy
|
|
|
|
proxies to run along side these applications. The dashboard is configured to
|
|
|
|
connect to the counting service via localhost on port 9001. The proxy is managed
|
|
|
|
by Nomad, and handles mTLS communication to the counting service.
|
2019-07-06 15:50:02 +00:00
|
|
|
|
|
|
|
## Prerequisites
|
|
|
|
|
|
|
|
### Consul
|
|
|
|
|
2021-10-26 19:10:21 +00:00
|
|
|
The Consul service mesh integration with Nomad requires [Consul 1.6 or
|
2019-09-04 21:30:45 +00:00
|
|
|
later.](https://releases.hashicorp.com/consul/1.6.0/) The Consul agent can be
|
|
|
|
run in dev mode with the following command:
|
|
|
|
|
2022-04-15 20:10:06 +00:00
|
|
|
~> **Note:** Nomad's Consul service mesh integration requires Consul in your `$PATH`
|
2019-07-06 15:50:02 +00:00
|
|
|
|
2020-05-18 20:53:06 +00:00
|
|
|
```shell-session
|
|
|
|
$ consul agent -dev
|
2019-07-06 15:50:02 +00:00
|
|
|
```
|
|
|
|
|
2021-10-26 19:10:21 +00:00
|
|
|
To use service mesh on a non-dev Consul agent, you will minimally need to enable the
|
2019-10-07 14:05:40 +00:00
|
|
|
GRPC port and set `connect` to enabled by adding some additional information to
|
2022-11-21 15:19:09 +00:00
|
|
|
your Consul client configurations, depending on format. Consul agents running TLS
|
|
|
|
and a version greater than [1.14.0](https://releases.hashicorp.com/consul/1.14.0)
|
|
|
|
should set the `grpc_tls` configuration parameter instead of `grpc`. Please see
|
2023-01-25 17:31:14 +00:00
|
|
|
the Consul [port documentation](https://nomadproject.io/consul_ports) for further reference material.
|
2019-10-07 14:05:40 +00:00
|
|
|
|
|
|
|
For HCL configurations:
|
|
|
|
|
|
|
|
```hcl
|
|
|
|
# ...
|
|
|
|
|
|
|
|
ports {
|
2020-03-17 21:31:36 +00:00
|
|
|
grpc = 8502
|
2019-10-07 14:05:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
connect {
|
|
|
|
enabled = true
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
For JSON configurations:
|
|
|
|
|
|
|
|
```javascript
|
|
|
|
{
|
|
|
|
// ...
|
|
|
|
"ports": {
|
|
|
|
"grpc": 8502
|
|
|
|
},
|
|
|
|
"connect": {
|
|
|
|
"enabled": true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
2023-01-11 15:34:28 +00:00
|
|
|
#### Consul TLS
|
|
|
|
|
|
|
|
~> **Note:** Consul 1.14+ made a [backwards incompatible change][consul_grpc_tls]
|
|
|
|
in how TLS enabled grpc listeners work. When using Consul 1.14 with TLS enabled users
|
|
|
|
will need to specify additional Nomad agent configuration to work with Connect. The
|
|
|
|
`consul.grpc_ca_file` value must now be configured (introduced in Nomad 1.4.4),
|
|
|
|
and `consul.grpc_address` will most likely need to be set to use the new standard
|
|
|
|
`grpc_tls` port of `8503`.
|
|
|
|
|
|
|
|
```hcl
|
|
|
|
consul {
|
|
|
|
grpc_ca_file = "/etc/tls/consul-agent-ca.pem"
|
|
|
|
grpc_address = "127.0.0.1:8503"
|
|
|
|
ca_file = "/etc/tls/consul-agent-ca.pem"
|
|
|
|
cert_file = "/etc/tls/dc1-client-consul-0.pem"
|
|
|
|
key_file = "/etc/tls/dc1-client-consul-0-key.pem"
|
|
|
|
ssl = true
|
|
|
|
address = "127.0.0.1:8501"
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
2022-04-15 20:10:06 +00:00
|
|
|
#### Consul ACLs
|
|
|
|
|
|
|
|
~> **Note:** Starting in Nomad v1.3.0, Consul Service Identity ACL tokens automatically
|
|
|
|
generated by Nomad on behalf of Connect enabled services are now created in [`Local`]
|
|
|
|
rather than Global scope, and are no longer replicated globally.
|
|
|
|
|
|
|
|
To facilitate cross-Consul datacenter requests of Connect services registered by
|
|
|
|
Nomad, Consul agents will need to be configured with [default anonymous][anon_token]
|
|
|
|
ACL tokens with ACL policies of sufficient permissions to read service and node
|
|
|
|
metadata pertaining to those requests. This mechanism is described in Consul [#7414][consul_acl].
|
|
|
|
A typical Consul agent anonymous token may contain an ACL policy such as:
|
|
|
|
|
|
|
|
```hcl
|
|
|
|
service_prefix "" { policy = "read" }
|
|
|
|
node_prefix "" { policy = "read" }
|
|
|
|
```
|
|
|
|
|
2019-07-06 15:50:02 +00:00
|
|
|
### Nomad
|
|
|
|
|
2019-07-08 11:31:07 +00:00
|
|
|
Nomad must schedule onto a routable interface in order for the proxies to
|
|
|
|
connect to each other. The following steps show how to start a Nomad dev agent
|
2021-10-26 19:10:21 +00:00
|
|
|
configured for Consul service mesh.
|
2019-07-06 15:50:02 +00:00
|
|
|
|
2020-05-18 20:53:06 +00:00
|
|
|
```shell-session
|
|
|
|
$ sudo nomad agent -dev-connect
|
2019-07-08 11:31:07 +00:00
|
|
|
```
|
|
|
|
|
2019-07-10 07:13:10 +00:00
|
|
|
### CNI Plugins
|
|
|
|
|
2023-05-04 16:32:06 +00:00
|
|
|
Nomad uses CNI reference plugins to configure the network namespace used to secure the
|
2021-10-26 19:10:21 +00:00
|
|
|
Consul service mesh sidecar proxy. All Nomad client nodes using network namespaces
|
2023-05-04 16:32:06 +00:00
|
|
|
must have these CNI plugins [installed][cni_install].
|
2019-11-01 18:41:21 +00:00
|
|
|
|
2021-10-26 19:10:21 +00:00
|
|
|
## Run the Service Mesh-enabled Services
|
2019-07-06 15:50:02 +00:00
|
|
|
|
2021-10-26 19:10:21 +00:00
|
|
|
Once Nomad and Consul are running, submit the following service mesh-enabled services
|
2023-02-02 17:47:47 +00:00
|
|
|
to Nomad by copying the HCL into a file named `servicemesh.nomad.hcl` and running:
|
|
|
|
`nomad job run servicemesh.nomad.hcl`
|
2019-07-06 15:50:02 +00:00
|
|
|
|
|
|
|
```hcl
|
2019-10-07 14:05:40 +00:00
|
|
|
job "countdash" {
|
|
|
|
datacenters = ["dc1"]
|
|
|
|
|
|
|
|
group "api" {
|
|
|
|
network {
|
|
|
|
mode = "bridge"
|
|
|
|
}
|
|
|
|
|
|
|
|
service {
|
|
|
|
name = "count-api"
|
|
|
|
port = "9001"
|
|
|
|
|
|
|
|
connect {
|
|
|
|
sidecar_service {}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
task "web" {
|
|
|
|
driver = "docker"
|
|
|
|
|
|
|
|
config {
|
2022-06-08 19:06:00 +00:00
|
|
|
image = "hashicorpdev/counter-api:v3"
|
2019-10-07 14:05:40 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
group "dashboard" {
|
|
|
|
network {
|
|
|
|
mode = "bridge"
|
|
|
|
|
|
|
|
port "http" {
|
|
|
|
static = 9002
|
|
|
|
to = 9002
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
service {
|
|
|
|
name = "count-dashboard"
|
2021-09-04 00:34:40 +00:00
|
|
|
port = "http"
|
2019-10-07 14:05:40 +00:00
|
|
|
|
|
|
|
connect {
|
|
|
|
sidecar_service {
|
|
|
|
proxy {
|
|
|
|
upstreams {
|
|
|
|
destination_name = "count-api"
|
|
|
|
local_bind_port = 8080
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
task "dashboard" {
|
|
|
|
driver = "docker"
|
|
|
|
|
|
|
|
env {
|
|
|
|
COUNTING_SERVICE_URL = "http://${NOMAD_UPSTREAM_ADDR_count_api}"
|
|
|
|
}
|
|
|
|
|
|
|
|
config {
|
2022-06-08 19:06:00 +00:00
|
|
|
image = "hashicorpdev/counter-dashboard:v3"
|
2019-10-07 14:05:40 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2019-07-06 15:50:02 +00:00
|
|
|
```
|
|
|
|
|
2019-07-09 12:44:35 +00:00
|
|
|
The job contains two task groups: an API service and a web frontend.
|
2019-07-06 15:50:02 +00:00
|
|
|
|
2019-07-09 12:44:35 +00:00
|
|
|
### API Service
|
|
|
|
|
|
|
|
The API service is defined as a task group with a bridge network:
|
|
|
|
|
|
|
|
```hcl
|
2019-10-07 14:05:40 +00:00
|
|
|
group "api" {
|
|
|
|
network {
|
|
|
|
mode = "bridge"
|
|
|
|
}
|
2019-07-09 12:44:35 +00:00
|
|
|
|
2019-10-07 14:05:40 +00:00
|
|
|
# ...
|
|
|
|
}
|
2019-07-09 12:44:35 +00:00
|
|
|
```
|
|
|
|
|
2021-10-26 19:10:21 +00:00
|
|
|
Since the API service is only accessible via Consul service mesh, it does not define
|
2023-01-30 14:48:43 +00:00
|
|
|
any ports in its network. The service block enables service mesh.
|
2019-07-09 12:44:35 +00:00
|
|
|
|
|
|
|
```hcl
|
2019-10-07 14:05:40 +00:00
|
|
|
group "api" {
|
|
|
|
|
|
|
|
# ...
|
2019-07-09 12:44:35 +00:00
|
|
|
|
2019-10-07 14:05:40 +00:00
|
|
|
service {
|
|
|
|
name = "count-api"
|
|
|
|
port = "9001"
|
2019-07-09 12:44:35 +00:00
|
|
|
|
2019-10-07 14:05:40 +00:00
|
|
|
connect {
|
|
|
|
sidecar_service {}
|
|
|
|
}
|
|
|
|
}
|
2019-07-09 12:44:35 +00:00
|
|
|
|
2019-10-07 14:05:40 +00:00
|
|
|
# ...
|
|
|
|
|
|
|
|
}
|
2019-07-09 12:44:35 +00:00
|
|
|
```
|
|
|
|
|
2023-01-30 14:48:43 +00:00
|
|
|
The `port` in the service block is the port the API service listens on. The
|
2019-07-09 12:44:35 +00:00
|
|
|
Envoy proxy will automatically route traffic to that port inside the network
|
2021-03-26 18:43:29 +00:00
|
|
|
namespace. Note that currently this cannot be a named port; it must be a
|
|
|
|
hard-coded port value. See [GH-9907].
|
2019-07-09 12:44:35 +00:00
|
|
|
|
|
|
|
### Web Frontend
|
|
|
|
|
|
|
|
The web frontend is defined as a task group with a bridge network and a static
|
|
|
|
forwarded port:
|
2019-07-06 15:50:02 +00:00
|
|
|
|
|
|
|
```hcl
|
2019-10-07 14:05:40 +00:00
|
|
|
group "dashboard" {
|
|
|
|
network {
|
|
|
|
mode = "bridge"
|
|
|
|
|
|
|
|
port "http" {
|
|
|
|
static = 9002
|
|
|
|
to = 9002
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
# ...
|
|
|
|
|
|
|
|
}
|
2019-07-06 15:50:02 +00:00
|
|
|
```
|
|
|
|
|
2019-07-09 12:44:35 +00:00
|
|
|
The `static = 9002` parameter requests the Nomad scheduler reserve port 9002 on
|
|
|
|
a host network interface. The `to = 9002` parameter forwards that host port to
|
|
|
|
port 9002 inside the network namespace.
|
|
|
|
|
|
|
|
This allows you to connect to the web frontend in a browser by visiting
|
2019-09-05 16:20:34 +00:00
|
|
|
`http://<host_ip>:9002` as show below:
|
2019-09-04 22:00:49 +00:00
|
|
|
|
|
|
|
[![Count Dashboard][count-dashboard]][count-dashboard]
|
2019-07-09 12:44:35 +00:00
|
|
|
|
2021-10-26 19:10:21 +00:00
|
|
|
The web frontend connects to the API service via Consul service mesh.
|
2019-07-09 12:44:35 +00:00
|
|
|
|
|
|
|
```hcl
|
2019-10-07 14:05:40 +00:00
|
|
|
service {
|
|
|
|
name = "count-dashboard"
|
2021-09-04 00:34:40 +00:00
|
|
|
port = "http"
|
2019-10-07 14:05:40 +00:00
|
|
|
|
|
|
|
connect {
|
|
|
|
sidecar_service {
|
|
|
|
proxy {
|
|
|
|
upstreams {
|
|
|
|
destination_name = "count-api"
|
|
|
|
local_bind_port = 8080
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2019-07-09 12:44:35 +00:00
|
|
|
```
|
|
|
|
|
2023-01-30 14:48:43 +00:00
|
|
|
The `upstreams` block defines the remote service to access (`count-api`) and
|
2019-07-09 12:44:35 +00:00
|
|
|
what port to expose that service on inside the network namespace (`8080`).
|
|
|
|
|
|
|
|
The web frontend is configured to communicate with the API service with an
|
|
|
|
environment variable:
|
|
|
|
|
|
|
|
```hcl
|
2019-10-07 14:05:40 +00:00
|
|
|
env {
|
|
|
|
COUNTING_SERVICE_URL = "http://${NOMAD_UPSTREAM_ADDR_count_api}"
|
|
|
|
}
|
2019-07-09 12:44:35 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
The web frontend is configured via the `$COUNTING_SERVICE_URL`, so you must
|
|
|
|
interpolate the upstream's address into that environment variable. Note that
|
|
|
|
dashes (`-`) are converted to underscores (`_`) in environment variables so
|
|
|
|
`count-api` becomes `count_api`.
|
|
|
|
|
|
|
|
## Limitations
|
|
|
|
|
2022-04-15 20:10:06 +00:00
|
|
|
- The minimum Consul version to use Connect with Nomad is Consul v1.8.0.
|
2020-02-06 23:45:31 +00:00
|
|
|
- The `consul` binary must be present in Nomad's `$PATH` to run the Envoy
|
|
|
|
proxy sidecar on client nodes.
|
2021-10-26 19:10:21 +00:00
|
|
|
- Consul service mesh using network namespaces is only supported on Linux.
|
2020-12-03 21:48:06 +00:00
|
|
|
- Prior to Consul 1.9, the Envoy sidecar proxy will drop and stop accepting
|
|
|
|
connections while the Nomad agent is restarting.
|
2020-02-06 23:45:31 +00:00
|
|
|
|
2023-02-02 20:20:26 +00:00
|
|
|
## Troubleshooting
|
|
|
|
|
|
|
|
If the sidecar service is not running correctly, you can investigate
|
|
|
|
potential `envoy` failures in the following ways:
|
|
|
|
|
|
|
|
* Task logs in the associated `connect-*` task
|
|
|
|
* Task secrets (may contain sensitive information):
|
|
|
|
* envoy CLI command: `secrets/.envoy_bootstrap.cmd`
|
|
|
|
* environment variables: `secrets/.envoy_bootstrap.env`
|
|
|
|
* An extra Allocation log file: `alloc/logs/envoy_bootstrap.stderr.0`
|
|
|
|
|
|
|
|
For example, with an allocation ID starting with `b36a`:
|
|
|
|
|
|
|
|
```shell-session
|
|
|
|
nomad alloc status -short b36a # to get the connect-* task name
|
|
|
|
nomad alloc logs -task connect-proxy-count-api -stderr b36a
|
|
|
|
nomad alloc exec -task connect-proxy-count-api b36a cat secrets/.envoy_bootstrap.cmd
|
|
|
|
nomad alloc exec -task connect-proxy-count-api b36a cat secrets/.envoy_bootstrap.env
|
|
|
|
nomad alloc fs b36a alloc/logs/envoy_bootstrap.stderr.0
|
|
|
|
```
|
|
|
|
|
|
|
|
Note: If the alloc is unable to start successfully, debugging files may
|
|
|
|
only be accessible from the host filesystem. However, the sidecar task secrets
|
|
|
|
directory may not be available in systems where it is mounted in a temporary
|
|
|
|
filesystem.
|
|
|
|
|
2020-02-06 23:45:31 +00:00
|
|
|
[count-dashboard]: /img/count-dashboard.png
|
2022-04-15 20:10:06 +00:00
|
|
|
[consul_acl]: https://github.com/hashicorp/consul/issues/7414
|
2021-03-31 13:43:17 +00:00
|
|
|
[gh-9907]: https://github.com/hashicorp/nomad/issues/9907
|
2023-01-25 17:31:14 +00:00
|
|
|
[`Local`]: /consul/docs/security/acl/acl-tokens#token-attributes
|
|
|
|
[anon_token]: /consul/docs/security/acl/acl-tokens#special-purpose-tokens
|
|
|
|
[consul_ports]: /consul/docs/agent/config/config-files#ports
|
2023-01-30 14:48:43 +00:00
|
|
|
[consul_grpc_tls]: /consul/docs/upgrading/upgrade-specific#changes-to-grpc-tls-configuration
|
2023-05-04 16:32:06 +00:00
|
|
|
[cni_install]: /nomad/docs/install#post-installation-steps
|