luxolus
/
open-nomad
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

Consul connect guide update (#6268) 

* formatting paragraphs

* remove reference to consul 1.6-beta and update nomad agent command

* remove tech preview status and update limitations

* remove beta tag in navigation

* add screenshot of count dashboard

* update example summary and remove redis references

* capitalize Consul

* minor corrections

* hcl formatting
* demo is on localhost not host ip
* clarify consul on PATH

* mention variable interpolation limitation
This commit is contained in:
Omar Khawaja 2019-09-05 12:29:47 -04:00 committed by GitHub
parent 1a69911237 77464b700b
commit 43363f9337
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 48 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
website/source/assets/images/count-dashboard.png (Stored with Git LFS) Normal file
View File

Binary file not shown.

94
website/source/guides/integrations/consul-connect/index.html.md
View File

@ -8,50 +8,47 @@ description: |-
# Consul Connect # Consul Connect
~> **Note** This guide describes a new feature available in the [Nomad 0.10.0 [Consul Connect](https://www.consul.io/docs/connect/index.html) provides
Connect Technology Preview release][download] of Nomad for [Hashiconf EU service-to-service connection authorization and encryption using mutual
2019][hashiconfeu]. This is not intended for production use and has many known Transport Layer Security (TLS). Applications can use sidecar proxies in a
[limitations](#limitations). service mesh configuration to automatically establish TLS connections for
inbound and outbound connections without being aware of Connect at all.
[download]: https://releases.hashicorp.com/nomad/0.10.0-connect1/
[hashiconfeu]: https://hashiconfeu.hashicorp.com/schedule/service-mesh-with-consul-connect-and-nomad-0.10
[Consul Connect](https://www.consul.io/docs/connect/index.html) provides service-to-service connection
authorization and encryption using mutual Transport Layer Security (TLS). Applications can use sidecar proxies in a service mesh
configuration to automatically establish TLS connections for inbound and outbound connections
without being aware of Connect at all.
# Nomad with Consul Connect Integration # Nomad with Consul Connect Integration
Nomad integrates with Consul to provide secure service-to-service communication between Nomad integrates with Consul to provide secure service-to-service communication
Nomad jobs and task groups. In order to support Consul Connect, Nomad adds a new networking between Nomad jobs and task groups. In order to support Consul Connect, Nomad
mode for jobs that enables tasks in the same task group to share their networking stack. With adds a new networking mode for jobs that enables tasks in the same task group to
a few changes to the job specification, job authors can opt into Connect integration. When Connect share their networking stack. With a few changes to the job specification, job
is enabled, Nomad will launch a proxy alongside the application in the job file. The proxy (Envoy) authors can opt into Connect integration. When Connect is enabled, Nomad will
launch a proxy alongside the application in the job file. The proxy (Envoy)
provides secure communication with other applications in the cluster. provides secure communication with other applications in the cluster.
Nomad job specification authors can use Nomad's Consul Connect integration to implement Nomad job specification authors can use Nomad's Consul Connect integration to
[service segmentation](https://www.consul.io/segmentation.html) in a implement [service segmentation](https://www.consul.io/segmentation.html) in a
microservice architecture running in public clouds without having to directly manage microservice architecture running in public clouds without having to directly
TLS certificates. This is transparent to job specification authors as security features manage TLS certificates. This is transparent to job specification authors as
in Connect continue to work even as the application scales up or down or gets rescheduled by Nomad. security features in Connect continue to work even as the application scales up
or down or gets rescheduled by Nomad.
# Nomad Consul Connect Example # Nomad Consul Connect Example
The following section walks through an example to enable secure communication The following section walks through an example to enable secure communication
between a web application and a Redis container. The web application and the between a web dashboard and a backend counting service. The web dashboard and
Redis container are managed by Nomad. Nomad additionally configures Envoy the counting service are managed by Nomad. Nomad additionally configures Envoy
proxies to run along side these applications. The web application is configured proxies to run along side these applications. The dashboard is configured to
to connect to Redis via localhost and Redis's default port (6379). The proxy is connect to the counting service via localhost on port 9001. The proxy is managed
managed by Nomad, and handles mTLS communication to the Redis container. by Nomad, and handles mTLS communication to the counting service.
## Prerequisites ## Prerequisites
### Consul ### Consul
Connect integration with Nomad requires [Consul 1.6-beta1 or Connect integration with Nomad requires [Consul 1.6 or
later.](https://releases.hashicorp.com/consul/1.6.0-beta1/) The later.](https://releases.hashicorp.com/consul/1.6.0/) The Consul agent can be
Consul agent can be run in dev mode with the following command: run in dev mode with the following command:
**Note**: Nomad's Connect integration requires Consul in your `$PATH`
```sh ```sh
$ consul agent -dev $ consul agent -dev
@ -64,15 +61,7 @@ connect to each other. The following steps show how to start a Nomad dev agent
configured for Connect. configured for Connect.
```sh ```sh
$ go get -u github.com/hashicorp/go-sockaddr/cmd/sockaddr $ sudo nomad agent -dev-connect
$ export DEFAULT_IFACE=$(sockaddr eval 'GetAllInterfaces | sort "default" | unique "name" | attr "name"')
$ sudo nomad agent -dev -network-interface $DEFAULT_IFACE
```
Alternatively if you know the network interface Nomad should use:
```sh
$ sudo nomad agent -dev -network-interface eth0
``` ```
### CNI Plugins ### CNI Plugins
@ -91,7 +80,7 @@ $ sudo tar -C /opt/cni/bin -xzf cni-plugins.tgz
## Run the Connect-enabled Services ## Run the Connect-enabled Services
Once Nomad and Consul are running submit the following Connect-enabled services Once Nomad and Consul are running, submit the following Connect-enabled services
to Nomad by copying the HCL into a file named `connect.nomad` and running: to Nomad by copying the HCL into a file named `connect.nomad` and running:
`nomad run connect.nomad` `nomad run connect.nomad`
@ -122,7 +111,7 @@ to Nomad by copying the HCL into a file named `connect.nomad` and running:
group "dashboard" { group "dashboard" {
network { network {
mode ="bridge" mode = "bridge"
port "http" { port "http" {
static = 9002 static = 9002
to = 9002 to = 9002
@ -222,7 +211,9 @@ a host network interface. The `to = 9002` parameter forwards that host port to
port 9002 inside the network namespace. port 9002 inside the network namespace.
This allows you to connect to the web frontend in a browser by visiting This allows you to connect to the web frontend in a browser by visiting
`http://<host_ip>:9002`. `http://<host_ip>:9002` as show below:
[![Count Dashboard][count-dashboard]][count-dashboard]
The web frontend connects to the API service via Consul Connect: The web frontend connects to the API service via Consul Connect:
@ -263,13 +254,16 @@ dashes (`-`) are converted to underscores (`_`) in environment variables so
## Limitations ## Limitations
Prior to Nomad 0.10.0's final release, the Consul Connect integration has - The `consul` binary must be present in Nomad's `$PATH` to run the Envoy
several limitations that have yet to be addressed: proxy sidecar on client nodes.
- Consul Connect Native is not yet supported.
- Jobs with a `connect` stanza may not update properly. Workaround this by - Consul Connect HTTP and gRPC checks are not yet supported.
stopping and starting Connect-enabled jobs. - Consul ACLs are not yet supported.
- Only the Docker, exec, and raw exec drivers support network namespaces and - Only the Docker, exec, and raw exec drivers support network namespaces and
Connect. Connect.
- Not all Connect configuration options in Consul are available in Nomad. - Variable interpolation for group services and checks are not yet supported.
- The Envoy proxy is not yet configurable and is hardcoded to use 100 MHz of
cpu and 300 MB of memory.
[count-dashboard]: /assets/images/count-dashboard.png
[download]: https://releases.hashicorp.com/nomad/0.10.0-connect1/
[hashiconfeu]: https://hashiconfeu.hashicorp.com/schedule/service-mesh-with-consul-connect-and-nomad-0.10

2
website/source/layouts/guides.erb
View File

@ -51,7 +51,7 @@
<a href="/guides/integrations/consul-integration/index.html">Consul</a> <a href="/guides/integrations/consul-integration/index.html">Consul</a>
</li> </li>
<li<%= sidebar_current("guides-integrations-consul-connect") %>> <li<%= sidebar_current("guides-integrations-consul-connect") %>>
<a href="/guides/integrations/consul-connect/index.html">Consul Connect <sup>Beta</sup></a> <a href="/guides/integrations/consul-connect/index.html">Consul Connect</a>
</li> </li>
<li<%= sidebar_current("guides-integrations-vault") %>> <li<%= sidebar_current("guides-integrations-vault") %>>
<a href="/guides/integrations/vault-integration/index.html">Vault</a> <a href="/guides/integrations/vault-integration/index.html">Vault</a>