open-nomad/website/pages/docs/job-specification/connect.mdx
Seth Hoenig 4d71f22a11 consul/connect: add support for running connect native tasks
This PR adds the capability of running Connect Native Tasks on Nomad,
particularly when TLS and ACLs are enabled on Consul.

The `connect` stanza now includes a `native` parameter, which can be
set to the name of the task that backs the Connect Native Consul service.

There is a new Client configuration parameter for the `consul` stanza
called `share_ssl`. Like `allow_unauthenticated` the default value is
true, but recommended to be disabled in production environments. When
enabled, the Nomad Client's Consul TLS information is shared with
Connect Native tasks through the normal Consul environment variables.
This does NOT include auth or token information.

If Consul ACLs are enabled, Service Identity Tokens are automatically
injected into the Connect Native task through the CONSUL_HTTP_TOKEN
environment variable.

Any of the automatically set environment variables can be overridden by
the Connect Native task using the `env` stanza.

Fixes #6083
2020-06-22 14:07:44 -05:00


---
layout: docs
page_title: connect Stanza - Job Specification
sidebar_title: connect
description: The "connect" stanza allows specifying options for Consul Connect integration
---
# `connect` Stanza

<Placement groups={['job', 'group', 'service', 'connect']} />

The `connect` stanza allows configuring various options for
[Consul Connect](/docs/integrations/consul-connect). It is
valid only within the context of a service definition at the task group
level. To use `connect` when Consul ACLs are enabled, be sure to read through
the [Secure Nomad Jobs with Consul Connect](https://learn.hashicorp.com/nomad/consul-integration/nomad-connect-acl)
guide.
```hcl
job "countdash" {
  datacenters = ["dc1"]

  group "api" {
    network {
      mode = "bridge"
    }

    service {
      name = "count-api"
      port = "9001"

      connect {
        sidecar_service {}
      }
    }

    task "web" {
      driver = "docker"

      config {
        image = "hashicorpnomad/counter-api:v2"
      }
    }
  }
}
```
## `connect` Parameters
- `native` - `(string: "")` - If non-empty, the name of the task that backs
  this service, for use with [Connect Native](https://www.consul.io/docs/connect/native)
  applications. Incompatible with `sidecar_service` and `sidecar_task`.
- `sidecar_service` - <code>([sidecar_service][]: nil)</code> - Configures the sidecar
  service injected by Nomad for Consul Connect. Incompatible with `native`.
- `sidecar_task` - <code>([sidecar_task][]: nil)</code> - Modifies the configuration of the Envoy
  proxy task. Incompatible with `native`.
## `connect` Examples
### Using Sidecar Service
The following example is a minimal connect stanza with defaults and is
sufficient to start an Envoy proxy sidecar for allowing incoming connections
via Consul Connect.
```hcl
connect {
  sidecar_service {}
}
```
The following example includes specifying [`upstreams`][upstreams].
```hcl
connect {
  sidecar_service {
    proxy {
      upstreams {
        destination_name = "count-api"
        local_bind_port  = 8080
      }
    }
  }
}
```
The following is the complete `countdash` example. It includes an API service
and a frontend Dashboard service which connects to the API service as a Connect
upstream. Once running, the dashboard is accessible at `localhost:9002`.
```hcl
job "countdash" {
  datacenters = ["dc1"]

  group "api" {
    network {
      mode = "bridge"
    }

    service {
      name = "count-api"
      port = "9001"

      connect {
        sidecar_service {}
      }

      check {
        expose   = true
        type     = "http"
        name     = "api-health"
        path     = "/health"
        interval = "10s"
        timeout  = "3s"
      }
    }

    task "web" {
      driver = "docker"

      config {
        image = "hashicorpnomad/counter-api:v2"
      }
    }
  }

  group "dashboard" {
    network {
      mode = "bridge"

      port "http" {
        static = 9002
        to     = 9002
      }
    }

    service {
      name = "count-dashboard"
      port = "9002"

      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "count-api"
              local_bind_port  = 8080
            }
          }
        }
      }
    }

    task "dashboard" {
      driver = "docker"

      env {
        COUNTING_SERVICE_URL = "http://${NOMAD_UPSTREAM_ADDR_count_api}"
      }

      config {
        image = "hashicorpnomad/counter-dashboard:v2"
      }
    }
  }
}
```
### Using Connect Native
The following example is a minimal connect stanza for a
[Consul Connect Native](https://www.consul.io/docs/connect/native)
application with task name `myTask`.
```hcl
connect {
  native = "myTask"
}
```
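
The following is an added example, not part of the original Nomad documentation, that places the `native` parameter in a full job so the link between the service and its backing task is visible. The job, service and task names, the port and the image are placeholders chosen for illustration.

```hcl
# Added example: every name, the port and the image below are placeholders.
job "native-demo" {
  datacenters = ["dc1"]

  group "api" {
    network {
      mode = "bridge"
    }

    service {
      name = "native-api"
      port = "9001"

      connect {
        # Literal name of the task in this group that backs the service.
        # Interpolation is not supported here (see Limitations), and
        # sidecar_service / sidecar_task must be omitted: both are
        # incompatible with native.
        native = "api-task"
      }
    }

    # The task label is the value referenced by connect.native above.
    task "api-task" {
      driver = "docker"

      config {
        image = "example/connect-native-api:latest" # placeholder image
      }
    }
  }
}
```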
### Limitations
[Nomad variable interpolation][interpolation] is _not_ yet supported.

[job]: /docs/job-specification/job 'Nomad job Job Specification'
[group]: /docs/job-specification/group 'Nomad group Job Specification'
[task]: /docs/job-specification/task 'Nomad task Job Specification'
[interpolation]: /docs/runtime/interpolation 'Nomad interpolation'
[sidecar_service]: /docs/job-specification/sidecar_service 'Nomad sidecar service Specification'
[sidecar_task]: /docs/job-specification/sidecar_task 'Nomad sidecar task config Specification'
[upstreams]: /docs/job-specification/upstreams 'Nomad sidecar service upstreams Specification'
[native]: https://www.consul.io/docs/connect/native.html