Global ACL tokens are required for Consul Connect when using local mesh gateways #7381
Comments
Hi, just found out about this opening hashicorp/nomad#8063, would it be possible to fix at least the local mode of gateways right now? We're using connect with nomad and we're thinking about federating our consul clusters but we don't want nomad to stop working (can't start new allocations) if the primary DC is not reachable. Nomad right now, when starting new allocations, requests a global token from consul.
@jorgemarey There are two things at work in secondary DCs to make the primary DC's unreachability less of a concern. First is that you can enable token replication in the secondary DC ( Second is that client agents and servers without token replication enabled will cache the results of token resolution. How long they live depends on the value of the The core problem here is that the mesh-gateway setup requires making RPC requests to the other DCs to discover other mesh-gateways running in those DCs. Local tokens such as those created by auth-methods and We have been exploring alternative ways of doing multi-dc federation especially for ACLs to get around these problems. Right now there isn't anything to report on those efforts but the problem is something the team is aware of and trying to find a solution for.
Hi folks, Consul Kubernetes PM here doing some research on this feature request related to using Mesh Gateways in local mode for cross datacenter service communication. I would love to chat with you about your use case for mesh gateways, feedback around ACLs, and would also love to understand the architecture of your Consul deployment.
Hi, any updates on this? Just saw this comment on the nomad issue: hashicorp/nomad#8063 (comment)
Overview of the Issue
A sidecar proxy using a local ACL token will not be able to route to another dc's connect service even if mesh gateways are in local mode.
The following will be logged on the Consul client:
This is a particular issue in Kubernetes because we use consul login to create our tokens and this always returns a local token.
Reproduction Steps
Suggested Solution
We should short-circuit where we iterate over the upstreams and start blocking queries:
consul/agent/proxycfg/state.go, lines 263 to 317 in e83fb18
Instead we should check if we're using local gateways and not make these calls. The results of these calls are discarded later if using local mesh gateways, so we don't need them.
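The short-circuit described above, written out as an added, self-contained model (not Consul's own code from agent/proxycfg/state.go): the upstream, watch and gateway-mode types here are constructed stand-ins, and planUpstreamWatches is a hypothetical name. It shows which blocking queries a sidecar would start for each upstream, and that a remote-DC upstream routed through a local mesh gateway never needs the cross-DC query that a local token cannot authorize.

```go
package main

import "fmt"

// Constructed stand-ins for the proxycfg state machine's inputs; they are not
// Consul's own types (those live in agent/proxycfg and agent/structs).
type MeshGatewayMode string

const (
	MeshGatewayNone   MeshGatewayMode = "none"
	MeshGatewayLocal  MeshGatewayMode = "local"
	MeshGatewayRemote MeshGatewayMode = "remote"
)

// Upstream is one upstream entry from a sidecar proxy's registration.
type Upstream struct {
	Name        string
	Datacenter  string          // empty means "same DC as the sidecar"
	GatewayMode MeshGatewayMode // how traffic to a remote DC should be routed
}

// Watch is one blocking query the state machine would start for an upstream.
type Watch struct {
	Kind       string // "service-instances" or "mesh-gateways"
	Upstream   string
	Datacenter string // DC the query is answered by
	CrossDC    bool   // true when the RPC is forwarded to another DC, which a local token cannot authorize
}

// planUpstreamWatches models the iteration over upstreams that the issue
// points at, with the proposed short-circuit applied: a remote-DC upstream
// routed through a local mesh gateway gets only a same-DC gateway watch, and
// the remote-DC service-instance query (whose result would be discarded
// anyway) is never issued.
func planUpstreamWatches(localDC string, upstreams []Upstream) []Watch {
	watches := make([]Watch, 0, len(upstreams))
	for _, u := range upstreams {
		dc := u.Datacenter
		if dc == "" {
			dc = localDC
		}
		switch {
		case dc == localDC:
			// Same-DC upstream: answered by the local servers, a local token is fine.
			watches = append(watches, Watch{Kind: "service-instances", Upstream: u.Name, Datacenter: dc})
		case u.GatewayMode == MeshGatewayLocal:
			// Proposed short-circuit: only this DC's mesh gateways are needed.
			watches = append(watches, Watch{Kind: "mesh-gateways", Upstream: u.Name, Datacenter: localDC})
		default:
			// Remote or no gateway: the query must be forwarded to the remote DC.
			// This is the case the issue's "Future" section leaves for a different fix.
			watches = append(watches, Watch{Kind: "service-instances", Upstream: u.Name, Datacenter: dc, CrossDC: true})
		}
	}
	return watches
}

// requiresGlobalToken reports whether any planned watch would be rejected
// when the sidecar's token is a local one (for example from consul login).
func requiresGlobalToken(watches []Watch) bool {
	for _, w := range watches {
		if w.CrossDC {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample registration for a sidecar running in dc1.
	upstreams := []Upstream{
		{Name: "db"},                                                    // same DC
		{Name: "api", Datacenter: "dc2", GatewayMode: MeshGatewayLocal},  // cross-DC via local gateway
		{Name: "cache", Datacenter: "dc2", GatewayMode: MeshGatewayRemote}, // cross-DC via remote gateway
	}
	plan := planUpstreamWatches("dc1", upstreams)
	for _, w := range plan {
		fmt.Printf("%-18s upstream=%-6s dc=%s crossDC=%v\n", w.Kind, w.Upstream, w.Datacenter, w.CrossDC)
	}
	fmt.Println("needs global token:", requiresGlobalToken(plan))
}
```

With only same-DC and local-gateway-mode upstreams the plan contains no cross-DC watch, so a local token suffices; the remote-mode upstream is what still forces a global token.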
Future
In order to use mesh gateways in remote mode or to use tokens from consul login to make cross-dc calls, we need another solution. We could make the consul login tokens global, but then login would require the primary DC to be available. A better long-term solution would be to federate trust such that locally minted tokens can be trusted globally.