connect: use heuristic to detect sidecar task driver

[shoenig]

This PR adds a heuristic to detect whether to use the podman task driver
for the connect sidecar proxy. The podman driver will be selected if there
is at least one task in the task group configured to use podman, and there
are zero tasks in the group configured to use docker. In all other cases
the task driver defaults to docker.

After this change, we should be able to run typical Connect jobspecs
(e.g. nomad job init [-short] -connect) on Clusters configured with the
podman task driver, without modification to the job files.

Closes #17042

[shoenig]

Spot check

nomad agent config

server {
  enabled = true
}

client {
  enabled = true

  options = {
    driver.allowlist = "podman"
  }
}

plugin_dir = "/home/shoenig/Go/podman/build"

plugin "nomad-driver-podman" {
}

job file

job "podcon" {

  group "api" {
    network {
      mode = "bridge"
    }

    service {
      name = "count-api"
      port = "9001"

      connect {
        sidecar_service {}
      }
    }

    task "web" {
      driver = "podman"

      config {
        image = "docker.io/hashicorpdev/counter-api:v3"
      }
    }
  }

  group "dashboard" {
    network {
      mode = "bridge"

      port "http" {
        static = 9002
        to     = 9002
      }
    }

    service {
      name = "count-dashboard"
      port = "9002"

      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "count-api"
              local_bind_port  = 8080
            }
          }
        }
      }
    }

    task "dashboard" {
      driver = "podman"

      env {
        COUNTING_SERVICE_URL = "http://${NOMAD_UPSTREAM_ADDR_count_api}"
      }

      config {
        image = "docker.io/hashicorpdev/counter-dashboard:v3"
      }
    }
  }
}

start nomad and consul

➜ consul agent -dev
➜ sudo nomad agent -dev-connect -config=/home/shoenig/Work/agent.mix.hcl

plan is ok

➜ nomad job plan podcon.hcl
+ Job: "podcon"
+ Task Group: "api" (1 create)
  + Task: "connect-proxy-count-api" (forces create)
  + Task: "web" (forces create)

+ Task Group: "dashboard" (1 create)
  + Task: "connect-proxy-count-dashboard" (forces create)
  + Task: "dashboard" (forces create)

Scheduler dry-run:
- All tasks successfully allocated.

Job Modify Index: 0
To submit the job with version verification run:

nomad job run -check-index 0 podcon.hcl

When running the job with the check-index flag, the job will only be run if the
job modify index given matches the server-side version. If the index has
changed, another user has modified the job and the plan's results are
potentially invalid.

deployment ok

➜ nomad job run podcon.hcl
==> 2023-05-02T21:15:18Z: Monitoring evaluation "859d0de3"
    2023-05-02T21:15:18Z: Evaluation triggered by job "podcon"
    2023-05-02T21:15:19Z: Evaluation within deployment: "35a39ae8"
    2023-05-02T21:15:19Z: Allocation "7ff9e075" created: node "4d26c0cf", group "api"
    2023-05-02T21:15:19Z: Allocation "b3b163c5" created: node "4d26c0cf", group "dashboard"
    2023-05-02T21:15:19Z: Evaluation status changed: "pending" -> "complete"
==> 2023-05-02T21:15:19Z: Evaluation "859d0de3" finished with status "complete"
==> 2023-05-02T21:15:19Z: Monitoring deployment "35a39ae8"
  ✓ Deployment "35a39ae8" successful

    2023-05-02T21:15:30Z
    ID          = 35a39ae8
    Job ID      = podcon
    Job Version = 0
    Status      = successful
    Description = Deployment completed successfully

    Deployed
    Task Group  Desired  Placed  Healthy  Unhealthy  Progress Deadline
    api         1        1       1        0          2023-05-02T21:25:29Z
    dashboard   1        1       1        0          2023-05-02T21:25:29Z

[lgfa29]

After this change, we should be able to run typical Connect jobspecs
(e.g. nomad job init [-short] -connect) on Clusters configured with the
podman task driver, without modification to the job files.

🥳

[lgfa29]

It's a simple function, so I hate to bikeshed on it 😅

But I found this logic a bit confusing to grok at first. I think we could instead have a task driver counter map and then something like this so it more explicitly matches the function docstring:

if numTasks["podman"] > 1 && numTasks["docker"] == 0 {
  return "podman"
}

return "docker"

[shoenig]

How about

func groupConnectGuessTaskDriver(g *structs.TaskGroup) string {
    drivers := set.FromFunc(g.Tasks, func(t *structs.Task) string {
        return t.Driver
    })
    if drivers.Contains("podman") && !drivers.Contains("docker") {
        return "podman"
    }
    return "docker"
}

[lgfa29]

Would it be worth adding a docsting to connectSidecarDriverConfig() to note that it should be compatible with Docker and Podman?

Or maybe even pass the driver choice here. It can be ignored in the current implementation, but may be handy if there are conflicting configs between the drivers or we add support for other plugins.

[shoenig]

Added a comment; with a note about passing in the parameter one day if needed

[schmichael]

Is there a doc we could update? Maybe https://developer.hashicorp.com/nomad/docs/integrations/consul-connect or https://developer.hashicorp.com/nomad/docs/job-specification/sidecar_task ?

[shoenig]

Is there a doc we could update

yeah, let me cover that in another PR along with an e2e test