Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

consul/connect: Add support for Connect terminating gateways #9829

Merged
merged 3 commits into from
Jan 25, 2021
Merged

consul/connect: Add support for Connect terminating gateways #9829

merged 3 commits into from
Jan 25, 2021

Conversation

shoenig
Copy link
Member

@shoenig shoenig commented Jan 15, 2021

This PR implements Nomad built-in support for running Consul Connect
terminating gateways. Such a gateway can be used by services running
inside the service mesh to access "legacy" services outside the mesh
while still making use of Consul's service identity based networking and
ACL policies.

https://www.consul.io/docs/connect/gateways/terminating-gateway

These gateways are declared as part of a task group level service
definition within the connect stanza.

service {
  connect {
    gateway {
      proxy {
        // envoy proxy configuration
      }
      terminating {
        // terminating-gateway configuration entry
      }
    }
  }
}

Currently Envoy is the only supported gateway implementation in
Consul. The gateway task can be customized by configuring the
connect.sidecar_task block or meta.connect.gateway_image
client attribute.

When the gateway.terminating field is set, Nomad will write/update
the Configuration Entry into Consul on job submission. Because CEs
are global in scope and there may be more than one Nomad cluster
communicating with Consul, there is an assumption that any terminating
gateway defined in Nomad for a particular service will be the same
among Nomad clusters.

Gateways require Consul 1.8.0+, checked by a node constraint.

Closes #9445

@vercel vercel bot temporarily deployed to Preview – nomad-storybook-and-ui January 15, 2021 16:06 Inactive
@shoenig shoenig marked this pull request as ready for review January 15, 2021 17:29
@vercel vercel bot temporarily deployed to Preview – nomad-storybook-and-ui January 21, 2021 14:12 Inactive
drewbailey
drewbailey reviewed Jan 21, 2021
View reviewed changes
nomad/consul.go
return c.setCE(ctx, convertTerminatingCE(service, entry))
}

// also mesh
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// also mesh

tgross
tgross approved these changes Jan 21, 2021
View reviewed changes
Copy link
Member

@tgross tgross left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great @shoenig! A heck of a lot of work to plumb this all in!

I've left a few comments and questions, but nothing that should be blocking.

contributing/checklist-jobspec.md
@@ -2,21 +2,25 @@

## Code
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for bringing this up-to-date!

nomad/structs/connect.go Show resolved Hide resolved
api/services.go Show resolved Hide resolved
nomad/job_endpoint.go Outdated
return err
}
}
for service, entry := range entries.Terminating {
fmt.Println("SH JE set terminating CE", service)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like we missed a leftover debug message

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

command/agent/consul/connect.go Show resolved Hide resolved
nomad/job_endpoint_hook_connect.go
// networking is being used the network_mode driver configuration is set here.
func connectGatewayDriverConfig(hostNetwork bool) map[string]interface{} {
m := map[string]interface{}{
"image": envoy.GatewayConfigVar,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like the only value besides the network mode that's different between the gateway task config and the sidecar task config... but the docs suggest that the same sidecar_task {} block is used for either. So I can't figure out where this value is coming from?

Copy link
Member Author

@shoenig shoenig Jan 22, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The config var variables represent meta.sidecar_image and meta.gateway_image for when configuring a sidecar or gateway image through client configuration (leaving room for them to be different). When setting the task in jobspec, sidecar_task serves double duty since only 1 of sidecar_service or gateway can be configured per connect block. In retrospect, sidecar_task would have been better named connect_task or similar . (The other alternative would be duplicating the sidecar_task plumbing just to have another field named gateway_task).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aye, that all makes sense. It's probably worth spelling some of these details out in the documentation before we ship, just so that the relationship between those configuration values is super-clear.

@vercel vercel bot temporarily deployed to Preview – nomad-storybook-and-ui January 22, 2021 16:19 Inactive
@vercel vercel bot temporarily deployed to Preview – nomad January 22, 2021 16:19 Inactive
@vercel vercel bot temporarily deployed to Preview – nomad-storybook-and-ui January 22, 2021 16:41 Inactive
@vercel vercel bot temporarily deployed to Preview – nomad January 22, 2021 16:41 Inactive
nickethier
nickethier approved these changes Jan 25, 2021
View reviewed changes
Copy link
Member

@nickethier nickethier left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks really good and I especially like the code cleanup/tidiness done throughout.

One general question I had that shouldn't hold up this PR is if we could show an example of integrating with vault's pki backend to pull the ca and maybe the cert and key too for mutual tls. Maybe thats better saved for a learn guide though. Thoughts?

@vercel vercel bot temporarily deployed to Preview – nomad January 25, 2021 16:34 Inactive
@vercel vercel bot temporarily deployed to Preview – nomad-storybook-and-ui January 25, 2021 16:34 Inactive
@shoenig
consul/connect: Add support for Connect terminating gateways
ceae8ad 
This PR implements Nomad built-in support for running Consul Connect
terminating gateways. Such a gateway can be used by services running
inside the service mesh to access "legacy" services running outside
the service mesh while still making use of Consul's service identity
based networking and ACL policies.

https://www.consul.io/docs/connect/gateways/terminating-gateway

These gateways are declared as part of a task group level service
definition within the connect stanza.

service {
  connect {
    gateway {
      proxy {
        // envoy proxy configuration
      }
      terminating {
        // terminating-gateway configuration entry
      }
    }
  }
}

Currently Envoy is the only supported gateway implementation in
Consul. The gateay task can be customized by configuring the
connect.sidecar_task block.

When the gateway.terminating field is set, Nomad will write/update
the Configuration Entry into Consul on job submission. Because CEs
are global in scope and there may be more than one Nomad cluster
communicating with Consul, there is an assumption that any terminating
gateway defined in Nomad for a particular service will be the same
among Nomad clusters.

Gateways require Consul 1.8.0+, checked by a node constraint.

Closes #9445
@shoenig
consul/connect: remove debug line
37544ca
@shoenig
consul/connect: copy bind address map if empty
74780f0 
This parameter is now supposed to be non-nil even if
empty, and the Copy method should also maintain that
invariant.
@vercel vercel bot temporarily deployed to Preview – nomad-storybook-and-ui January 25, 2021 16:36 Inactive
@vercel vercel bot temporarily deployed to Preview – nomad January 25, 2021 16:36 Inactive
@shoenig
Copy link
Member Author

shoenig commented Jan 25, 2021

Yeah @nickethier we definitely need learn guides around this and also ingress gateways. It's on my list to get some first drafts written around 1.1

@shoenig shoenig merged commit 9db4663 into master Jan 25, 2021
@shoenig shoenig deleted the f-terminating-gateway branch January 25, 2021 16:56
@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 30, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@tgross tgross tgross approved these changes

@drewbailey drewbailey drewbailey left review comments

@nickethier nickethier nickethier approved these changes

@schmichael schmichael Awaiting requested review from schmichael

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[feature] Add support (and documentation) for consul terminating gateways
4 participants
@shoenig @nickethier @tgross @drewbailey