Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: warn about UID overlap between workload and Envoy tproxy #24291

Merged
merged 1 commit into from
Oct 24, 2024
Merged

docs: warn about UID overlap between workload and Envoy tproxy #24291

merged 1 commit into from
Oct 24, 2024

Conversation

tgross
Copy link
Member

@tgross tgross commented Oct 23, 2024
edited
Loading

When using transparent proxy mode with the connect block, the UID of the workload cannot be the same as the UID of the Envoy sidecar (currently 101 in the default Envoy container image).

Fixes: #23508

I'll follow-up with a second PR for the tutorial. Actually, that doesn't fit in the tutorial format.

@tgross tgross added theme/docs Documentation issues and enhancements theme/consul/connect Consul Connect integration backport/ent/1.8.x+ent Changes are backported to 1.8.x+ent backport/1.8.x backport to 1.8.x release line backport/1.9.x backport to 1.9.x release line labels Oct 23, 2024
gulducat
gulducat approved these changes Oct 23, 2024
View reviewed changes
Copy link
Member

@gulducat gulducat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

website/content/docs/integrations/consul/service-mesh.mdx Outdated
@@ -159,6 +159,7 @@ Using transparent proxy has several important requirements:
`client_addr`).
* The Consul agent must be configured with [`recursors`][] if you want
allocations to make DNS queries for applications outside the service mesh.
* Your workload's task cannot use the same UID as the Envoy sidecar proxy.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

worth linking to the uid parameter on the jobspec page, to connect the dots across documents? it also specifies the default "101" there, which might be a nice detail to know for someone who hits this situation.

@tgross
docs: warn about UID overlap between workload and Envoy tproxy
851e44c 
When using transparent proxy mode with the `connect` block, the UID of the
workload cannot be the same as the UID of the Envoy sidecar (currently 101 in
the default Envoy container image).

Fixes: #23508
@tgross tgross merged commit a1ede97 into main Oct 24, 2024
15 checks passed
@tgross tgross deleted the docs-tproxy-uids branch October 24, 2024 12:45
This was referenced Oct 24, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gulducat gulducat gulducat approved these changes

@aimeeu aimeeu Awaiting requested review from aimeeu

Assignees
No one assigned
Labels
backport/ent/1.8.x+ent Changes are backported to 1.8.x+ent backport/1.8.x backport to 1.8.x release line backport/1.9.x backport to 1.9.x release line theme/consul/connect Consul Connect integration theme/docs Documentation issues and enhancements
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Envoy proxy as main task doesn't work correctly in Consul transparent proxy mode
2 participants
@tgross @gulducat