connect: set consul TLS options on envoy bootstrap #7602

Merged: 1 commit into master from b-connect-bootstrap-tls-config, Apr 3, 2020

Conversation

@shoenig (Member) commented Apr 2, 2020

Fixes #6594 #6711 #6714 #7567

e2e testing is still TBD in #6502

Before, we only passed the Nomad agent's configured Consul HTTP
address onto the `consul connect envoy ...` bootstrap command.
This meant any Consul setup with TLS enabled would not work with
Nomad's Connect integration.

This change now sets CLI args and Environment Variables for
configuring TLS options for communicating with Consul when doing
the envoy bootstrap, as described in
https://www.consul.io/docs/commands/connect/envoy.html#usage

@shoenig (Member, Author) commented Apr 2, 2020

Demo

```hcl
# consul.hcl
log_level = "INFO"
data_dir  = "/tmp/consul"

server           = true
bootstrap_expect = 1
advertise_addr   = "127.0.0.1"

addresses {
  https = "0.0.0.0"
}

ports {
  http  = -1
  https = 8501
  grpc  = 8502
}

connect {
  enabled = true
}

verify_incoming        = true
verify_outgoing        = true
verify_server_hostname = true

ca_file   = "consul-agent-ca.pem"
cert_file = "dc1-server-consul-0.pem"
key_file  = "dc1-server-consul-0-key.pem"

auto_encrypt {
  allow_tls = true
}
```
```hcl
# nomad.hcl
log_level = "INFO"
data_dir  = "/tmp/nomad-client"

client {
  enabled = true
}

server {
  enabled          = true
  bootstrap_expect = 1
}

consul {
  ssl        = true
  verify_ssl = false
  address    = "127.0.0.1:8501"
  ca_file    = "consul-agent-ca.pem"
  cert_file  = "dc1-client-consul-0.pem"
  key_file   = "dc1-client-consul-0-key.pem"
}
```
```shell
consul agent -config-file=consul.hcl
sudo nomad agent -dev-connect -config=nomad.hcl
nomad job init -connect -short
nomad job run example.nomad
```

The jobs don't die now!

```
Allocations
ID        Node ID   Task Group  Version  Desired  Status   Created    Modified
43e1856b  6211908b  dashboard   0        run      running  2m57s ago  2m45s ago
870e1426  6211908b  api         0        run      running  2m57s ago  2m45s ago
```
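The description above says the fix passes the Nomad agent's Consul TLS settings to `consul connect envoy -bootstrap` as CLI flags and `CONSUL_*` environment variables, and the demo's `nomad.hcl` shows one such setting, `verify_ssl = false`, that keeps the bootstrap from checking Consul's server certificate. The following Go program is an added example, not Nomad's code, that models that mapping: it takes the demo's consul stanza as a struct, derives the flags (`-ca-file`, `-client-cert`, `-client-key`, which are the TLS flags the Consul docs list for `consul connect envoy`) and the `CONSUL_HTTP_SSL` / `CONSUL_HTTP_SSL_VERIFY` variables, and lints for a lone cert or key file, TLS files with `ssl = false`, and the unverified-server case. The `ConsulTLS` type, the function names, and the gRPC address and proxy ID used in `main` are assumptions for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// ConsulTLS holds the fields of the Nomad agent's `consul { ... }` stanza that
// matter when bootstrapping the Envoy sidecar. It is an illustrative type for
// this example, not Nomad's own configuration struct.
type ConsulTLS struct {
	Address   string // host:port of the Consul HTTP(S) API
	SSL       bool   // consul.ssl
	VerifySSL bool   // consul.verify_ssl
	CAFile    string // consul.ca_file
	CertFile  string // consul.cert_file
	KeyFile   string // consul.key_file
}

// DemoConfig reproduces the consul stanza of the demo's nomad.hcl above.
func DemoConfig() ConsulTLS {
	return ConsulTLS{
		Address:   "127.0.0.1:8501",
		SSL:       true,
		VerifySSL: false,
		CAFile:    "consul-agent-ca.pem",
		CertFile:  "dc1-client-consul-0.pem",
		KeyFile:   "dc1-client-consul-0-key.pem",
	}
}

// Hardened returns the same config with server certificate verification on.
// Because ca_file already points at the Consul CA, nothing else has to change.
func Hardened(c ConsulTLS) ConsulTLS {
	c.VerifySSL = true
	return c
}

// BootstrapArgs builds the argument list for `consul connect envoy -bootstrap`.
// -ca-file, -client-cert and -client-key are the TLS flags documented for that
// subcommand; grpcAddr and proxyID are per-sidecar values the caller already
// knows (the values passed from main are made up for this example).
func BootstrapArgs(c ConsulTLS, grpcAddr, proxyID string) []string {
	args := []string{
		"connect", "envoy",
		"-grpc-addr", grpcAddr,
		"-http-addr", c.Address,
		"-proxy-id", proxyID,
		"-bootstrap",
	}
	appendIfSet := func(flag, val string) {
		if val != "" {
			args = append(args, flag, val)
		}
	}
	appendIfSet("-ca-file", c.CAFile)
	appendIfSet("-client-cert", c.CertFile)
	appendIfSet("-client-key", c.KeyFile)
	return args
}

// BootstrapEnv returns the CONSUL_* variables the Consul CLI reads for the
// settings that have no dedicated flag on `consul connect envoy`.
func BootstrapEnv(c ConsulTLS) []string {
	return []string{
		fmt.Sprintf("CONSUL_HTTP_SSL=%t", c.SSL),
		fmt.Sprintf("CONSUL_HTTP_SSL_VERIFY=%t", c.VerifySSL),
	}
}

// Lint reports combinations that cannot work or that silently weaken the TLS
// connection between the bootstrap command and Consul. An empty result is good.
func Lint(c ConsulTLS) []string {
	var findings []string
	if (c.CertFile == "") != (c.KeyFile == "") {
		findings = append(findings, "cert_file and key_file must be set together; a Consul agent with verify_incoming = true rejects requests without a client certificate")
	}
	if !c.SSL && (c.CAFile != "" || c.CertFile != "") {
		findings = append(findings, "TLS files are configured but ssl = false, so they are never used")
	}
	if c.SSL && !c.VerifySSL {
		findings = append(findings, "verify_ssl = false: the bootstrap accepts any certificate Consul presents; set verify_ssl = true and keep ca_file pointing at the Consul CA")
	}
	return findings
}

func main() {
	for _, c := range []ConsulTLS{DemoConfig(), Hardened(DemoConfig())} {
		fmt.Println("consul", strings.Join(BootstrapArgs(c, "127.0.0.1:8502", "api-sidecar-proxy"), " "))
		fmt.Println("env:", strings.Join(BootstrapEnv(c), " "))
		for _, f := range Lint(c) {
			fmt.Println("warning:", f)
		}
		fmt.Println()
	}
}
```

Run as-is it prints the command line and environment for the demo stanza, flags the `verify_ssl = false` case, and then shows the hardened stanza producing `CONSUL_HTTP_SSL_VERIFY=true` with no findings. With `verify_incoming = true` on the Consul side, as in the demo's `consul.hcl`, the client cert and key are required rather than optional, which is why the lint treats a lone `cert_file` or `key_file` as an error rather than a warning.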

@tgross (Member) left a comment


LGTM 👍

@shoenig shoenig merged commit 222886e into master Apr 3, 2020
@shoenig shoenig deleted the b-connect-bootstrap-tls-config branch April 3, 2020 14:50
notnoop pushed a commit that referenced this pull request Apr 9, 2020
connect: set consul TLS options on envoy bootstrap
picatz added a commit to picatz/terraform-google-nomad that referenced this pull request Jul 27, 2020
Should have Nomad and Consul deployed and configured with mTLS. ACLs are currently not enabled on Consul, only Nomad.

This should provide the minimal working example using mTLS to get the count dashboard working after a ton of tinkering. 😭

The links I used during my investigation/debugging session:
* hashicorp/nomad#6463
* https://learn.hashicorp.com/nomad/consul-integration/nomad-connect-acl#run-a-connect-enabled-job
* hashicorp/nomad#6594
* hashicorp/nomad#4276
* hashicorp/nomad#7715
* https://www.consul.io/docs/agent/options
⭐ * hashicorp/nomad#7602
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 11, 2023
Successfully merging this pull request may close these issues.

Nomad Connect doesn't manage TLS Consul endpoints