consul/connect: add initial support for ingress gateways

[shoenig]

This PR adds initial support for running Consul Connect Ingress Gateways (CIGs) in Nomad. These gateways are declared as part of a task group level service definition within the connect stanza.

service {
  connect {
    gateway {
      proxy {
        // envoy proxy configuration
      }
      ingress {
        // ingress-gateway configuration entry
      }
    }
  }
}

A gateway can be run in bridge or host networking mode, with the caveat that host networking necessitates manually specifying the Envoy admin listener (which cannot be disabled) via the service port value.

Currently Envoy is the only supported gateway implementation in Consul, and Nomad only supports running Envoy as a gateway using the docker driver.

When the gateway.ingress field is set, Nomad will write/update the Configuration Entry into Consul on job submission. Because Configurations are global in Consul scope and there may be more than one Nomad cluster communicating with Consul, there is an assumption that any ingress gateway defined in Nomad for a particular service will be the same among Nomad clusters. Consul may provide a mechanism for more fine-grained control over Configuration Entries in the future.

Gateways require Consul 1.8.0+, checked by an additional constraint.

Aims to address #8294 and tangentially #8647

[shoenig]

Still TODO

• e2e testing
• confirm consul ACLs interop
• add examples to nomad-connect-demos
  • https://github.com/hashicorp/nomad-connect-examples/pull/6/files
• changelog

[schmichael]

Will finish up tomorrow

[schmichael]

If we can use the "pick a random port and write it to a file" trick then we can mention that filename here in a note instead of this big warning.

[schmichael]

Since this is bound on localhost we don't have to reserve a port and instead could bind to 127.0.0.1:0, let the OS pick a free port, and have Envoy write that to a file with -admin-address-path: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#cmdoption-admin-address-path

[schmichael]

Suggested change

	var bindAddresses map[string]*structs.ConsulGatewayBindAddress = nil
	var bindAddresses map[string]*structs.ConsulGatewayBindAddress

[schmichael]

Is there a risk of this getting emitted at shutdown?

I can try to determine that but need to stop for the day.

Update: Ah, it will get emitted to the remote caller which is useful! I was worried it would spew error messages to the agent's log at shutdown which gets scary and confusing for operators.

[nickethier]

I think the implementation here looks solid!

[nickethier]

Suggested change

	"-admin-bind", e.envoyAdminBind, // bleh
	"-admin-bind", e.envoyAdminBind,

[nickethier]

Should this be a WithTimeout? I guess the consul client may already have a built in timeout, just thinking about blocking job submission forever if Consul is not responding.

[schmichael]

Yeah, even if it's high (30 seconds? 1 minute?), dying with a 500 seems preferable to hanging until the user presses Ctrl-C and wonders what state things are in.

[nickethier]

might be able to remove this

[nickethier]

Suggested change

	//// config blocks. Interprets nil and {} as the same.
	// config blocks. Interprets nil and {} as the same.

[waszi]

I have tried to setup ingress gateway with wildcard, but I get error:

job "ingress" {
  datacenters = ["dc1"]

  constraint {
    attribute = "${attr.unique.hostname}"
    operator = "regexp"
    value = "^lb0[0-9]$"
  }

  group "ingress-group" {
    network {
      mode = "bridge"
      port "inbound" {
        static = 8080
      }
    }

    service {
      name = "ingress-service"
      port = "8080"

      connect {
        gateway {
          proxy {
            connect_timeout = "500ms"
          }
          ingress {
            tls {
              enabled = false
            }
            listener {
              port = 8080
              protocol = "http"
              service {
                name = "*"
              }
            }
          }
        }
      }
    }
  }
}

Error submitting job: Unexpected response code: 500 (rpc error: rpc error: 1 error occurred:
	* Task group ingress-group validation failed: 1 error occurred:
	* Task group service validation failed: 1 error occurred:
	* Service[0] ingress-service validation failed: 1 error occurred:
	* Consul Ingress Service requires one or more hosts when using HTTP protocol

My goal is to have similar configuration to traefik/fabio.

1. "Export" everything using wildcard SERVICE.mydomain.com -> SERVICE
   or
2. Configure each service individually but configuration should be in each job separately.

[shoenig]

Hi @waszi, sorry I just noticed this. We're you able to resolve the problem? Or if not, could you open a new issue to report it?

[github-actions]

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.