Add support for Consul Connect enabled services #517

Open
artyomturkin opened this issue Jun 29, 2018 · 12 comments

@artyomturkin

Allow dynamic exposure of Connect enabled services (with proxy or native) to clients that do not or can not support Connect themselves.

As it should be the best practice to set the wildcard intention to deny, exposed services can be sourced from intents that allow fabio to connect to a specific service. Additional metadata can then be discovered as usual.

@aaronhurt
Member

I'm not exactly sure what you are wanting fabio to do with Connect enabled services. Are you wanting them to be added as straight TCP proxy targets?

@artyomturkin
Author

Connect helps us to secure services with mTLS that do not use TLS themselves. But because of this, Fabio cannot connect to them to expose them.

Right now the workaround is to run Connect alongside Fabio and manually configure all the services locally in Connect and Fabio. One of the best parts of Fabio is autoconfiguration from discovery systems, but this does not work with Connect-enabled services.

If Fabio is natively Connect-enabled, automatic configuration will be possible and the connection from Fabio to the backend service will be highly secure.

How to expose them (TCP or HTTP) can be determined as usual through Consul tags or metadata.

@nutbunnies

Our shop would like to use connect to avoid having to update each service to use TLS as well. Anyone working on this or have an implementation design in mind? I have some free cycles to code a solution or test someone's branch.

@aaronhurt
Member

@nutbunnies @artyomturkin I definitely think this is something we want to support and after doing more reading on connect I can see the benefit, especially in public cloud environments.

I believe there is also overlap at some level between this request and #566

@aaronhurt
Member

The Consul has been updated to v1.4.0 (first release with connect out of beta) in #571. If anyone is wanting to work on adding this support it should now be available in the current vendored library version.

@zaquestion

@leprechau have there been any new developments? Looking to use fabio as the public ingress for a consul connect based service mesh. As @artyomturkin mentions working around isn't that bad, but a native integration is preferred. I'm happy to help out as integration should be fairly straightforward.

The heavy lifting can be done using https://www.consul.io/docs/connect/native/go.html and hopefully makes this largely a wiring problem. Any guidance to kick off development would be appreciated (I have admittedly limited fabio exposure until recently, but excited to get away from nginx ;) )

@fagurto

fagurto commented May 17, 2019

Is there any example of the "workaround" to be able to have fabio load balance Connect-based services? Looking to do the same as @zaquestion.

@danlsgiga
Contributor

Also interested in the "workaround"!

@artyomturkin
Author

artyomturkin commented Jun 12, 2019

Workaround:

  • start consul connect and bind required upstream services to ports (ex: service-a :8000)
  • start fabio with manual routes (ex: route add service-a /product http://localhost:8000)

P.S. I did not try this with fabio, I used this trick with Traefik.
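
The two steps of the workaround above, rendered as commands by an added example that is not part of the comment or of fabio. The Consul service name `fabio`, the `name:port:path` spec format and the second sample service are assumptions; the script only prints a plan and runs nothing.

```shell
#!/bin/sh
# Added example: print the commands for the Connect + manual-route workaround.
PROXY_SVC=fabio   # assumed Consul service name for the fabio host's proxy

# Parse one "name:port:path" spec (format constructed for this example).
# Sets $name, $port and $path; returns non-zero on malformed input.
check_spec() {
  name=${1%%:*}; rest=${1#*:}; port=${rest%%:*}; path=${rest#*:}
  case "$name" in ''|*[!a-z0-9-]*) return 1 ;; esac
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  case "$path" in /*) ;; *) return 1 ;; esac
}

# Print, in order: one allow intention per upstream (for a mesh whose
# wildcard intention is deny), a single proxy command that binds every
# upstream to a local port, and the matching fabio manual routes.
render_plan() {
  [ $# -gt 0 ] || return 1
  upstreams=""; routes=""; intents=""; seen=" "
  for spec in "$@"; do
    check_spec "$spec" || { echo "bad spec: $spec" >&2; return 1; }
    # Two upstreams cannot share one local listener port.
    case "$seen" in *" $port "*) echo "port $port reused" >&2; return 1 ;; esac
    seen="$seen$port "
    intents="${intents}consul intention create -allow $PROXY_SVC $name
"
    upstreams="$upstreams -upstream $name:$port"
    routes="${routes}route add $name $path http://localhost:$port
"
  done
  printf '%s' "$intents"
  printf 'consul connect proxy -service %s%s\n' "$PROXY_SVC" "$upstreams"
  printf '%s' "$routes"
}

# Constructed sample input: service-a comes from the comment, service-b is made up.
render_plan service-a:8000:/product service-b:8001:/cart
```

The local upstream listeners are plaintext, so any process on the fabio host can reach the backend through them under the proxy's identity; restrict local access to those ports accordingly.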

@tristanmorgan
Member

Would it be possible to use Connect native integration like what https://github.com/hashicorp/nomad-connect-examples/ does? We would need to add it as another target type.

@evandam

evandam commented Jan 26, 2021

Are there any updates with this issue? I'm looking to expose services using Consul Connect to Fabio but there doesn't seem to be a good way to do this.

@ketzacoatl

@evandam, looking over the list of branches and pull requests in the repo, I don't see anything about Consul Connect, so I would guess there isn't an existing effort under development. If this is important to you, perhaps you would be interested in creating a PR for that, or funding a developer to do so for you?
