configure nomad cluster to use a Consul Namespace [Consul Enterprise] (
fredrikhgrelland authored and roaks3 committed Oct 7, 2020
1 parent 7175035 commit cdb8f4d
Showing 5 changed files with 26 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,7 @@ IMPROVEMENTS:
* api: Added support for cancellation contexts to HTTP API. [[GH-8836](https://github.com/hashicorp/nomad/issues/8836)]
* client: Added support for Azure fingerprinting. [[GH-8979](https://github.com/hashicorp/nomad/issues/8979)]
* client: Updated consul-template to v0.25.0 - config function_blacklist deprecated and replaced with function_denylist [[GH-8988](https://github.com/hashicorp/nomad/pull/8988)]
* consul: Support consul namespace (consul enterprise) in client configuration. [[GH-8849](https://github.com/hashicorp/nomad/pull/8849)]
* driver/docker: Upgrade pause container and detect architecture [[GH-8957](https://github.com/hashicorp/nomad/pull/8957)]
* jobspec: Lowered minimum CPU allowed from 10 to 1. [[GH-8996](https://github.com/hashicorp/nomad/issues/8996)]

9 changes: 9 additions & 0 deletions client/allocrunner/taskrunner/envoybootstrap_hook.go
Expand Up @@ -30,6 +30,7 @@ type consulTransportConfig struct {
CAFile string // optional, arg -ca-file
CertFile string // optional, arg -client-cert
KeyFile string // optional, arg -client-key
Namespace string // optional, only consul Enterprise, env CONSUL_NAMESPACE
// CAPath (dir) not supported by Nomad's config object
}

Expand All @@ -42,6 +43,7 @@ func newConsulTransportConfig(consul *config.ConsulConfig) consulTransportConfig
CAFile: consul.CAFile,
CertFile: consul.CertFile,
KeyFile: consul.KeyFile,
Namespace: consul.Namespace,
}
}

Expand Down Expand Up @@ -416,6 +418,10 @@ func (e envoyBootstrapArgs) args() []string {
arguments = append(arguments, "-client-key", v)
}

if v := e.consulConfig.Namespace; v != "" {
arguments = append(arguments, "-namespace", v)
}

return arguments
}

Expand All @@ -435,6 +441,9 @@ func (e envoyBootstrapArgs) env(env []string) []string {
if v := e.consulConfig.VerifySSL; v != "" {
env = append(env, fmt.Sprintf("%s=%s", "CONSUL_HTTP_SSL_VERIFY", v))
}
if v := e.consulConfig.Namespace; v != "" {
env = append(env, fmt.Sprintf("%s=%s", "CONSUL_NAMESPACE", v))
}
return env
}

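Review bot: The field comment on `Namespace` in consulTransportConfig names only the `CONSUL_NAMESPACE` environment variable, but args() also passes the value as `-namespace`, so the comment understates how the namespace reaches the bootstrap command. I would write it as `Namespace string // optional, Consul Enterprise only, arg -namespace and env CONSUL_NAMESPACE`. Because the namespace selects the Consul tenant the sidecar bootstrap runs against, the new branches in args() and env() deserve test cases for both a set and an empty value; none of the five files listed in this commit is a test file. Both functions start outside the hunks shown.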
1 change: 1 addition & 0 deletions client/allocrunner/taskrunner/template/template.go
Expand Up @@ -624,6 +624,7 @@ func newRunnerConfig(config *TaskTemplateManagerConfig,
if cc.ConsulConfig != nil {
conf.Consul.Address = &cc.ConsulConfig.Addr
conf.Consul.Token = &cc.ConsulConfig.Token
conf.Consul.Namespace = &cc.ConsulConfig.Namespace

if cc.ConsulConfig.EnableSSL != nil && *cc.ConsulConfig.EnableSSL {
verify := cc.ConsulConfig.VerifySSL != nil && *cc.ConsulConfig.VerifySSL
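Review bot: `conf.Consul.Namespace` is assigned unconditionally, so an unset namespace hands the template runner a non-nil pointer to an empty string, while Merge() and ApiConfig() in nomad/structs/config/consul.go in this same commit treat the empty string as "do not specify a namespace". How consul-template handles an empty but non-nil namespace is not visible here, so guarding the assignment keeps the behaviour of unconfigured clusters exactly as it was before the change: `if cc.ConsulConfig.Namespace != "" { conf.Consul.Namespace = &cc.ConsulConfig.Namespace }`. newRunnerConfig starts and ends outside the hunk.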
11 changes: 11 additions & 0 deletions nomad/structs/config/consul.go
Expand Up @@ -118,6 +118,10 @@ type ConsulConfig struct {

// ExtraKeysHCL is used by hcl to surface unexpected keys
ExtraKeysHCL []string `hcl:",unusedKeys" json:"-"`

// Namespace sets the Consul namespace used for all calls against the
// Consul API. If this is unset, then Nomad does not specify a consul namespace.
Namespace string `hcl:"namespace"`
}

// DefaultConsulConfig() returns the canonical defaults for the Nomad
Expand All @@ -144,6 +148,7 @@ func DefaultConsulConfig() *ConsulConfig {
EnableSSL: helper.BoolToPtr(def.Scheme == "https"),
VerifySSL: helper.BoolToPtr(!def.TLSConfig.InsecureSkipVerify),
CAFile: def.TLSConfig.CAFile,
Namespace: def.Namespace,
}
}

Expand Down Expand Up @@ -230,6 +235,9 @@ func (c *ConsulConfig) Merge(b *ConsulConfig) *ConsulConfig {
if b.AllowUnauthenticated != nil {
result.AllowUnauthenticated = helper.BoolToPtr(*b.AllowUnauthenticated)
}
if b.Namespace != "" {
result.Namespace = b.Namespace
}
return result
}

Expand Down Expand Up @@ -285,6 +293,9 @@ func (c *ConsulConfig) ApiConfig() (*consul.Config, error) {
}
config.Transport.TLSClientConfig = tlsConfig
}
if c.Namespace != "" {
config.Namespace = c.Namespace
}
return config, nil
}

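Review bot: The doc comment on `Namespace` says Nomad specifies no Consul namespace when the field is unset, yet DefaultConsulConfig() seeds it from `def.Namespace`. `def` is defined above the hunk; if it comes from the Consul API client's default configuration, that value can be taken from the agent's `CONSUL_NAMESPACE` environment variable, and Merge() will keep it whenever the config file leaves `namespace` empty. Since the namespace is a tenancy boundary, I would state this in the comment, for example `// If unset, the value from DefaultConsulConfig (the Consul client default) is used.`, and mirror it in the `namespace` entry of consul.mdx. A test for the new Merge() branch would also be worth adding; the commit includes none.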
4 changes: 4 additions & 0 deletions website/pages/docs/configuration/consul.mdx
Expand Up @@ -87,6 +87,10 @@ configuring Nomad to talk to Consul via DNS such as consul.service.consul
- `key_file` `(string: "")` - Specifies the path to the private key used for
Consul communication. If this is set then you need to also set `cert_file`.

- `namespace` `(string: "")` - Specifies the [Consul namespace](https://www.consul.io/docs/enterprise/namespaces)
used by the Consul integration. If non-empty, this namespace will be used on
all Consul API calls and for Consul Connect configurations.

- `server_service_name` `(string: "nomad")` - Specifies the name of the service
in Consul for the Nomad servers.

