Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[feature] Add support (and documentation) for consul ingress gateways #8294

Closed
apollo13 opened this issue Jun 26, 2020 · 4 comments
Closed

[feature] Add support (and documentation) for consul ingress gateways #8294

apollo13 opened this issue Jun 26, 2020 · 4 comments
Assignees
@shoenig
Labels
theme/consul/connect Consul Connect integration theme/consul type/enhancement

Comments

@apollo13
Copy link
Contributor

It would be great (given the usage of consul & connect in nomad) to have first class support for ingress gateways (https://www.consul.io/docs/connect/ingress-gateway) in Nomad. For an outsider it kinda feels weird that all the examples (https://www.hashicorp.com/blog/ingress-gateways-in-hashicorp-consul-1-8/) are either bare-bones or kubernetes specific. You've got a great scheduler here, make use of it :)
@jlarfors
Copy link

jlarfors commented Jun 26, 2020
edited
Loading

I made a proof of concept where I add the connect->sidecar_service to my nomad job's group->service definition.

// File: vault.nomad
// job->group->service
  service {
      name = "vault"
      port = "http"
      tags = ["http"]
      connect {
        sidecar_service {}
      }
    }

Then following the tutorial here (https://learn.hashicorp.com/consul/developer-mesh/ingress-gateways) to create an ingress-gateway service and run consul connect envoy -kind ingress-gateway .... manually.

A fair approach would be if there was a simple way to run the envoy ingress-gateway process as a job in Nomad (maybe there already is?). Then as long as nomad job group services have the sidecar_service enabled we could deploy the ingress-gateway using a nomad job separately, defining the port and listener etc.

Another issue I encountered is that in our use case we want one ingress-gateway routing to multiple services which can only be achieved with HTTP, and the services created by Nomad jobs use TCP by default in Consul. I then used a service-defaults for each service to make it HTTP afterwards, which is a bit cumbersome but not a showstopper.

// File: vault-service-defaults.hcl
Kind      = "service-defaults"
Name      = "vault"
Protocol  = "http"

Definition of an ingress-gateway could then look like:

// File: ingress-gateway.hcl
Kind = "ingress-gateway"
Name = "ingress-service"

Listeners = [
 {
   Port = 80
   Protocol = "http"
   Services = [
     {
       Name = "vault"
     },
     {
       Name = "other-service"
     }
   ]
 }
]

and run consul config write ingress-gateway.hcl.

@shoenig shoenig added the theme/consul/connect Consul Connect integration label Jun 29, 2020
@shoenig shoenig self-assigned this Jul 13, 2020
@manveru
Copy link
Contributor

manveru commented Jul 17, 2020

Here's a full group definition for something that works:

  group "web" {
    network {
      mode = "bridge"
      port "http" { to = 80 }
    }

    service {
      name = "web"
      tags = ["http"]
      port = "http"

      connect {
        sidecar_service {
          proxy {
            config {
              protocol = "http"
            }
            local_service_port = 80
          }
        }
      }

      check {
        type = "http"
        path = "/"
        interval = "10s"
        timeout = "10s"
      }
    }

    task "web" {
      driver = "docker"

      meta {
        version = 49
      }

      config = {
        image = "fill in the blanks"
      }
    }
  }

@apollo13 apollo13 mentioned this issue Aug 12, 2020
Open
shoenig added a commit that referenced this issue Aug 21, 2020
@shoenig
consul/connect: add initial support for ingress gateways
9ffdeed 
This PR adds initial support for running Consul Connect Ingress Gateways (CIGs) in Nomad. These gateways are declared as part of a task group level service definition within the connect stanza.

```hcl
service {
  connect {
    gateway {
      proxy {
        // envoy proxy configuration
      }
      ingress {
        // ingress-gateway configuration entry
      }
    }
  }
}
```

A gateway can be run in `bridge` or `host` networking mode, with the caveat that host networking necessitates manually specifying the Envoy admin listener (which cannot be disabled) via the service port value.

Currently Envoy is the only supported gateway implementation in Consul, and Nomad only supports running Envoy as a gateway using the docker driver.

Aims to address #8294 and tangentially #8647
@shoenig shoenig mentioned this issue Aug 21, 2020
Merged
@shoenig
Copy link
Member

shoenig commented Nov 25, 2020

Support for ingress gateways was added in #8709
https://www.nomadproject.io/docs/job-specification/gateway#gateway-stanza

@shoenig shoenig closed this as completed Nov 25, 2020
This was referenced Nov 25, 2020
Closed
Closed
@github-actions
Copy link

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 28, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@shoenig shoenig

Labels
theme/consul/connect Consul Connect integration theme/consul type/enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@manveru @apollo13 @shoenig @jlarfors @jrasell