[Feature] Configure nomad cluster to use a Consul Namespace [Consul Enterprise] #8849
Hi @fredrikhgrelland! Thanks for this PR -- this is a great start!
Consul is a bit more deeply integrated into Nomad than Vault is, so there are several other places that will need to have this configuration:
- template hook
- service hook
- Connect Native hook
- script check hook
- the task runner's Consul client
- the server's Consul client
- (maybe more... you'd want to search for imports of "github.com/hashicorp/consul" and "github.com/hashicorp/consul-template")
This is a pretty big feature to take on, and the Nomad maintainers would need to follow up with multi-namespace support for the ENT product just as we've done with Vault in 0.12.2. But it's also not on our short-term roadmap, so if you're willing to tackle this, we'd love to have the contribution and we'd be happy to help review and guide you through it!
Thank you for the review. I expected that it was a little bit more involved... I'll review your comments and will get back to you :)
Hi @tgross. I have looked through the places where you suggest there need to be changes, but I have a hard time figuring out what it is you think needs changing. The way I read this code is that nomad will leverage the consul api configuration of nomad. Is this not true? In order for nomad to honor a different consul namespace than the Please have a second look, and if I am mistaken, maybe you can show one example where changes are needed so I can get at it?
Basically the idea is looking for the places where we're converting from Nomad's internal representation of Consul configuration ( Two areas I found:
Upon a bit more review I think we're good on the server and client's own clients. And elsewhere we're using the "Consul Service API" interface wrapper and using that, so those should be ok:
@tgross, sorry for the delay. I finally found enough time to dive in and review properly. I tried to find any more places where config needs to be converted, but I have not found any more.
I think you've got them all. The #8988 PR needs a couple fixes. I'm going to tag-in one of my colleagues who's been working on the Consul integration a lot in the last few months just to double-check I haven't missed anything glaring. But I think we'll be good-to-go here.
Thanks for working on this @fredrikhgrelland, it is truly appreciated. Getting this to work with Consul ACLs is a little funny but possible, and I think we'll want to add some documentation since it's not quite obvious. Consul does not allow Namespace'd ACL policies to make use of
Can probably have the docs live under a heading at the bottom of https://www.nomadproject.io/docs/configuration/consul
I'll follow-up with that documentation suggestion in a separate PR so that we're not gating this one on some in-flight documentation infra changes.
I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
Currently Nomad has the option of setting a global Vault namespace configuration.
This PR brings feature parity by allowing a global option to be set for Consul namespaces in the consul configuration.