[Feature] Configure nomad cluster to use a Consul Namespace [Consul Enterprise] #8849

Merged
merged 1 commit into from
Oct 2, 2020
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,7 @@ IMPROVEMENTS:
* api: Added support for cancellation contexts to HTTP API. [[GH-8836](https://github.com/hashicorp/nomad/issues/8836)]
* client: Added support for Azure fingerprinting. [[GH-8979](https://github.com/hashicorp/nomad/issues/8979)]
* client: Updated consul-template to v0.25.0 - config function_blacklist deprecated and replaced with function_denylist [[GH-8988](https://github.com/hashicorp/nomad/pull/8988)]
* consul: Support consul namespace (consul enterprise) in client configuration. [[GH-8849](https://github.com/hashicorp/nomad/pull/8849)]
* driver/docker: Upgrade pause container and detect architecture [[GH-8957](https://github.com/hashicorp/nomad/pull/8957)]
* jobspec: Lowered minimum CPU allowed from 10 to 1. [[GH-8996](https://github.com/hashicorp/nomad/issues/8996)]
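
Review bot: The new `consul:` entry describes the namespace as supported "in client configuration", but the `ConsulConfig.Namespace` field added in nomad/structs/config/consul.go is applied in `ApiConfig()` and is documented in consul.mdx as used on all Consul API calls. Suggest wording the entry around the `consul` agent configuration as a whole, and capitalising "Consul" and "Consul Enterprise" as the docs hunk does.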

9 changes: 9 additions & 0 deletions client/allocrunner/taskrunner/envoybootstrap_hook.go
Expand Up @@ -30,6 +30,7 @@ type consulTransportConfig struct {
CAFile string // optional, arg -ca-file
CertFile string // optional, arg -client-cert
KeyFile string // optional, arg -client-key
Namespace string // optional, only consul Enterprise, env CONSUL_NAMESPACE
// CAPath (dir) not supported by Nomad's config object
}
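
Review bot: The comment on the new `Namespace` field names only `env CONSUL_NAMESPACE`, while the `args()` hunk further down also passes the value as `-namespace`; the sibling fields each name their flag. Suggest `// optional, only Consul Enterprise, arg -namespace, env CONSUL_NAMESPACE` so the struct documents both routes.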

Expand All @@ -42,6 +43,7 @@ func newConsulTransportConfig(consul *config.ConsulConfig) consulTransportConfig
CAFile: consul.CAFile,
CertFile: consul.CertFile,
KeyFile: consul.KeyFile,
Namespace: consul.Namespace,
}
}

Expand Down Expand Up @@ -416,6 +418,10 @@ func (e envoyBootstrapArgs) args() []string {
arguments = append(arguments, "-client-key", v)
}

if v := e.consulConfig.Namespace; v != "" {
arguments = append(arguments, "-namespace", v)
}

return arguments
}
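
Review bot: In `args()` the namespace is appended as `-namespace`, and the same value is exported again as `CONSUL_NAMESPACE` in `env()`, whereas the other fields whose comments are visible in this file are each documented with a single route. Passing it one way, or adding a comment that explains why both are needed, would make clear which source the bootstrap command is expected to honour. A test for `args()` covering the empty and non-empty namespace would pin the behaviour down.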

Expand All @@ -435,6 +441,9 @@ func (e envoyBootstrapArgs) env(env []string) []string {
if v := e.consulConfig.VerifySSL; v != "" {
env = append(env, fmt.Sprintf("%s=%s", "CONSUL_HTTP_SSL_VERIFY", v))
}
if v := e.consulConfig.Namespace; v != "" {
env = append(env, fmt.Sprintf("%s=%s", "CONSUL_NAMESPACE", v))
}
return env
}
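
Review bot: In `env()`, `CONSUL_NAMESPACE` is appended only when `Namespace` is non-empty, so with the field unset any `CONSUL_NAMESPACE` already present in the `env` slice passed in is forwarded unchanged, and with it set the slice can end up holding the key twice. If the incoming slice can come from the agent's own environment, decide whether the configured value should be the only source, and either filter the existing key or document that the environment is an accepted fallback.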

1 change: 1 addition & 0 deletions client/allocrunner/taskrunner/template/template.go
Expand Up @@ -624,6 +624,7 @@ func newRunnerConfig(config *TaskTemplateManagerConfig,
if cc.ConsulConfig != nil {
conf.Consul.Address = &cc.ConsulConfig.Addr
conf.Consul.Token = &cc.ConsulConfig.Token
conf.Consul.Namespace = &cc.ConsulConfig.Namespace

if cc.ConsulConfig.EnableSSL != nil && *cc.ConsulConfig.EnableSSL {
verify := cc.ConsulConfig.VerifySSL != nil && *cc.ConsulConfig.VerifySSL
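
Review bot: `conf.Consul.Namespace = &cc.ConsulConfig.Namespace` is assigned unconditionally, so an unset namespace reaches the template runner as a non-nil pointer to an empty string, whereas `ApiConfig()` and the envoy bootstrap code in this PR only pass the value when it is non-empty. Guarding the assignment with `if cc.ConsulConfig.Namespace != ""` would keep "unset means no namespace specified" consistent across the three call sites, and a `newRunnerConfig` test for both cases would record it.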
11 changes: 11 additions & 0 deletions nomad/structs/config/consul.go
Expand Up @@ -118,6 +118,10 @@ type ConsulConfig struct {

// ExtraKeysHCL is used by hcl to surface unexpected keys
ExtraKeysHCL []string `hcl:",unusedKeys" json:"-"`

// Namespace sets the Consul namespace used for all calls against the
// Consul API. If this is unset, then Nomad does not specify a consul namespace.
Namespace string `hcl:"namespace"`
}

// DefaultConsulConfig() returns the canonical defaults for the Nomad
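
Review bot: `Namespace` is added after `ExtraKeysHCL`, which carries the `hcl:",unusedKeys"` tag and reads as the trailing catch-all of `ConsulConfig`; moving the new field above it keeps the catch-all last. The field comment could also state that namespaces are Consul Enterprise only, as the comment in envoybootstrap_hook.go does.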
Expand All @@ -144,6 +148,7 @@ func DefaultConsulConfig() *ConsulConfig {
EnableSSL: helper.BoolToPtr(def.Scheme == "https"),
VerifySSL: helper.BoolToPtr(!def.TLSConfig.InsecureSkipVerify),
CAFile: def.TLSConfig.CAFile,
Namespace: def.Namespace,
}
}
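
Review bot: `Namespace: def.Namespace` makes the default whatever `def` carries, while the field comment in this file and the docs hunk both describe the default as empty (`string: ""`). If `def` can pick up a namespace from the agent's environment, the effective namespace is then decided outside the Nomad configuration; either default to `""` here or document that source in consul.mdx.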

Expand Down Expand Up @@ -230,6 +235,9 @@ func (c *ConsulConfig) Merge(b *ConsulConfig) *ConsulConfig {
if b.AllowUnauthenticated != nil {
result.AllowUnauthenticated = helper.BoolToPtr(*b.AllowUnauthenticated)
}
if b.Namespace != "" {
result.Namespace = b.Namespace
}
return result
}
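
Review bot: The `b.Namespace != ""` guard in `Merge` means a later configuration can replace a namespace but never clear one, so a value that arrived through `DefaultConsulConfig()` cannot be reset to empty from an operator's config file. If that is intended, a short comment and a `Merge` test case for the namespace field would record it.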

Expand Down Expand Up @@ -285,6 +293,9 @@ func (c *ConsulConfig) ApiConfig() (*consul.Config, error) {
}
config.Transport.TLSClientConfig = tlsConfig
}
if c.Namespace != "" {
config.Namespace = c.Namespace
}
return config, nil
}

4 changes: 4 additions & 0 deletions website/pages/docs/configuration/consul.mdx
Expand Up @@ -87,6 +87,10 @@ configuring Nomad to talk to Consul via DNS such as consul.service.consul
- `key_file` `(string: "")` - Specifies the path to the private key used for
Consul communication. If this is set then you need to also set `cert_file`.

- `namespace` `(string: "")` - Specifies the [Consul namespace](https://www.consul.io/docs/enterprise/namespaces)
used by the Consul integration. If non-empty, this namespace will be used on
all Consul API calls and for Consul Connect configurations.

- `server_service_name` `(string: "nomad")` - Specifies the name of the service
in Consul for the Nomad servers.
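
Review bot: The new `namespace` entry links to the Enterprise namespaces page but does not say that the option requires Consul Enterprise, which the PR title and the code comment in envoybootstrap_hook.go both state. Suggest saying so in the first sentence and adding what an empty value means, in line with the field comment in consul.go ("Nomad does not specify a consul namespace").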
