github.com/iqoqo/nomad@v0.11.3-0.20200911112621-d7021c74d101/website/pages/docs/integrations/consul-connect.mdx (about) 1 --- 2 layout: docs 3 page_title: Consul Connect 4 sidebar_title: Consul Connect 5 description: >- 6 Learn how to use Nomad with Consul Connect to enable secure service to service 7 communication 8 --- 9 10 # Consul Connect 11 12 ~> **Note:** This guide requires Nomad 0.10.0 or later and Consul 1.6.0 or 13 later. 14 15 ~> **Note:** Nomad's Connect integration requires Linux network namespaces. 16 Nomad Connect will not run on Windows or macOS. 17 18 [Consul Connect](https://www.consul.io/docs/connect) provides 19 service-to-service connection authorization and encryption using mutual 20 Transport Layer Security (TLS). Applications can use sidecar proxies in a 21 service mesh configuration to automatically establish TLS connections for 22 inbound and outbound connections without being aware of Connect at all. 23 24 # Nomad with Consul Connect Integration 25 26 Nomad integrates with Consul to provide secure service-to-service communication 27 between Nomad jobs and task groups. In order to support Consul Connect, Nomad 28 adds a new networking mode for jobs that enables tasks in the same task group to 29 share their networking stack. With a few changes to the job specification, job 30 authors can opt into Connect integration. When Connect is enabled, Nomad will 31 launch a proxy alongside the application in the job file. The proxy (Envoy) 32 provides secure communication with other applications in the cluster. 33 34 Nomad job specification authors can use Nomad's Consul Connect integration to 35 implement [service segmentation](https://www.consul.io/segmentation.html) in a 36 microservice architecture running in public clouds without having to directly 37 manage TLS certificates. This is transparent to job specification authors as 38 security features in Connect continue to work even as the application scales up 39 or down or gets rescheduled by Nomad. 40 41 For using the Consul Connect integration with Consul ACLs enabled, see the 42 [Secure Nomad Jobs with Consul Connect](https://learn.hashicorp.com/nomad/consul-integration/nomad-connect-acl) 43 guide. 44 45 # Nomad Consul Connect Example 46 47 The following section walks through an example to enable secure communication 48 between a web dashboard and a backend counting service. The web dashboard and 49 the counting service are managed by Nomad. Nomad additionally configures Envoy 50 proxies to run along side these applications. The dashboard is configured to 51 connect to the counting service via localhost on port 9001. The proxy is managed 52 by Nomad, and handles mTLS communication to the counting service. 53 54 ## Prerequisites 55 56 ### Consul 57 58 Connect integration with Nomad requires [Consul 1.6 or 59 later.](https://releases.hashicorp.com/consul/1.6.0/) The Consul agent can be 60 run in dev mode with the following command: 61 62 **Note**: Nomad's Connect integration requires Consul in your `$PATH` 63 64 ```shell-sessionconsul agent -dev 65 66 ``` 67 68 To use Connect on a non-dev Consul agent, you will minimally need to enable the 69 GRPC port and set `connect` to enabled by adding some additional information to 70 your Consul client configurations, depending on format. 71 72 For HCL configurations: 73 74 ```hcl 75 # ... 76 77 ports { 78 grpc = 8502 79 } 80 81 connect { 82 enabled = true 83 } 84 ``` 85 86 For JSON configurations: 87 88 ```javascript 89 { 90 // ... 91 "ports": { 92 "grpc": 8502 93 }, 94 "connect": { 95 "enabled": true 96 } 97 } 98 ``` 99 100 ### Nomad 101 102 Nomad must schedule onto a routable interface in order for the proxies to 103 connect to each other. The following steps show how to start a Nomad dev agent 104 configured for Connect. 105 106 ```shell-sessionsudo nomad agent -dev-connect 107 108 ``` 109 110 ### CNI Plugins 111 112 Nomad uses CNI plugins to configure the network namespace used to secure the 113 Consul Connect sidecar proxy. All Nomad client nodes using network namespaces 114 must have CNI plugins installed. 115 116 The following commands install CNI plugins: 117 118 ```shell-sessioncurl -L -o cni-plugins.tgz https://github.com/containernetworking/plugins/releases/download/v0.8.4/cni-plugins-linux-amd64-v0.8.4.tgz 119 $ sudo mkdir -p /opt/cni/bin 120 $ sudo tar -C /opt/cni/bin -xzf cni-plugins.tgz 121 ``` 122 123 Ensure the your Linux operating system distribution has been configured to allow 124 container traffic through the bridge network to be routed via iptables. These 125 tunables can be set as follows: 126 127 ```shell-sessionecho 1 > /proc/sys/net/bridge/bridge-nf-call-arptables 128 $ echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables 129 $ echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables 130 ``` 131 132 To preserve these settings on startup of a client node, add a file including the 133 following to `/etc/sysctl.d/` or remove the file your Linux distribution puts in 134 that directory. 135 136 ``` 137 net.bridge.bridge-nf-call-arptables = 1 138 net.bridge.bridge-nf-call-ip6tables = 1 139 net.bridge.bridge-nf-call-iptables = 1 140 ``` 141 142 ## Run the Connect-enabled Services 143 144 Once Nomad and Consul are running, submit the following Connect-enabled services 145 to Nomad by copying the HCL into a file named `connect.nomad` and running: 146 `nomad run connect.nomad` 147 148 ```hcl 149 job "countdash" { 150 datacenters = ["dc1"] 151 152 group "api" { 153 network { 154 mode = "bridge" 155 } 156 157 service { 158 name = "count-api" 159 port = "9001" 160 161 connect { 162 sidecar_service {} 163 } 164 } 165 166 task "web" { 167 driver = "docker" 168 169 config { 170 image = "hashicorpnomad/counter-api:v1" 171 } 172 } 173 } 174 175 group "dashboard" { 176 network { 177 mode = "bridge" 178 179 port "http" { 180 static = 9002 181 to = 9002 182 } 183 } 184 185 service { 186 name = "count-dashboard" 187 port = "9002" 188 189 connect { 190 sidecar_service { 191 proxy { 192 upstreams { 193 destination_name = "count-api" 194 local_bind_port = 8080 195 } 196 } 197 } 198 } 199 } 200 201 task "dashboard" { 202 driver = "docker" 203 204 env { 205 COUNTING_SERVICE_URL = "http://${NOMAD_UPSTREAM_ADDR_count_api}" 206 } 207 208 config { 209 image = "hashicorpnomad/counter-dashboard:v1" 210 } 211 } 212 } 213 } 214 ``` 215 216 The job contains two task groups: an API service and a web frontend. 217 218 ### API Service 219 220 The API service is defined as a task group with a bridge network: 221 222 ```hcl 223 group "api" { 224 network { 225 mode = "bridge" 226 } 227 228 # ... 229 } 230 ``` 231 232 Since the API service is only accessible via Consul Connect, it does not define 233 any ports in its network. The service stanza enables Connect: 234 235 ```hcl 236 group "api" { 237 238 # ... 239 240 service { 241 name = "count-api" 242 port = "9001" 243 244 connect { 245 sidecar_service {} 246 } 247 } 248 249 # ... 250 251 } 252 ``` 253 254 The `port` in the service stanza is the port the API service listens on. The 255 Envoy proxy will automatically route traffic to that port inside the network 256 namespace. 257 258 ### Web Frontend 259 260 The web frontend is defined as a task group with a bridge network and a static 261 forwarded port: 262 263 ```hcl 264 group "dashboard" { 265 network { 266 mode = "bridge" 267 268 port "http" { 269 static = 9002 270 to = 9002 271 } 272 } 273 274 # ... 275 276 } 277 ``` 278 279 The `static = 9002` parameter requests the Nomad scheduler reserve port 9002 on 280 a host network interface. The `to = 9002` parameter forwards that host port to 281 port 9002 inside the network namespace. 282 283 This allows you to connect to the web frontend in a browser by visiting 284 `http://<host_ip>:9002` as show below: 285 286 [![Count Dashboard][count-dashboard]][count-dashboard] 287 288 The web frontend connects to the API service via Consul Connect: 289 290 ```hcl 291 service { 292 name = "count-dashboard" 293 port = "9002" 294 295 connect { 296 sidecar_service { 297 proxy { 298 upstreams { 299 destination_name = "count-api" 300 local_bind_port = 8080 301 } 302 } 303 } 304 } 305 } 306 ``` 307 308 The `upstreams` stanza defines the remote service to access (`count-api`) and 309 what port to expose that service on inside the network namespace (`8080`). 310 311 The web frontend is configured to communicate with the API service with an 312 environment variable: 313 314 ```hcl 315 env { 316 COUNTING_SERVICE_URL = "http://${NOMAD_UPSTREAM_ADDR_count_api}" 317 } 318 ``` 319 320 The web frontend is configured via the `$COUNTING_SERVICE_URL`, so you must 321 interpolate the upstream's address into that environment variable. Note that 322 dashes (`-`) are converted to underscores (`_`) in environment variables so 323 `count-api` becomes `count_api`. 324 325 ## Limitations 326 327 - The `consul` binary must be present in Nomad's `$PATH` to run the Envoy 328 proxy sidecar on client nodes. 329 - Consul Connect Native is not yet supported ([#6083][gh6083]). 330 - Only the Docker, `exec`, `raw_exec`, and `java` drivers support network namespaces 331 and Connect. 332 - Changes to the `connect` stanza may not properly trigger a job update 333 ([#6459][gh6459]). Changing a `meta` variable is the suggested workaround as 334 this will always cause an update to occur. 335 - Consul Connect and network namespaces are only supported on Linux. 336 337 [count-dashboard]: /img/count-dashboard.png 338 [gh6083]: https://github.com/hashicorp/nomad/issues/6083 339 [gh6120]: https://github.com/hashicorp/nomad/issues/6120 340 [gh6701]: https://github.com/hashicorp/nomad/issues/6701 341 [gh6459]: https://github.com/hashicorp/nomad/issues/6459