
@horaciomonsalvo
Contributor

Description:

  • Added support for Ingress Listener TLS configuration, and SDS:
    • Created new ConsulGatewayTLSSDSConfig struct and corresponding receiver functions (Copy() and Equal())
    • Added TLS field to ConsulIngressListener struct and updated its receiver functions.
  • Updated jobspec/parse_service.go
  • Updated related tests
  • Updated the Nomad documentation for the ConsulIngressListener struct.

Testing Changes

To test these changes, you need to build a Nomad binary and deploy a cluster with both Nomad and Consul agents and clients.
When you have your cluster running, you can run the following job spec:

job "ingress-demo" {

  datacenters = ["dc1"]

  # This group will have a task providing the ingress gateway automatically
  # created by Nomad. The ingress gateway is based on the Envoy proxy being
  # managed by the docker driver.
  group "ingress-group" {

    network {
      mode = "bridge"

      # This example will enable plain HTTP traffic to access the uuid-api connect
      # native example service on port 8080.
      port "inbound" {
        static = 8080
        to     = 8080
      }
    }

    service {
      name = "my-ingress-service"
      port = "8080"

      connect {
        gateway {

          # Consul gateway [envoy] proxy options.
          proxy {
            # The following options are automatically set by Nomad if not
            # explicitly configured when using bridge networking.
            #
            # envoy_gateway_no_default_bind = true
            # envoy_gateway_bind_addresses "uuid-api" {
            #   address = "0.0.0.0"
            #   port    = <associated listener.port>
            # }
            #
            # Additional options are documented at
            # https://www.nomadproject.io/docs/job-specification/gateway#proxy-parameters
          }

          # Consul Ingress Gateway Configuration Entry.
          ingress {
            # Nomad will automatically manage the Configuration Entry in Consul
            # given the parameters in the ingress block.
            #
            # Additional options are documented at
            # https://www.nomadproject.io/docs/job-specification/gateway#ingress-parameters
            listener {
              port     = 8080
              protocol = "tcp"
              service {
                name = "uuid-api"
              }
              tls {
                # New fields:
                sds_config {
                  cluster_name  = "foo"
                  cert_resource = "example.com-public-cert"
                }
              }
            }
          }
        }
      }
    }
  }

  # The UUID generator from the connect-native demo is used as an example service.
  # The ingress gateway above makes access to the service possible over normal HTTP.
  # For example,
  #
  # $ curl $(dig +short @127.0.0.1 -p 8600 uuid-api.ingress.dc1.consul. ANY):8080
  group "generator" {
    network {
      mode = "host"
      port "api" {}
    }

    service {
      name = "uuid-api"
      port = "api"

      connect {
        native = true
      }
    }

    task "generate" {
      driver = "docker"

      config {
        image        = "hashicorpdev/uuid-api:v5"
        network_mode = "host"
      }

      env {
        BIND = "0.0.0.0"
        PORT = "${NOMAD_PORT_api}"
      }
    }
  }
}

Once the job is running and healthy, use Consul's API to get the terminating gateway's configuration:

curl --request GET http://127.0.0.1:8500/v1/config/ingress-gateway | json_pp

You will get the following JSON output:

[
    {
        "Kind": "ingress-gateway",
        "Name": "my-ingress-service",
        "TLS": {
            "Enabled": false
        },
        "Listeners": [
            {
                "Port": 8080,
                "Protocol": "tcp",
                "TLS": {
                    "Enabled": false,
                    "SDS": {
                        "ClusterName": "foo",
                        "CertResource": "example.com-public-cert"
                    }
                },
                "Services": [
                    {
                        "Name": "uuid-api",
                        "Hosts": null,
                        "TLS": {},
                        "RequestHeaders": {},
                        "ResponseHeaders": {}
                    }
                ]
            }
        ],
        "Defaults": {
            "MaxConnections": 0,
            "MaxPendingRequests": 0,
            "MaxConcurrentRequests": 0
        },
        "CreateIndex": 51,
        "ModifyIndex": 647
    }
]

Demo Video

ConsulIngressListener.mp4
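As an added example that is not part of this PR or of Nomad's own code: a Go sketch of the nil-safe Copy()/Equal() pattern the description names for ConsulGatewayTLSSDSConfig, together with a check that decodes the Consul config-entry output shown above and confirms the listener's SDS block carries the cluster name and cert resource the jobspec declared. The enclosing ConsulGatewayTLSConfig type, the VerifyListenerSDS helper and the trimmed ingressGatewayEntry view are assumptions modelled on the JSON keys in the output, not Nomad's actual types; the sample response is copied from the description and trimmed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ConsulGatewayTLSSDSConfig holds the listener-level SDS settings. Field names
// follow the JSON keys Consul returns; the exact Nomad struct is assumed here.
type ConsulGatewayTLSSDSConfig struct {
	ClusterName  string
	CertResource string
}

// Copy returns a nil-safe copy so that mutating it never aliases the original.
func (c *ConsulGatewayTLSSDSConfig) Copy() *ConsulGatewayTLSSDSConfig {
	if c == nil {
		return nil
	}
	nc := *c
	return &nc
}

// Equal is nil-safe: a job version that adds or removes the sds_config block
// must compare unequal to the previous one, or the change is never rolled out.
func (c *ConsulGatewayTLSSDSConfig) Equal(o *ConsulGatewayTLSSDSConfig) bool {
	if c == nil || o == nil {
		return c == o
	}
	return c.ClusterName == o.ClusterName && c.CertResource == o.CertResource
}

// ConsulGatewayTLSConfig (assumed name) is the listener "tls" block.
type ConsulGatewayTLSConfig struct {
	Enabled bool
	SDS     *ConsulGatewayTLSSDSConfig
}

func (t *ConsulGatewayTLSConfig) Copy() *ConsulGatewayTLSConfig {
	if t == nil {
		return nil
	}
	return &ConsulGatewayTLSConfig{Enabled: t.Enabled, SDS: t.SDS.Copy()}
}

func (t *ConsulGatewayTLSConfig) Equal(o *ConsulGatewayTLSConfig) bool {
	if t == nil || o == nil {
		return t == o
	}
	return t.Enabled == o.Enabled && t.SDS.Equal(o.SDS)
}

// Minimal view of Consul's ingress-gateway config entry as returned by
// GET /v1/config/ingress-gateway; keys not listed here are ignored on decode.
type ingressListener struct {
	Port     int
	Protocol string
	TLS      *ConsulGatewayTLSConfig
}

type ingressGatewayEntry struct {
	Kind      string
	Name      string
	Listeners []ingressListener
}

// VerifyListenerSDS decodes the config-entry response and checks that the
// listener on port carries exactly the SDS settings the jobspec declared.
func VerifyListenerSDS(body []byte, port int, want *ConsulGatewayTLSSDSConfig) error {
	var entries []ingressGatewayEntry
	if err := json.Unmarshal(body, &entries); err != nil {
		return fmt.Errorf("decode config entries: %w", err)
	}
	for _, e := range entries {
		if e.Kind != "ingress-gateway" {
			continue
		}
		for _, l := range e.Listeners {
			if l.Port != port {
				continue
			}
			if l.TLS == nil {
				return fmt.Errorf("%s: listener %d has no TLS block", e.Name, port)
			}
			if !l.TLS.SDS.Equal(want) {
				return fmt.Errorf("%s: listener %d SDS mismatch: got %+v, want %+v", e.Name, port, l.TLS.SDS, want)
			}
			return nil
		}
	}
	return fmt.Errorf("no ingress-gateway listener on port %d", port)
}

// sampleConsulResponse is the output from the PR description, trimmed to the
// keys this check reads.
const sampleConsulResponse = `[{"Kind": "ingress-gateway", "Name": "my-ingress-service",
  "Listeners": [{"Port": 8080, "Protocol": "tcp",
    "TLS": {"Enabled": false, "SDS": {"ClusterName": "foo", "CertResource": "example.com-public-cert"}}}]}]`

func main() {
	want := &ConsulGatewayTLSSDSConfig{ClusterName: "foo", CertResource: "example.com-public-cert"}
	if err := VerifyListenerSDS([]byte(sampleConsulResponse), 8080, want); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("listener 8080 SDS config matches the jobspec")
}
```

The check is the part worth keeping around after the manual curl: a listener whose SDS cluster or cert resource silently differs from the jobspec would serve the wrong certificate, so comparing the Consul side against the declared values catches a lost or mistranslated field in the config entry sync.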

@tgross tgross added the stage/needs-rebase This PR needs to be rebased on main before it can be backported to pick up new BPA workflows label May 17, 2024
