address comments from code review

hashicorp · Apr 3, 2024 · 9cc62ce · 9cc62ce
1 parent 8c3eeda
commit 9cc62ce
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 28 deletions.
diff --git a/website/content/docs/job-specification/expose.mdx b/website/content/docs/job-specification/expose.mdx
@@ -229,7 +229,7 @@ check {
 ```
 
 [network-to]: /nomad/docs/job-specification/network#to
-[consul-expose-path-config]: /consul/docs/connect/registration/service-registration#expose-paths-configuration-reference
+[consul-expose-path-config]: /consul/docs/connect/proxies/proxy-config-reference#expose-paths-configuration-reference
 [expose-path]: /nomad/docs/job-specification/expose#path-1
 [expose]: /nomad/docs/job-specification/service#expose
 [path]: /nomad/docs/job-specification/expose#path-parameters 'Nomad Expose Path Parameters'

diff --git a/website/content/docs/job-specification/proxy.mdx b/website/content/docs/job-specification/proxy.mdx
@@ -106,6 +106,6 @@ sidecar_service {
 [upstreams]: /nomad/docs/job-specification/upstreams 'Nomad upstream config Specification'
 [expose]: /nomad/docs/job-specification/expose 'Nomad proxy expose configuration'
 [envoy_dynamic_config]: /consul/docs/connect/proxies/envoy#dynamic-configuration
-[expose_path_ref]: /consul/docs/connect/registration/service-registration#expose-paths-configuration-reference
+[expose_path_ref]: /consul/docs/connect/proxies/proxy-config-reference#expose-paths-configuration-reference
 [transparent_proxy]: /nomad/docs/job-specification/transparent_proxy
 [tproxy]: /consul/docs/k8s/connect/transparent-proxy
diff --git a/website/content/docs/job-specification/transparent_proxy.mdx b/website/content/docs/job-specification/transparent_proxy.mdx
@@ -24,36 +24,30 @@ The `transparent_proxy` block configures the Envoy sidecar proxy to act as a
 Consul Connect [transparent proxy][tproxy]. This simplifies the configuration of
 Consul Connect by eliminating the need to configure [`upstreams`][] blocks in
 Nomad. Instead, the Envoy proxy will takes its configuration entirely from
-Consul [service intentions][]. When transparent proxy is enabled:
+Consul [service intentions][].
 
-* Nomad will invoke the [`consul-cni`][] CNI plugin to configure `iptables` rules
-  in the network namespace to force outbound traffic from an allocation to flow
-  through the proxy.
-* If the local Consul agent is serving DNS, Nomad will set the IP address of the
-  Consul agent as the nameserver in the task's `/etc/resolv.conf`.
-* Consul will provide a [virtual IP][] for any upstream service the workload
-  has access to, based on the service intentions.
+When transparent proxy is enabled traffic will automatically flow through the
+Envoy proxy. If the local Consul agent is serving DNS, Nomad will also set up
+the task's nameservers to use Consul. This lets your workload use the [virtual
+IP][] DNS name from Consul, rather than configuring a `template` block that
+queries services.
 
-Using transparent proxy has several important requirements:
+Using transparent proxy has some important restrictions:
 
-* You must have the [`consul-cni`][] CNI plugin installed on the client host
-  along with the usual [required CNI plugins][cni_plugins].
 * You can only have a single `connect` block in any task group that uses
   transparent proxy.
-* To use Consul DNS and virtual IPs, you must set the Consul agent's
-  [`ports.dns`][consul_dns_port] configuration to an IP other than localhost
-  (the default is to use the `client_addr`).
-* The Consul agent must be configured with [`recursors`][] if you want
-  allocations to make DNS queries for applications outside the service mesh.
 * You cannot set a [`network.dns`][] block on the allocation (unless you set
   [`no_dns`](#no_dns), see below).
+* The node where the allocation is placed must be configured as described in
+  the Service Mesh integration documentation for [Transparent Proxy][].
 
 ## `transparent_proxy` Parameters
 
 * `exclude_inbound_ports` `([]string: nil)` - A list of inbound ports to exclude
-  from the IP tables redirect rule. These ports can be specified as either
-  [network port labels][port_labels] or as numeric ports. Nomad will
-  automatically add the following to this list:
+  from the inbound traffic redirection. This allows traffic on these ports to
+  bypass the Envoy proxy. These ports can be specified as either [network port
+  labels][port_labels] or as numeric ports. Nomad will automatically add the
+  following to this list:
   * The [`local_path_port`][] of any [`expose`][] block.
   * The port of any service check with [`expose=true`][check_expose] set.
   * The port of any `network.port` with a [`static`][] value.
@@ -70,11 +64,11 @@ Using transparent proxy has several important requirements:
 * `exclude_uids` `([]string: nil)` - A list of Unix user IDs (UIDs) that should
   be excluded from outbound traffic redirection. When unset, only the Envoy
   proxy's user will be allowed to bypass the iptables rule.
-* `no_dns` `(bool: false)` - When set to true, do not set Consul as the
-  nameserver for the workload and do not create IP tables rules to allow DNS to
-  bypass the Envoy proxy. If you want external DNS to work inside the allocation
-  with `no_dns=true`, you will need to add your own CIDR and port exclusions for
-  your DNS nameserver. You cannot set [`network.dns`][] if `no_dns=false`.
+* `no_dns` `(bool: false)` - By default, Consul will be set as the nameserver
+  for the workload and IP tables rules will redirect DNS queries to Consul. If
+  you want only external DNS, set `no_dns=true`. You will need to add your own
+  CIDR and port exclusions for your DNS nameserver. You cannot set
+  [`network.dns`][] if `no_dns=false`.
 * `outbound_port` `(int: 15001)` - The port that Envoy will bind on inside the
   network namespace. The iptables rules created by `consul-cni` will force
   traffic to flow to this port. You should only set this value if you have
@@ -140,7 +134,7 @@ Sources = [
 ```
 
 And then the downstream service `count-dashboard` could reach the `count-api`
-service by making requests to `http://count-api.virtual.consul:9001`.
+service by making requests to `http://count-api.virtual.consul`.
 
 ### External DNS
 
@@ -177,3 +171,4 @@ sidecar_service {
 [`template`]: /nomad/docs/job-specification/template#consul-integration
 [`nomad node meta apply`]: /nomad/docs/commands/node/meta/apply
 [`network.dns`]: /nomad/docs/job-specification/network#dns-parameters
+[Transparent Proxy]: /nomad/docs/integrations/consul/service-mesh#transparent-proxy
diff --git a/website/content/docs/job-specification/upstreams.mdx b/website/content/docs/job-specification/upstreams.mdx
@@ -82,7 +82,7 @@ job "countdash" {
 ## `upstreams` Parameters
 
 - `config` `(map: nil)` - Upstream configuration that is opaque to Nomad and passed
-  directly to Consul. See [Consul Connect documentation](/consul/docs/connect/registration/service-registration#upstream-configuration-reference)
+  directly to Consul. See [Consul Connect documentation][consul_expose_path_ref]
   for details. Keys and values support [runtime variable interpolation][interpolation].
 - `destination_name` `(string: <required>)` - Name of the upstream service.
 - `destination_namespace` `(string: <required>)` - Name of the upstream Consul namespace.
@@ -147,3 +147,4 @@ and a local bind port.
 [service_defaults_mode]: /consul/docs/connect/config-entries/service-defaults#meshgateway
 [mesh_gateway_param]: /nomad/docs/job-specification/upstreams#mesh_gateway-parameters
 [mesh_gateways]: /consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters#mesh-gateways
+[consul_expose_path_ref]: /consul/docs/connect/proxies/proxy-config-reference#expose-paths-configuration-reference