From 9cc62ceb916bf49a27c90ffd2e028e2f33859a3b Mon Sep 17 00:00:00 2001 From: Tim Gross Date: Wed, 3 Apr 2024 16:04:32 -0400 Subject: [PATCH] address comments from code review --- .../content/docs/job-specification/expose.mdx | 2 +- .../content/docs/job-specification/proxy.mdx | 2 +- .../job-specification/transparent_proxy.mdx | 45 +++++++++---------- .../docs/job-specification/upstreams.mdx | 3 +- 4 files changed, 24 insertions(+), 28 deletions(-) diff --git a/website/content/docs/job-specification/expose.mdx b/website/content/docs/job-specification/expose.mdx index e709e4c4647..184aad4ca03 100644 --- a/website/content/docs/job-specification/expose.mdx +++ b/website/content/docs/job-specification/expose.mdx @@ -229,7 +229,7 @@ check { ``` [network-to]: /nomad/docs/job-specification/network#to -[consul-expose-path-config]: /consul/docs/connect/registration/service-registration#expose-paths-configuration-reference +[consul-expose-path-config]: /consul/docs/connect/proxies/proxy-config-reference#expose-paths-configuration-reference [expose-path]: /nomad/docs/job-specification/expose#path-1 [expose]: /nomad/docs/job-specification/service#expose [path]: /nomad/docs/job-specification/expose#path-parameters 'Nomad Expose Path Parameters' diff --git a/website/content/docs/job-specification/proxy.mdx b/website/content/docs/job-specification/proxy.mdx index 5aa84a51172..5b95f5f2f98 100644 --- a/website/content/docs/job-specification/proxy.mdx +++ b/website/content/docs/job-specification/proxy.mdx @@ -106,6 +106,6 @@ sidecar_service { [upstreams]: /nomad/docs/job-specification/upstreams 'Nomad upstream config Specification' [expose]: /nomad/docs/job-specification/expose 'Nomad proxy expose configuration' [envoy_dynamic_config]: /consul/docs/connect/proxies/envoy#dynamic-configuration -[expose_path_ref]: /consul/docs/connect/registration/service-registration#expose-paths-configuration-reference +[expose_path_ref]: /consul/docs/connect/proxies/proxy-config-reference#expose-paths-configuration-reference [transparent_proxy]: /nomad/docs/job-specification/transparent_proxy [tproxy]: /consul/docs/k8s/connect/transparent-proxy diff --git a/website/content/docs/job-specification/transparent_proxy.mdx b/website/content/docs/job-specification/transparent_proxy.mdx index 9854cc8283c..f3ae8064532 100644 --- a/website/content/docs/job-specification/transparent_proxy.mdx +++ b/website/content/docs/job-specification/transparent_proxy.mdx @@ -24,36 +24,30 @@ The `transparent_proxy` block configures the Envoy sidecar proxy to act as a Consul Connect [transparent proxy][tproxy]. This simplifies the configuration of Consul Connect by eliminating the need to configure [`upstreams`][] blocks in Nomad. Instead, the Envoy proxy will takes its configuration entirely from -Consul [service intentions][]. When transparent proxy is enabled: +Consul [service intentions][]. -* Nomad will invoke the [`consul-cni`][] CNI plugin to configure `iptables` rules - in the network namespace to force outbound traffic from an allocation to flow - through the proxy. -* If the local Consul agent is serving DNS, Nomad will set the IP address of the - Consul agent as the nameserver in the task's `/etc/resolv.conf`. -* Consul will provide a [virtual IP][] for any upstream service the workload - has access to, based on the service intentions. +When transparent proxy is enabled traffic will automatically flow through the +Envoy proxy. If the local Consul agent is serving DNS, Nomad will also set up +the task's nameservers to use Consul. This lets your workload use the [virtual +IP][] DNS name from Consul, rather than configuring a `template` block that +queries services. -Using transparent proxy has several important requirements: +Using transparent proxy has some important restrictions: -* You must have the [`consul-cni`][] CNI plugin installed on the client host - along with the usual [required CNI plugins][cni_plugins]. * You can only have a single `connect` block in any task group that uses transparent proxy. -* To use Consul DNS and virtual IPs, you must set the Consul agent's - [`ports.dns`][consul_dns_port] configuration to an IP other than localhost - (the default is to use the `client_addr`). -* The Consul agent must be configured with [`recursors`][] if you want - allocations to make DNS queries for applications outside the service mesh. * You cannot set a [`network.dns`][] block on the allocation (unless you set [`no_dns`](#no_dns), see below). +* The node where the allocation is placed must be configured as described in + the Service Mesh integration documentation for [Transparent Proxy][]. ## `transparent_proxy` Parameters * `exclude_inbound_ports` `([]string: nil)` - A list of inbound ports to exclude - from the IP tables redirect rule. These ports can be specified as either - [network port labels][port_labels] or as numeric ports. Nomad will - automatically add the following to this list: + from the inbound traffic redirection. This allows traffic on these ports to + bypass the Envoy proxy. These ports can be specified as either [network port + labels][port_labels] or as numeric ports. Nomad will automatically add the + following to this list: * The [`local_path_port`][] of any [`expose`][] block. * The port of any service check with [`expose=true`][check_expose] set. * The port of any `network.port` with a [`static`][] value. @@ -70,11 +64,11 @@ Using transparent proxy has several important requirements: * `exclude_uids` `([]string: nil)` - A list of Unix user IDs (UIDs) that should be excluded from outbound traffic redirection. When unset, only the Envoy proxy's user will be allowed to bypass the iptables rule. -* `no_dns` `(bool: false)` - When set to true, do not set Consul as the - nameserver for the workload and do not create IP tables rules to allow DNS to - bypass the Envoy proxy. If you want external DNS to work inside the allocation - with `no_dns=true`, you will need to add your own CIDR and port exclusions for - your DNS nameserver. You cannot set [`network.dns`][] if `no_dns=false`. +* `no_dns` `(bool: false)` - By default, Consul will be set as the nameserver + for the workload and IP tables rules will redirect DNS queries to Consul. If + you want only external DNS, set `no_dns=true`. You will need to add your own + CIDR and port exclusions for your DNS nameserver. You cannot set + [`network.dns`][] if `no_dns=false`. * `outbound_port` `(int: 15001)` - The port that Envoy will bind on inside the network namespace. The iptables rules created by `consul-cni` will force traffic to flow to this port. You should only set this value if you have @@ -140,7 +134,7 @@ Sources = [ ``` And then the downstream service `count-dashboard` could reach the `count-api` -service by making requests to `http://count-api.virtual.consul:9001`. +service by making requests to `http://count-api.virtual.consul`. ### External DNS @@ -177,3 +171,4 @@ sidecar_service { [`template`]: /nomad/docs/job-specification/template#consul-integration [`nomad node meta apply`]: /nomad/docs/commands/node/meta/apply [`network.dns`]: /nomad/docs/job-specification/network#dns-parameters +[Transparent Proxy]: /nomad/docs/integrations/consul/service-mesh#transparent-proxy diff --git a/website/content/docs/job-specification/upstreams.mdx b/website/content/docs/job-specification/upstreams.mdx index da5d27e8552..58ad223d5fc 100644 --- a/website/content/docs/job-specification/upstreams.mdx +++ b/website/content/docs/job-specification/upstreams.mdx @@ -82,7 +82,7 @@ job "countdash" { ## `upstreams` Parameters - `config` `(map: nil)` - Upstream configuration that is opaque to Nomad and passed - directly to Consul. See [Consul Connect documentation](/consul/docs/connect/registration/service-registration#upstream-configuration-reference) + directly to Consul. See [Consul Connect documentation][consul_expose_path_ref] for details. Keys and values support [runtime variable interpolation][interpolation]. - `destination_name` `(string: )` - Name of the upstream service. - `destination_namespace` `(string: )` - Name of the upstream Consul namespace. @@ -147,3 +147,4 @@ and a local bind port. [service_defaults_mode]: /consul/docs/connect/config-entries/service-defaults#meshgateway [mesh_gateway_param]: /nomad/docs/job-specification/upstreams#mesh_gateway-parameters [mesh_gateways]: /consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters#mesh-gateways +[consul_expose_path_ref]: /consul/docs/connect/proxies/proxy-config-reference#expose-paths-configuration-reference