Connect transparent proxy support #20175

Merged
merged 9 commits into from
Apr 10, 2024

@tgross tgross commented Mar 21, 2024

This is a feature branch PR for adding support for Consul transparent proxy.

Component PRs, all of which have been previously reviewed:

Fixes: #10628

@tgross tgross added this to the 1.8.0 milestone Mar 21, 2024
@tgross tgross changed the title from "transparent proxy" to "Connect transparent proxy support" Mar 21, 2024
@tgross tgross added the theme/consul/connect Consul Connect integration label Mar 21, 2024
@tgross tgross self-assigned this Mar 21, 2024
tgross added a commit that referenced this pull request Mar 27, 2024
tgross added a commit that referenced this pull request Mar 28, 2024
Update the service mesh integration docs to explain how Consul needs to be
configured for transparent proxy. Update the walkthrough to assume that
`transparent_proxy` mode is the best approach, and move the manually-configured
`upstreams` to a separate section for users who don't want to use Consul DNS.

Ref: #20175
Ref: #20241
tgross added a commit that referenced this pull request Apr 3, 2024
Migrate our E2E tests for Connect off the old framework in preparation for
writing E2E tests for transparent proxy and the updated workload identity
workflow. Mark the tests that cover the legacy Consul token submitted workflow.

Ref: #20175
Add a constraint on job submission that requires the `consul-cni` plugin
fingerprint whenever transparent proxy is used.

Add a validation that the `network.dns` cannot be set when transparent proxy is
used, unless the `no_dns` flag is set.
tgross added a commit that referenced this pull request Apr 5, 2024
Add the `consul-cni` plugin to the Linux AMI for E2E, and add a test case that
covers the transparent proxy feature.

Ref: #20175
Add the `consul-cni` plugin to the Linux AMI for E2E, and add a test case that
covers the transparent proxy feature. Add test assertions to the Connect tests
for upstream reachability

Ref: #20175
api/consul.go (review thread, resolved)

@shoenig shoenig left a comment

LGTM! just the small docs/comment notes

website/content/docs/integrations/consul/service-mesh.mdx (4 review threads, outdated, resolved)
client/allocrunner/networking_cni.go (review thread, outdated, resolved)
The `getPortMapping` method forces callers to handle two different data
structures, but only one caller cares about it. We don't want to return a single
map or slice because the `cni.PortMapping` object doesn't include a label field
that we need for tproxy. Return a new data structure that closes over both a
slice of `cni.PortMapping` and a map of label to index in that slice.
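
The shape of the structure that commit message describes, as an added example that is not the code from this PR: `PortMapping` is a local stand-in for `cni.PortMapping`, and the type, method and label names are assumptions made for illustration.

```go
package main

import "fmt"

// PortMapping is a local stand-in for cni.PortMapping (assumed field set).
// Like the type described in the commit message, it carries no label.
type PortMapping struct {
	HostPort      int32
	ContainerPort int32
	Protocol      string
	HostIP        string
}

// portMappings (hypothetical name) closes over the slice that is handed to
// CNI and a map of port label to index in that slice.
type portMappings struct {
	ports  []PortMapping
	labels map[string]int
}

func newPortMappings() *portMappings {
	return &portMappings{labels: map[string]int{}}
}

// set always appends, so the slice keeps every mapping; the label index
// points at the most recently added entry for that label.
func (p *portMappings) set(label string, m PortMapping) {
	p.ports = append(p.ports, m)
	p.labels[label] = len(p.ports) - 1
}

// get resolves a label without the caller touching a second structure.
func (p *portMappings) get(label string) (PortMapping, bool) {
	i, ok := p.labels[label]
	if !ok {
		return PortMapping{}, false
	}
	return p.ports[i], true
}

// slice returns the plain list for callers that do not care about labels.
func (p *portMappings) slice() []PortMapping { return p.ports }

func main() {
	pm := newPortMappings()
	// Constructed sample ports; the labels are made up for this example.
	pm.set("http", PortMapping{HostPort: 8080, ContainerPort: 80, Protocol: "tcp"})
	pm.set("proxy", PortMapping{HostPort: 25000, ContainerPort: 25000, Protocol: "tcp"})
	m, ok := pm.get("proxy")
	fmt.Println(len(pm.slice()), m.HostPort, ok)
}
```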
@tgross tgross merged commit 8298d39 into main Apr 10, 2024
21 checks passed
@tgross tgross deleted the f-tproxy branch April 10, 2024 15:00
philrenaud pushed a commit that referenced this pull request Apr 18, 2024
philrenaud pushed a commit that referenced this pull request Apr 18, 2024
philrenaud pushed a commit that referenced this pull request Apr 18, 2024
philrenaud pushed a commit that referenced this pull request Apr 18, 2024

david-yu commented May 7, 2024

@tgross Would it be possible to also update the Terraform Nomad provider to utilize the new transparent proxy block?

tgross commented May 8, 2024

We typically update the TF provider on GA.

Successfully merging this pull request may close these issues.

Add support for transparent connect proxies