tproxy: networking hook changes #20183

tgross · 2024-03-21T18:39:52Z

When transparent_proxy block is present and the network mode is bridge, use a different CNI configuration that includes the consul-cni plugin. Before invoking the CNI plugins, create a Consul SDK iptables.Config struct for the allocation. This includes:

Use all the transparent_proxy block fields
The reserved ports are added to the inbound exclusion list so the alloc is reachable from outside the mesh
The expose blocks and check blocks with expose=true are added to the inbound exclusion list so health checks work.

The iptables.Config is then passed as a CNI argument to the consul-cni plugin.

Ref: #10628
Ref: hashicorp/consul-k8s#3795

This PR targets the feature branch. In addition to the new unit tests, I've verified the behavior of this PR with a build of consul-cni from hashicorp/consul-k8s#3795 and the following jobspec which is our usual "countdash" Connect example, but with transparent proxy and health checking added:

countdash with tproxy

job "countdash" {

  group "api" {
    network {
      mode = "bridge"
    }

    service {
      name = "count-api"
      port = "9001"

      check {
        type     = "http"
        path     = "/health"
        expose   = true
        interval = "3s"
        timeout  = "1s"

        check_restart {
          limit = 0
        }
      }

      connect {
        sidecar_service {
          proxy {
            transparent_proxy {}
          }
        }
      }
    }

    task "web" {
      driver = "docker"

      config {
        image          = "hashicorpdev/counter-api:v3"
        auth_soft_fail = true
      }
    }
  }

  group "dashboard" {
    network {
      mode = "bridge"

      port "http" {
        static = 9010
        to     = 9002
      }
    }

    service {
      name = "count-dashboard"
      port = "9002"

      check {
        type     = "http"
        path     = "/health"
        expose   = true
        interval = "3s"
        timeout  = "1s"

        check_restart {
          limit = 0
        }
      }

      connect {
        sidecar_service {
          proxy {
            transparent_proxy {}
          }
        }
      }
    }

    task "dashboard" {
      driver = "docker"

      env {
        COUNTING_SERVICE_URL = "http://count-api.virtual.consul:9001"
      }

      config {
        image          = "hashicorpdev/counter-dashboard:v3"
        auth_soft_fail = true
      }
    }
  }
}

When `transparent_proxy` block is present and the network mode is `bridge`, use a different CNI configuration that includes the `consul-cni` plugin. Before invoking the CNI plugins, create a Consul SDK `iptables.Config` struct for the allocation. This includes: * Use all the `transparent_proxy` block fields * The reserved ports are added to the inbound exclusion list so the alloc is reachable from outside the mesh * The `expose` blocks and `check` blocks with `expose=true` are added to the inbound exclusion list so health checks work. The `iptables.Config` is then passed as a CNI argument to the `consul-cni` plugin. Ref: #10628

client/allocrunner/networking_cni.go

client/client.go

shoenig

LGTM!!

tgross · 2024-03-27T14:30:14Z

Holding off merging this until this conversation is resolved: https://github.com/hashicorp/consul-k8s/pull/3795/files#r1539851537. If it takes a while to get resolved I might merge as-is anyways and then just push any change needed to the arg name to the feature branch as a separate commit. Resolved in 6f63b81

gulducat

looks good! just a few tidbits for your consideration

client/allocrunner/networking_bridge_linux.go

client/allocrunner/networking_cni.go

When `transparent_proxy` block is present and the network mode is `bridge`, use a different CNI configuration that includes the `consul-cni` plugin. Before invoking the CNI plugins, create a Consul SDK `iptables.Config` struct for the allocation. This includes: * Use all the `transparent_proxy` block fields * The reserved ports are added to the inbound exclusion list so the alloc is reachable from outside the mesh * The `expose` blocks and `check` blocks with `expose=true` are added to the inbound exclusion list so health checks work. The `iptables.Config` is then passed as a CNI argument to the `consul-cni` plugin. Ref: #10628

tgross added theme/consul theme/consul/connect Consul Connect integration type/enhancement labels Mar 21, 2024

tgross added this to the 1.8.0 milestone Mar 21, 2024

tgross mentioned this pull request Mar 21, 2024

Connect transparent proxy support #20175

Merged

10 tasks

vercel bot deployed to Preview – nomad-storybook-and-ui March 21, 2024 18:42 View deployment

tgross force-pushed the f-tproxy-network-config branch from a40dec2 to 487d1e4 Compare March 21, 2024 19:30

vercel bot deployed to Preview – nomad-storybook-and-ui March 21, 2024 19:33 View deployment

tgross force-pushed the f-tproxy-network-config branch from 487d1e4 to 4574eb4 Compare March 21, 2024 21:00

vercel bot deployed to Preview – nomad-storybook-and-ui March 21, 2024 21:02 View deployment

tgross force-pushed the f-tproxy branch from 1845508 to 65790d6 Compare March 22, 2024 15:34

tgross force-pushed the f-tproxy-network-config branch from 4574eb4 to dd22df6 Compare March 22, 2024 15:35

vercel bot deployed to Preview – nomad-storybook-and-ui March 22, 2024 15:38 View deployment

tgross force-pushed the f-tproxy-network-config branch from dd22df6 to 943d66a Compare March 22, 2024 15:53

vercel bot deployed to Preview – nomad-storybook-and-ui March 22, 2024 15:55 View deployment

tgross force-pushed the f-tproxy-network-config branch from 943d66a to 1aca361 Compare March 22, 2024 17:49

vercel bot deployed to Preview – nomad-storybook-and-ui March 22, 2024 17:52 View deployment

tgross force-pushed the f-tproxy branch from 65790d6 to 27929e5 Compare March 26, 2024 12:25

tgross force-pushed the f-tproxy-network-config branch from 1aca361 to a9a94ac Compare March 26, 2024 12:25

vercel bot deployed to Preview – nomad-storybook-and-ui March 26, 2024 12:28 View deployment

tgross force-pushed the f-tproxy-network-config branch from a9a94ac to 79862cb Compare March 26, 2024 15:16

vercel bot deployed to Preview – nomad-storybook-and-ui March 26, 2024 15:18 View deployment

tgross force-pushed the f-tproxy-network-config branch from 79862cb to 8ac6c19 Compare March 26, 2024 15:57

vercel bot deployed to Preview – nomad-storybook-and-ui March 26, 2024 16:00 View deployment

tgross force-pushed the f-tproxy-network-config branch from 8ac6c19 to 6bd84e5 Compare March 26, 2024 17:45

vercel bot deployed to Preview – nomad-storybook-and-ui March 26, 2024 17:47 View deployment

tgross mentioned this pull request Mar 26, 2024

Add support for Nomad transparent proxy hashicorp/consul-k8s#3795

Merged

2 tasks

tgross marked this pull request as ready for review March 26, 2024 18:08

tgross requested a review from Juanadelacuesta March 26, 2024 18:08

tgross requested review from gulducat and shoenig March 26, 2024 18:08

shoenig reviewed Mar 26, 2024

View reviewed changes

client/allocrunner/networking_cni.go Outdated Show resolved Hide resolved

overwrite DNS nameservers

226c02b

vercel bot deployed to Preview – nomad-storybook-and-ui March 26, 2024 19:47 View deployment

shoenig reviewed Mar 26, 2024

View reviewed changes

client/allocrunner/networking_cni.go Outdated Show resolved Hide resolved

shoenig reviewed Mar 26, 2024

View reviewed changes

client/client.go Outdated Show resolved Hide resolved

shoenig approved these changes Mar 26, 2024

View reviewed changes

move Envoy-related constants into helper/envoy package

3b8a7f9

vercel bot deployed to Preview – nomad-storybook-and-ui March 26, 2024 21:09 View deployment

gulducat approved these changes Mar 27, 2024

View reviewed changes

tgross added 2 commits March 27, 2024 13:27

update CNI argument we pass to match consul-cni

6f63b81

address comments on code review

4990ced

vercel bot deployed to Preview – nomad-storybook-and-ui March 27, 2024 17:31 View deployment

interpolate the existing bridge template for consul-cni

1f6d1b4

vercel bot deployed to Preview – nomad-storybook-and-ui March 27, 2024 18:08 View deployment

tgross merged commit 2045e62 into f-tproxy Mar 27, 2024
18 checks passed

tgross deleted the f-tproxy-network-config branch March 27, 2024 18:24

hc-github-team-consul-core mentioned this pull request Mar 28, 2024

Backport of Add support for Nomad transparent proxy into release/1.4.x hashicorp/consul-k8s#3830

Merged

2 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

tproxy: networking hook changes #20183

tproxy: networking hook changes #20183

tgross commented Mar 21, 2024 •

edited

Loading

shoenig left a comment

tgross commented Mar 27, 2024 •

edited

Loading

gulducat left a comment

tproxy: networking hook changes #20183

tproxy: networking hook changes #20183

Conversation

tgross commented Mar 21, 2024 • edited Loading

shoenig left a comment

Choose a reason for hiding this comment

tgross commented Mar 27, 2024 • edited Loading

gulducat left a comment

Choose a reason for hiding this comment

tgross commented Mar 21, 2024 •

edited

Loading

tgross commented Mar 27, 2024 •

edited

Loading