consul/connect: add support for running connect native tasks

This PR adds the capability of running Connect Native Tasks on Nomad, particularly when TLS and ACLs are enabled on Consul. The `connect` stanza now includes a `native` parameter, which can be set to the name of task that backs the Connect Native Consul service. There is a new Client configuration parameter for the `consul` stanza called `share_ssl`. Like `allow_unauthenticated` the default value is true, but recommended to be disabled in production environments. When enabled, the Nomad Client's Consul TLS information is shared with Connect Native tasks through the normal Consul environment variables. This does NOT include auth or token information. If Consul ACLs are enabled, Service Identity Tokens are automatically and injected into the Connect Native task through the CONSUL_HTTP_TOKEN environment variable. Any of the automatically set environment variables can be overridden by the Connect Native task using the `env` stanza. Fixes #6083
2026-01-06 02:15:43 +03:00 · 2020-05-13 14:15:55 -06:00
parent 4a769f886e
commit 7e8d5c2392
25 changed files with 976 additions and 111 deletions
--- a/command/agent/consul/connect.go
+++ b/command/agent/consul/connect.go
@@ -17,7 +17,7 @@ func newConnect(serviceName string, nc *structs.ConsulConnect, networks structs.
 		return nil, nil
 	}

-	if nc.Native {
+	if nc.IsNative() {
 		return &api.AgentServiceConnect{Native: true}, nil
 	}

--- a/command/agent/consul/connect_test.go
+++ b/command/agent/consul/connect_test.go
@@ -32,7 +32,7 @@ func TestConnect_newConnect(t *testing.T) {

 	t.Run("native", func(t *testing.T) {
 		asr, err := newConnect("", &structs.ConsulConnect{
-			Native: true,
+			Native: "foo",
 		}, nil)
 		require.NoError(t, err)
 		require.True(t, asr.Native)
@@ -41,7 +41,7 @@ func TestConnect_newConnect(t *testing.T) {

 	t.Run("with sidecar", func(t *testing.T) {
 		asr, err := newConnect("redis", &structs.ConsulConnect{
-			Native: false,
+			Native: "",
 			SidecarService: &structs.ConsulSidecarService{
 				Tags: []string{"foo", "bar"},
 				Port: "sidecarPort",
--- a/command/agent/job_endpoint_test.go
+++ b/command/agent/job_endpoint_test.go
@@ -1693,7 +1693,7 @@ func TestJobs_ApiJobToStructsJob(t *testing.T) {
 							},
 						},
 						Connect: &api.ConsulConnect{
-							Native: false,
+							Native: "",
 							SidecarService: &api.ConsulSidecarService{
 								Tags: []string{"f", "g"},
 								Port: "9000",
@@ -2061,7 +2061,7 @@ func TestJobs_ApiJobToStructsJob(t *testing.T) {
 							},
 						},
 						Connect: &structs.ConsulConnect{
-							Native: false,
+							Native: "",
 							SidecarService: &structs.ConsulSidecarService{
 								Tags: []string{"f", "g"},
 								Port: "9000",
@@ -2763,16 +2763,26 @@ func TestConversion_apiConnectSidecarServiceToStructs(t *testing.T) {
 	}))
 }

-func TestConversion_ApiConsulConnectToStructs(t *testing.T) {
+func TestConversion_ApiConsulConnectToStructs_legacy(t *testing.T) {
 	t.Parallel()
 	require.Nil(t, ApiConsulConnectToStructs(nil))
 	require.Equal(t, &structs.ConsulConnect{
-		Native:         false,
+		Native:         "",
 		SidecarService: &structs.ConsulSidecarService{Port: "myPort"},
 		SidecarTask:    &structs.SidecarTask{Name: "task"},
 	}, ApiConsulConnectToStructs(&api.ConsulConnect{
-		Native:         false,
+		Native:         "",
 		SidecarService: &api.ConsulSidecarService{Port: "myPort"},
 		SidecarTask:    &api.SidecarTask{Name: "task"},
 	}))
 }
+
+func TestConversion_ApiConsulConnectToStructs_native(t *testing.T) {
+	t.Parallel()
+	require.Nil(t, ApiConsulConnectToStructs(nil))
+	require.Equal(t, &structs.ConsulConnect{
+		Native: "foo",
+	}, ApiConsulConnectToStructs(&api.ConsulConnect{
+		Native: "foo",
+	}))
+}