From e2e561da888a5b40b88bec2014067090910125fc Mon Sep 17 00:00:00 2001 From: Tim Gross Date: Wed, 10 Apr 2024 08:55:50 -0400 Subject: [PATCH] tproxy: documentation improvements --- website/content/docs/configuration/client.mdx | 2 +- website/content/docs/configuration/index.mdx | 2 +- .../docs/integrations/consul/service-mesh.mdx | 19 ++++++++++++------- .../job-specification/transparent_proxy.mdx | 2 +- 4 files changed, 15 insertions(+), 10 deletions(-) diff --git a/website/content/docs/configuration/client.mdx b/website/content/docs/configuration/client.mdx index f6088f394..916230b8a 100644 --- a/website/content/docs/configuration/client.mdx +++ b/website/content/docs/configuration/client.mdx @@ -739,7 +739,7 @@ client { [metadata_constraint]: /nomad/docs/job-specification/constraint#user-specified-metadata 'Nomad User-Specified Metadata Constraint Example' [runtime_var_interpolation]: /nomad/docs/runtime/interpolation [task working directory]: /nomad/docs/runtime/environment#task-directories 'Task directories' -[go-sockaddr/template]: https://godoc.org/github.com/hashicorp/go-sockaddr/template +[go-sockaddr/template]: https://pkg.go.dev/github.com/hashicorp/go-sockaddr/template [landlock]: https://docs.kernel.org/userspace-api/landlock.html [`leave_on_interrupt`]: /nomad/docs/configuration#leave_on_interrupt [`leave_on_terminate`]: /nomad/docs/configuration#leave_on_terminate diff --git a/website/content/docs/configuration/index.mdx b/website/content/docs/configuration/index.mdx index 11531775e..b2c7ed669 100644 --- a/website/content/docs/configuration/index.mdx +++ b/website/content/docs/configuration/index.mdx 
@@ -392,7 +392,7 @@ http_api_response_headers { [`server`]: /nomad/docs/configuration/server 'Nomad Agent server Configuration' [tls]: /nomad/docs/configuration/tls 'Nomad Agent tls Configuration' [`vault`]: /nomad/docs/configuration/vault 'Nomad Agent vault Configuration' -[go-sockaddr/template]: https://godoc.org/github.com/hashicorp/go-sockaddr/template +[go-sockaddr/template]: https://pkg.go.dev/github.com/hashicorp/go-sockaddr/template [log-api]: /nomad/api-docs/client#stream-logs [hcl]: https://github.com/hashicorp/hcl 'HashiCorp Configuration Language' [tls-reload]: /nomad/docs/configuration/tls#tls-configuration-reloads diff --git a/website/content/docs/integrations/consul/service-mesh.mdx b/website/content/docs/integrations/consul/service-mesh.mdx index 3df95e6b2..96aa8db4f 100644 --- a/website/content/docs/integrations/consul/service-mesh.mdx +++ b/website/content/docs/integrations/consul/service-mesh.mdx @@ -136,9 +136,9 @@ node_prefix "" { policy = "read" } #### Transparent Proxy -Using Nomad's support for [transparent proxy][] configures the network namespace -so that traffic flows through the Envoy proxy. When the [`transparent_proxy`][] -block is enabled: +Using Nomad's support for [transparent proxy][] configures the task group's +network namespace so that traffic flows through the Envoy proxy. When the +[`transparent_proxy`][] block is enabled: * Nomad will invoke the [`consul-cni`][] CNI plugin to configure `iptables` rules in the network namespace to force outbound traffic from an allocation to flow 
@@ -152,7 +152,7 @@ Using transparent proxy has several important requirements: * You must have the [`consul-cni`][] CNI plugin installed on the client host along with the usual [required CNI plugins][cni_plugins]. -* To use Consul DNS and virtual IPs, you'll need to configure Consul's DNS +* To use Consul DNS and virtual IPs, you will need to configure Consul's DNS listener to be exposed to the workload network namespace. You can do this without exposing the Consul agent on a public IP by setting the Consul `bind_addr` to bind on a private IP address (the default is to use the @@ -382,8 +382,13 @@ directed to the correct service port. ### Manually Configured Upstreams -If you don't want to use Consul DNS and `transparent_proxy` mode, you can add -`upstream` blocks to the job spec. In that case, you don't need the +You can also use Connect without Consul DNS and `transparent_proxy` mode. This +approach is not recommended because it requires duplicating service intention +information in an `upstreams` block in the Nomad job specification. But Consul +DNS is not protected by ACLs, so you might want to do this if you don't want to +expose Consul DNS to untrusted workloads. + +In that case, you can add `upstream` blocks to the job spec. You don't need the `transparent_proxy` block for the `count-api` service: ```hcl @@ -485,7 +490,7 @@ filesystem. [consul_grpc_tls]: /consul/docs/upgrading/upgrade-specific#changes-to-grpc-tls-configuration [cni_install]: /nomad/docs/install#post-installation-steps [transparent proxy]: /consul/docs/k8s/connect/transparent-proxy -[go-sockaddr/template]: https://godoc.org/github.com/hashicorp/go-sockaddr/template +[go-sockaddr/template]: https://pkg.go.dev/github.com/hashicorp/go-sockaddr/template [`recursors`]: /consul/docs/agent/config/config-files#recursors [`transparent_proxy`]: /nomad/docs/job-specification/transparent_proxy [tproxy_no_dns]: /nomad/docs/job-specification/transparent_proxy#no_dns 
diff --git a/website/content/docs/job-specification/transparent_proxy.mdx b/website/content/docs/job-specification/transparent_proxy.mdx index f3ae80645..112edb861 100644 --- a/website/content/docs/job-specification/transparent_proxy.mdx +++ b/website/content/docs/job-specification/transparent_proxy.mdx @@ -23,7 +23,7 @@ description: |- The `transparent_proxy` block configures the Envoy sidecar proxy to act as a Consul Connect [transparent proxy][tproxy]. This simplifies the configuration of Consul Connect by eliminating the need to configure [`upstreams`][] blocks in -Nomad. Instead, the Envoy proxy will takes its configuration entirely from +Nomad. Instead, the Envoy proxy will determines its configuration entirely from Consul [service intentions][]. When transparent proxy is enabled traffic will automatically flow through the
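Review bot: the replacement line in the transparent_proxy.mdx hunk (`@@ -23,7 +23,7 @@`) still has a subject-verb mismatch: `+Nomad. Instead, the Envoy proxy will determines its configuration entirely from` trades "will takes" for "will determines". Suggest "Instead, the Envoy proxy will determine its configuration entirely from" so the sentence reads correctly after "Consul [service intentions][]."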
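Review bot: the new paragraph in the service-mesh.mdx `Manually Configured Upstreams` hunk (`@@ -382,8 +382,13 @@`) is inconsistent about the block name: `+information in an \`upstreams\` block in the Nomad job specification` versus `+In that case, you can add \`upstream\` blocks to the job spec.` Use one spelling, matching the [`upstreams`][] link the transparent_proxy.mdx page already uses. The reasoning order is also hard to follow: the paragraph first says the approach is not recommended, then opens the next sentence with "But" to give the one security reason for choosing it (Consul DNS is not protected by ACLs, so you may not want to expose it to untrusted workloads). Suggest stating the trade-off in one sentence, for example "This approach duplicates service intention information in an `upstreams` block, so it is not recommended unless you need to avoid exposing Consul DNS, which is not protected by ACLs, to untrusted workloads."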