Access a Connect Proxy from inside a Consul Connect Native container

I’m running out of ideas for how I should accomplish this. It almost seems easier if my main job was not a Connect Native job and that the Native interface is making this more difficult.

I’m trying to run Traefik as an ingress proxy using Consul Connect and have it forward auth to Authelia. This requires Traefik’s configuration to contain an address at which it can reach Authelia. If Traefik were not run Connect Native, I’d set an upstream and then template ${NOMAD_UPSTREAM_ADDR_authelia} into my configuration, but that won’t work here because that uses the sidecar proxy.

I read on another thread to try to use DNS forwarding. I’ve done this, and from within my traefik container authelia.service.consul resolves; however, it resolves to the host and port bound to the service (not reachable) and not to the Connect Proxy. It also doesn’t include any port information, so it wouldn’t be very useful for this case anyway.

How should this be done? Is there any way with a Connect Native application to communicate with a Connect Sidecar task by an address? Or will this require some kind of upstream change to Traefik to use the Connect Native libraries to lookup the forward auth destination?

You can resolve the IP and port of a service’s Connect sidecar over DNS using a Connect-capable service lookup. Resolving the port requires the use of an SRV query.

I haven’t looked too much at the behavior of Traefik’s ForwardAuth middleware. I’m not sure if it can be configured to utilize the certificates obtained via the Connect-native integration, or whether changes are required to support that.
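As an added illustration of the answer above (this is example code, not from the thread, Consul or Traefik): the Connect-capable lookup name is `<service>.connect[.<datacenter>].<domain>`, queried with an SRV record against the agent's DNS port (8600 by default, e.g. `dig @127.0.0.1 -p 8600 authelia.connect.consul SRV`). The script below builds that name, parses a dig-style SRV answer, applies RFC 2782 priority/weight selection, and turns the chosen record into a `host:port` URL. The sample answer is constructed, and the decoding of Consul's `<hex-ip>.addr.<dc>.<domain>` target form assumes IPv4.

```python
# Added example: Connect-capable SRV lookup name and sidecar address selection.
import random
from typing import Callable, Iterable, List, NamedTuple, Optional


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def connect_srv_name(service: str, datacenter: Optional[str] = None,
                     domain: str = "consul") -> str:
    """Consul's Connect-capable lookup form: <service>.connect[.<datacenter>].<domain>.
    Query it with an SRV record: dig @127.0.0.1 -p 8600 authelia.connect.consul SRV"""
    labels = [service, "connect"]
    if datacenter:
        labels.append(datacenter)
    labels.append(domain)
    return ".".join(labels)


def parse_srv_answer(lines: Iterable[str]) -> List[SrvRecord]:
    """Parse dig-style lines: '<name> <ttl> IN SRV <prio> <weight> <port> <target>'."""
    records = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank lines, comments and section headers
        f = line.split()
        if len(f) < 8 or f[2] != "IN" or f[3] != "SRV":
            continue  # e.g. the A records from the additional section
        priority, weight, port = (int(x) for x in f[4:7])
        records.append(SrvRecord(priority, weight, port, f[7].rstrip(".")))
    return records


def decode_addr_target(target: str) -> str:
    """Consul encodes a service address that differs from the node address as
    <hex-ip>.addr.<dc>.<domain> (assumed IPv4: 8 hex characters). Return the
    dotted address, or the target unchanged if it is not in that form."""
    first, _, rest = target.partition(".")
    if not rest.startswith("addr.") or len(first) != 8:
        return target
    try:
        return ".".join(str(int(first[i:i + 2], 16)) for i in range(0, 8, 2))
    except ValueError:
        return target


def select_srv(records: List[SrvRecord],
               rng: Callable[[], float] = random.random) -> Optional[SrvRecord]:
    """RFC 2782 selection: lowest priority wins; ties are broken weighted-randomly."""
    if not records:
        return None
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return candidates[0]
    pick = rng() * total
    acc = 0
    for r in candidates:
        acc += r.weight
        if pick < acc:
            return r
    return candidates[-1]


def forward_auth_address(lines: Iterable[str], scheme: str = "https",
                         rng: Callable[[], float] = random.random) -> str:
    """Turn an SRV answer into the sidecar URL a forwardAuth setting would need."""
    rec = select_srv(parse_srv_answer(lines), rng)
    if rec is None:
        raise LookupError("no SRV records: is a Connect sidecar registered for the service?")
    return f"{scheme}://{decode_addr_target(rec.target)}:{rec.port}"


# Constructed sample of what 'dig ... authelia.connect.consul SRV' might print.
SAMPLE_ANSWER = """
;; ANSWER SECTION:
authelia.connect.consul. 0 IN SRV 1 1 21000 ac110002.addr.dc1.consul.
authelia.connect.consul. 0 IN SRV 1 3 21001 ac110003.addr.dc1.consul.

;; ADDITIONAL SECTION:
ac110002.addr.dc1.consul. 0 IN A 172.17.0.2
ac110003.addr.dc1.consul. 0 IN A 172.17.0.3
""".splitlines()

if __name__ == "__main__":
    print(connect_srv_name("authelia", "dc1"))
    print(forward_auth_address(SAMPLE_ANSWER))
```

The URL this produces points at the sidecar's public listener, which only accepts Connect mTLS connections; unless the calling middleware presents the client's Connect certificate (the open question in the reply above), the sidecar will reject the connection, so the lookup alone does not make forwardAuth work.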

Thanks. So it probably needs some work on the Traefik side then since it will need to lookup the port and specify the certificates. I’ll dig around over there.

Here’s an issue tracking this on Traefik: Support service-name as address value in the forwardAuth middleware · Issue #8051 · traefik/traefik · GitHub