Attempting to follow along with the introductory Consul Connect / proxy guide here: Getting Started with Connect guide
I already have a cluster which is configured with ACLs in default deny mode, so I had to do extra things to make it work and I wanted to make sure this was the expected set…
I created a token and policy for the “socat” service; to register it, the policy needed to be:

```hcl
service "socat" { policy = "write" }
service "socat-sidecar-proxy" { policy = "write" }
```

… without this the service registration would fail.
For the “web” service, I needed:

```hcl
service "web" { policy = "write" }
service "web-sidecar-proxy" { policy = "write" }
service "socat" { policy = "read" }
service "socat-sidecar-proxy" { policy = "read" }
node_prefix "" { policy = "read" }
```
… the two “write” policies were necessary to register the service and start the proxy, but on their own it did not work and would not see that the “socat” service was healthy.
Adding the three “read” policies seemed to be necessary. I sort of understand the need to read the service for the upstream, but the “node_prefix” policy was very confusing, and I only discovered it after intense debugging and finding that the health endpoint depended on node:read.
Finally, I had to add an intent for web -> allow -> socat, which is fine.
Is this documented anywhere at all? It was an extremely head-scratching experience to get it to work, especially the “node_prefix” requirement.
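To make the node:read dependency concrete, here is an added example (not Consul's code, and not part of the original post) that models the ACL filtering the health endpoint applies: an instance is only returned when the token can read both the service and the node that hosts it. The in-memory catalog and the exact-then-longest-prefix rule resolution are assumed simplifications of Consul's behaviour.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    # name -> "read" | "write" | "deny"; exact and prefix rules as in Consul ACL HCL
    service: dict = field(default_factory=dict)
    service_prefix: dict = field(default_factory=dict)
    node: dict = field(default_factory=dict)
    node_prefix: dict = field(default_factory=dict)

    @staticmethod
    def _resolve(exact, prefixes, name):
        """Exact rule wins; otherwise the longest matching prefix; otherwise deny
        (the cluster in the post runs with a default-deny ACL policy)."""
        if name in exact:
            return exact[name]
        matches = [p for p in prefixes if name.startswith(p)]
        return prefixes[max(matches, key=len)] if matches else "deny"

    def can_read_service(self, name):
        return self._resolve(self.service, self.service_prefix, name) in ("read", "write")

    def can_read_node(self, name):
        return self._resolve(self.node, self.node_prefix, name) in ("read", "write")


# Constructed catalog: (node, service) pairs standing in for the post's cluster.
CATALOG = [("node-a", "socat"), ("node-a", "socat-sidecar-proxy"), ("node-b", "web")]


def health_service(policy, service):
    """Model of GET /v1/health/service/<service> (assumed simplification):
    no service:read -> permission denied (None); otherwise each instance is
    dropped unless the token can also read the node it runs on, so a token
    lacking node:read sees an empty list and the upstream looks unhealthy."""
    if not policy.can_read_service(service):
        return None
    return [(n, s) for n, s in CATALOG if s == service and policy.can_read_node(n)]


# The "web" policy from the post, before and after the node_prefix rule was added.
WEB_NO_NODE_READ = Policy(
    service={"web": "write", "web-sidecar-proxy": "write",
             "socat": "read", "socat-sidecar-proxy": "read"})
WEB_FULL = Policy(service=dict(WEB_NO_NODE_READ.service), node_prefix={"": "read"})

if __name__ == "__main__":
    print(health_service(WEB_NO_NODE_READ, "socat"))  # [] -> upstream never becomes healthy
    print(health_service(WEB_FULL, "socat"))          # [('node-a', 'socat')]
```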