Best practices for dynamic Consul Connect upstreams?

Previous discussion from 1.5 years ago trying to solve the same problem, which eventually led to “use transparent proxies”, which are not supported by Nomad.

Hi folks! So I have a Consul Connect service running in Nomad that needs to dynamically, at runtime, make short-lived gRPC calls into other, arbitrarily-named Consul Connect services.

service “dispatcher”:

  • has consul connect sidecar
  • needs to be able to make HTTP calls to any plugin-* Consul Connect service (let’s ignore Consul ACLs for now for simplicity)

service “plugin-abc123-some-uuid”:

  • has consul connect sidecar

service “plugin-def456-some-uuid”:

  • has consul connect sidecar

My current theory is that I’ll have to do this with Connect Native: resolve the DNS, get the correct leaf cert, etc.

Is this the best current solution for this use case?
The things telling me “yes, this is the best way to do it”:

  • the Consul Proxy page has a huge disclaimer saying in no uncertain terms, “Dynamic Upstreams Require Native Integration”

The things giving me pause:

  • the Consul Proxy page mentioned above is for a deprecated feature
  • there’s this semi big warning at the top of the Connect Native page strongly suggesting “just use envoy proxy”
  • the Envoy Proxy page does not mention anything about dynamic upstreams

Thank you in advance!
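For reference, the Connect Native path sketched in the question (resolve a healthy instance of the upstream, fetch the caller’s leaf cert and the CA roots from the local agent, open mTLS, and check the peer’s SPIFFE ID before trusting the connection) looks roughly like this. It is an added example, not code from the post or from Consul’s own SDK; it assumes a local agent at 127.0.0.1:8500 with no ACL token, the OSS/default-partition SPIFFE ID layout, and uses only the Python standard library against the agent HTTP API.

```python
import json
import socket
import ssl
import tempfile
import urllib.request
from urllib.parse import urlparse

CONSUL = "http://127.0.0.1:8500"  # assumption: local agent, no ACL token needed

def consul_get(path):
    with urllib.request.urlopen(CONSUL + path) as resp:
        return json.load(resp)

def authorize_spiffe(uri, trust_domain, dc, prefix):
    """Return the service name if `uri` is a Consul SPIFFE ID in our trust domain
    and datacenter naming a <prefix>* service, else None.  Layout (OSS/default
    partition): spiffe://<trust-domain>/ns/<ns>/dc/<dc>/svc/<service>"""
    p = urlparse(uri)
    parts = p.path.strip("/").split("/")
    if p.scheme != "spiffe" or p.netloc != trust_domain or len(parts) != 6:
        return None
    if parts[0] != "ns" or parts[2] != "dc" or parts[4] != "svc" or parts[3] != dc:
        return None
    return parts[5] if parts[5].startswith(prefix) else None

def dial_upstream(own_service, upstream, dc="dc1", prefix="plugin-"):
    """Pick a passing Connect instance of `upstream`, open mTLS with our leaf cert
    and keep the socket only if the peer presents an allowed SPIFFE identity."""
    roots = consul_get("/v1/agent/connect/ca/roots")
    leaf = consul_get(f"/v1/agent/connect/ca/leaf/{own_service}")
    entries = consul_get(f"/v1/health/connect/{upstream}?passing")
    if not entries:
        raise RuntimeError(f"no passing instances of {upstream}")
    svc, node = entries[0]["Service"], entries[0]["Node"]
    addr = (svc.get("Address") or node["Address"], svc["Port"])
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # identity is the URI SAN, not a DNS hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cadata="".join(r["RootCert"] for r in roots["Roots"]))
    with tempfile.NamedTemporaryFile("w") as cert, tempfile.NamedTemporaryFile("w") as key:
        cert.write(leaf["CertPEM"]); cert.flush()
        key.write(leaf["PrivateKeyPEM"]); key.flush()
        ctx.load_cert_chain(cert.name, key.name)  # load_cert_chain wants file paths
    tls = ctx.wrap_socket(socket.create_connection(addr))
    uris = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "URI"]
    if not any(authorize_spiffe(u, roots["TrustDomain"], dc, prefix) for u in uris):
        tls.close()
        raise PermissionError(f"{upstream} presented no acceptable SPIFFE identity")
    return tls
```

The socket returned by `dial_upstream` has already passed CA verification and the SPIFFE allow-list, so whatever is sent over it (HTTP/1.1 or HTTP/2 for gRPC) is up to the caller; leaf certs are short-lived, so re-fetch them rather than caching the context for long.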