Consul ambassador connector

mjwilkerson-strateos · December 19, 2020, 2:34am

Hello,

I’m having issues with the Consul ambassador connector. I was able to get all of the components up and running by following: Ambassador Integration - Kubernetes | Consul by HashiCorp

When I look at the logs I see that one error is repeating…the error is pointing to the host IP on port 8500 (is the host IP the node?) …it’s failing due to a permission problem, but I’m not sure where I should look to resolve this…

Here is a snippet from the logs:

level=info msg=“Starting Consul Connect Integration” consul_host=13.42.51.35 consul_port=8500 version=1.8.1

2020-11-05T02:07:49.846222558Z time=“2020-11-05T02:07:49Z” level=info msg=“Watching CA leaf for ambassador\n”

2020-11-05T02:07:49.846243147Z time=“2020-11-05T02:07:49Z” level=info msg="[ERR] consul.watch: Watch (type: connect_leaf) errored: Get “http://13.42.51.35:8500/v1/agent/connect/ca/leaf/ambassador”: dial tcp 13.42.51.35:8500: connect: connection refused, retry in 5s"

thanks,
michael…

lkysow · November 5, 2020, 3:53am

Hi Michael,
What does your helm config look like? Consul should be listening on that port but maybe you have tls enabled?

mjwilkerson-strateos · November 5, 2020, 6:24pm

Hi lkysow,

Yes, I have tls enabled, my config (values) file has this entry:

global:
enabled: true
name: consul
datacenter: prod-dc1
image: ‘consul:1.8.4’
enableAutoEncrypt: true
tls:
enabled: true
verify: true
gossipEncryption:
tls:
enabled: true

mjwilkerson-strateos · November 6, 2020, 2:06am

also, I haven’t been able to find where the ip: 13.42.51.35 is coming from…so this is confusing…
should I disable tls and just use the end-to-end encryption that is provided with ambassador?

mjwilkerson-strateos · November 6, 2020, 6:05pm

Regarding the ip in question, I spoke too soon, that particular ip is coming from a Node. When I accessed the node there is no 8500 listening. Any advice on what I’m missing in my configuration?

I just noticed this open issue, not sure if my problem is related: https://github.com/datawire/ambassador/issues/2515

mjwilkerson-strateos · November 9, 2020, 7:13pm

Hi lkysow,

Just a polite ping… any feedback from my comments? Thanks…

blake · December 6, 2020, 10:57am

@mjwilkerson-strateos,

When TLS is enabled in the Helm chart, Consul only listens on port 8501 (HTTPS) instead of 8500 (HTTP).

It appears from one of the comments in the issue you posted that its possible to pass a few environment variables to Ambassador to tell it to contact Consul on an alternate port.

Can you try adding the following to the ambassador-consul-connect-integration Deployment and see if that resolves the connetivity issues?

- env:
  - name: _CONSUL_PORT
    value: "8501"
  - name: CONSUL_HTTP_SSL
    value: "true"
  - name: CONSUL_HTTP_SSL_VERIFY
    value: "false"

mjwilkerson-strateos · December 8, 2020, 4:23pm

Hello Blake

Looks like that solved the issue. Thanks!