I’m having issues with the Consul ambassador connector. I was able to get all of the components up and running by following: Ambassador Integration - Kubernetes | Consul by HashiCorp
When I look at the logs I see that one error is repeating…the error is pointing to the host IP on port 8500 (is the host IP the node?) …it’s failing due to a permission problem, but I’m not sure where I should look to resolve this…
Here is a snippet from the logs:
level=info msg="Starting Consul Connect Integration" consul_host=22.214.171.124 consul_port=8500 version=1.8.1
2020-11-05T02:07:49.846222558Z time="2020-11-05T02:07:49Z" level=info msg="Watching CA leaf for ambassador\n"
2020-11-05T02:07:49.846243147Z time="2020-11-05T02:07:49Z" level=info msg="[ERR] consul.watch: Watch (type: connect_leaf) errored: Get "http://126.96.36.199:8500/v1/agent/connect/ca/leaf/ambassador": dial tcp 188.8.131.52:8500: connect: connection refused, retry in 5s"
What does your helm config look like? Consul should be listening on that port but maybe you have tls enabled?
Yes, I have tls enabled, my config (values) file has this entry:
Also, I haven’t been able to find where the IP 184.108.40.206 is coming from, so this is confusing…
Should I disable TLS and just use the end-to-end encryption that is provided with Ambassador?
Regarding the ip in question, I spoke too soon, that particular ip is coming from a Node. When I accessed the node there is no 8500 listening. Any advice on what I’m missing in my configuration?
I just noticed this open issue, not sure if my problem is related: https://github.com/datawire/ambassador/issues/2515
Just a polite ping… any feedback from my comments? Thanks…
When TLS is enabled in the Helm chart, Consul only listens on port 8501 (HTTPS) instead of 8500 (HTTP).
It appears from one of the comments in the issue you posted that it’s possible to pass a few environment variables to Ambassador to tell it to contact Consul on an alternate port.
Can you try adding the following to the ambassador-consul-connect-integration Deployment and see if that resolves the connectivity issues?
- name: _CONSUL_PORT
- name: CONSUL_HTTP_SSL
- name: CONSUL_HTTP_SSL_VERIFY
Looks like that solved the issue. Thanks!
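Added example (not part of the original thread, and not Ambassador or Consul project code): a small Python triage of the connector's watch errors that separates the 8500/8501 port mismatch described above from a certificate trust failure, a case that goes beyond what the thread shows. The log lines and the 192.0.2.10 address are constructed, and `diagnose` and its finding labels are hypothetical names.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the connector's log format (192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    'time="2020-11-05T02:07:49Z" level=info msg="Watching CA leaf for ambassador\\n"',
    'time="2020-11-05T02:07:49Z" level=info msg="[ERR] consul.watch: Watch (type: connect_leaf) errored: '
    'Get "http://192.0.2.10:8500/v1/agent/connect/ca/leaf/ambassador": dial tcp 192.0.2.10:8500: '
    'connect: connection refused, retry in 5s"',
    'time="2020-11-05T02:09:12Z" level=info msg="[ERR] consul.watch: Watch (type: connect_leaf) errored: '
    'Get "https://192.0.2.10:8501/v1/agent/connect/ca/leaf/ambassador": '
    'x509: certificate signed by unknown authority, retry in 5s"',
]

# Failed watch: requested URL (quotes may or may not be backslash-escaped) and the Go error text.
WATCH_ERR = re.compile(r'errored: Get \\?"(?P<url>[^"\\]+)\\?": (?P<err>.*?), retry in')

HTTP_PORT = 8500  # Consul's plaintext API port; with TLS on in the chart only 8501 (HTTPS) listens


def diagnose(lines, tls_enabled=True):
    """Return one (url, finding) tuple per failed Consul watch found in the log lines."""
    findings = []
    for line in lines:
        m = WATCH_ERR.search(line)
        if not m:
            continue  # not a watch failure
        url = urlsplit(m["url"])
        err = m["err"]
        refused = "connection refused" in err
        if tls_enabled and url.scheme == "http" and url.port == HTTP_PORT and refused:
            finding = "plaintext-port-closed"    # client still speaks HTTP to 8500
        elif url.scheme == "https" and "x509:" in err:
            # Reachable over TLS, but the client does not trust the Consul CA;
            # the fix is to supply the CA, not to switch verification off.
            finding = "certificate-not-trusted"
        elif refused:
            finding = "agent-unreachable"        # nothing listening on that host:port
        else:
            finding = "other"
        findings.append((m["url"], finding))
    return findings


if __name__ == "__main__":
    for url, finding in diagnose(SAMPLE_LOG):
        print(f"{finding:24} {url}")
```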