I am running a k8s cluster with consul connect, and I am confused about how to go about adding AWS services to the consul registry and how this would work with connect. I am currently reading this (https://learn.hashicorp.com/consul/developer-discovery/external), but I am confused about where the envoy proxy ends up in my k8s cluster. Does k8s just schedule the proxy container anywhere and then automatically route traffic to rds through the proxy?
Hi James! If you’ve enabled automatic proxy injection then Kubernetes will inject a proxy into each of your pods. I don’t know much about RDS but if it runs in your Kubernetes cluster, it should automatically get an Envoy proxy injected.
If it runs outside of Kubernetes I imagine it will be tough to get it to talk with Connect enabled services. If it were a service you wrote, you could integrate it natively. If it were a service you (or Kubernetes) ran, you could deploy an Envoy proxy with it. But since you don’t control its code or the host it runs on it might fall in a functionality gap ATM. ESM just health checks it. It won’t deploy a proxy with it.
Sorry to not have a more satisfactory answer. I’ll check with eng to make sure this is correct, but I’m pretty sure we aren’t quite to the point of joining managed services into a Connect mesh yet. Hope this helps!
One other thing. This breaks the connect security model , but if you were to configure the services that need to talk to RDS to accept connections over the network you could circumvent Connect. If you did this you would want to put extra security in place to make sure that nothing nefarious was talking with those services. Hope it helps
thanks for the reply.
The services are not deployed in my k8s cluster, and I don’t have much control over the nodes the services run on. So it sounds like i’m going to have to figure out how to circumvent connect.
Ok, new update from eng:
You should be able to register a proxy for RDS and deploy it on a node that has a Connect agent running, using the
consul connect proxy -sidecar-for command. You’ll have to set a static IP address for RDS when you register the proxy with a
proxy.local_service_address so that the proxy and RDS can find each other.
The communication between RDS and the proxy still won’t be secured, but at least your downstream services won’t need to accept connections that circumvent their proxies.
Thanks for your help!
Did they mention anything about scheduling the proxy on k8s? The consul helm chart puts an agent on every node. So I guess that implies I can just schedule an envoy proxy anywhere on the cluster and then register it?
Also, is a dns alias for the IP address ok?