Hey,
I have an issue with internal Consul DNS: even though a service is registered and all health checks pass, the Consul internal DNS records are not set…
$ dig @127.0.0.1 app.service.consul. -p 8600 ANY
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.4 <<>> @127.0.0.1 app.service.consul. -p 8600 ANY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7627
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;app.service.consul. IN ANY
;; AUTHORITY SECTION:
consul. 0 IN SOA ns.consul. hostmaster.consul. 1594204518 3600 600 86400 0
;; Query time: 1 msec
;; SERVER: 127.0.0.1#8600(127.0.0.1)
;; WHEN: Wed Jul 08 10:35:18 UTC 2020
;; MSG SIZE rcvd: 97
- app is the service name; it's also present as a tag
- I run the dig command on the client (where the service is running)
- dig returns the same output on the masters
Any thoughts?
UPDATE: ok, it works now. I forgot to mention that I enabled ACLs with the default policy set to deny.
More or less, the anonymous token needs access to some things on Consul's end.
# Policy granting read access to the service named "consul".
resource "consul_acl_policy" "service_consul_read" {
  name  = "service-consul-read"
  rules = <<-RULE
    service "consul" {
      policy = "read"
    }
  RULE
}

# Policy granting read access to every node (empty prefix matches all).
resource "consul_acl_policy" "list_all_nodes" {
  name  = "list-all-nodes"
  rules = <<-RULE
    node_prefix "" {
      policy = "read"
    }
  RULE
}

# Attach both policies to the built-in anonymous token
# (accessor ID 00000000-0000-0000-0000-000000000002), which is what
# DNS queries are evaluated against when no default token is configured.
resource "consul_acl_token_policy_attachment" "service_consul_read" {
  token_id = "00000000-0000-0000-0000-000000000002"
  policy   = consul_acl_policy.service_consul_read.name
}

resource "consul_acl_token_policy_attachment" "list_all_nodes" {
  token_id = "00000000-0000-0000-0000-000000000002"
  policy   = consul_acl_policy.list_all_nodes.name
}
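The awkward part of this failure mode is that an ACL denial on the DNS interface looks exactly like an unregistered service: an authoritative NXDOMAIN with an SOA for "consul.", as in the dig output above. The script below is an added example, not code from the original post or from Consul itself. It classifies a dig response so a re-check after changing the anonymous token's policies gives an unambiguous result, and it wraps the actual dig call in a helper that assumes a Consul agent on 127.0.0.1:8600. The two embedded dig transcripts are constructed samples (the first is condensed from the output in the post).

```shell
#!/usr/bin/env bash
# Added example: tell "no such record" apart from "query failed" in dig
# output from Consul's DNS interface (port 8600), then wrap it in a
# service check. Not part of the original post.

# classify_dig_output TEXT
# Prints one of: resolved, noanswer, nxdomain, servfail, unreachable, unknown
classify_dig_output() {
  local text="$1" status answers
  # dig reports transport failures as a comment line, not a status code.
  if printf '%s\n' "$text" | grep -qE 'connection timed out|no servers could be reached'; then
    echo unreachable
    return 0
  fi
  status=$(printf '%s\n' "$text" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n1)
  answers=$(printf '%s\n' "$text" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n1)
  case "$status" in
    NOERROR)
      # NOERROR with an empty answer section means the name exists but has
      # no record of the requested type.
      if [ "${answers:-0}" -gt 0 ]; then echo resolved; else echo noanswer; fi
      ;;
    NXDOMAIN) echo nxdomain ;;   # unregistered, failing, or ACL-denied
    SERVFAIL) echo servfail ;;
    "")       echo unreachable ;; # no header at all, e.g. dig not installed
    *)        echo unknown ;;
  esac
}

# check_service_dns NAME [AGENT] [PORT]
# Queries NAME.service.consul for an A record and prints the classification.
# Assumes dig is on PATH and a Consul agent answers DNS on AGENT:PORT
# (defaults are the standard local agent and Consul's default DNS port).
check_service_dns() {
  local name="$1" agent="${2:-127.0.0.1}" port="${3:-8600}" out
  out=$(dig @"$agent" -p "$port" "${name}.service.consul." A +time=2 +tries=1 2>&1)
  classify_dig_output "$out"
}

# Constructed sample: the denied/unregistered case, condensed from the post.
SAMPLE_DENIED=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7627
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
consul. 0 IN SOA ns.consul. hostmaster.consul. 1594204518 3600 600 86400 0'

# Constructed sample: what a healthy, readable service looks like.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
app.service.consul. 0 IN A 10.0.0.12'

# Constructed sample: agent not listening on the DNS port.
SAMPLE_DOWN=';; connection timed out; no servers could be reached'

# Run against a live agent only when a service name is given on the
# command line, so sourcing this file has no side effects.
if [ "$#" -gt 0 ]; then
  printf 'denied sample: %s\n' "$(classify_dig_output "$SAMPLE_DENIED")"
  printf 'ok sample:     %s\n' "$(classify_dig_output "$SAMPLE_OK")"
  printf 'live %s:     %s\n' "$1" "$(check_service_dns "$1")"
fi
```

Run it as `bash check-dns.sh app` on the node where the service is registered. If the live result is still `nxdomain` after the policies above are applied, confirm the token Consul actually uses for DNS: without `acl.tokens.default` in the agent config, DNS queries are evaluated against the anonymous token, so whatever you attach to it is readable by anyone who can reach port 8600 (service names, node names, and addresses). Granting `node_prefix ""` and `service_prefix ""` read to anonymous is the documented way to make DNS work under default-deny, but it is also an unauthenticated catalog listing, which is worth a line in the threat model.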