Envoy with nomad

I provisioned a MySQL instance with Nomad and I want to run Envoy on top of the service. I want to implement a CIDR allowlist on my database so that only whitelisted IP addresses can connect to my DB instance — how can I do this efficiently? And no, I don't want to use an iptables configuration for this, because I want to keep the network configuration isolated. Here is my current setup:

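# MySQL behind an Envoy TCP proxy that only accepts connections from the CIDR
# ranges listed in CIDR_BLOCKS. The allowlist is enforced in Envoy, so two
# things must hold for it to mean anything:
#   1. Envoy must actually load the rendered template (see the `-c` argument).
#   2. MySQL must not be reachable except through Envoy (see --bind-address
#      and the Docker network mode below).
job "db-instance" {
  datacenters = ["dc1"]

  group "db" {
    # Host networking for the group: the static ports below are claimed on the
    # Nomad client's own interfaces.
    network {
      mode = "host"

      # Reserved so nothing else on the client takes 3306. MySQL binds loopback
      # only (see below) and is not meant to be reached on this port directly.
      port "db" {
        static = 3306
      }

      # Client-facing entry point; the CIDR allowlist applies here.
      port "proxy" {
        static = 10000
      }

      # Envoy admin API. Bound to loopback in the Envoy config below; the
      # reservation only keeps another task from taking the port.
      port "admin" {
        static = 9901
      }
    }

    task "mysql" {
      driver = "docker"

      config {
        # TODO(review): pin to a specific tag or digest instead of `latest`,
        # so a reschedule cannot silently pull a different MySQL release.
        image = "mysql:latest"
        ports = ["db"]

        # Share the host network namespace. On Docker's default bridge the
        # Envoy upstream 127.0.0.1:3306 would point at Envoy's own loopback,
        # and Docker would publish 3306 on every host interface, letting
        # clients skip the allowlist entirely.
        network_mode = "host"

        args = [
          # Loopback only: the only path to MySQL is through Envoy on the same
          # host. 0.0.0.0 exposes the raw DB port next to the proxy port.
          "--bind-address=127.0.0.1"
        ]
      }

      env {
        # NOTE(review): a plaintext secret in the job spec is visible to anyone
        # who can read the job or the allocation environment. Prefer a
        # `template` stanza that renders the value from Vault into the task's
        # secrets/ directory and pass it via MYSQL_ROOT_PASSWORD_FILE.
        MYSQL_ROOT_PASSWORD = "example-password"
      }

      resources {
        cpu    = 500
        memory = 512
      }
    }

    task "envoy" {
      driver = "docker"

      config {
        image = "envoyproxy/envoy:v1.22.0"
        ports = ["proxy", "admin"]

        # Same host namespace as MySQL, so 127.0.0.1:3306 is MySQL's socket.
        network_mode = "host"

        args = [
          # The rendered template lands in the task's local/ directory, which
          # Nomad mounts at /local inside the container. /etc/envoy/envoy.yaml
          # is the image's built-in demo config and would never see the
          # allowlist.
          "-c", "/local/envoy.yaml"
        ]
      }

      env {
        # JSON list of {address, prefix} objects rendered into
        # filter_chain_match.source_prefix_ranges below.
        CIDR_BLOCKS = "[{\"address\": \"192.168.1.0\", \"prefix\": 24}, {\"address\": \"10.0.0.0\", \"prefix\": 8}]"
      }

      template {
        destination = "local/envoy.yaml"
        change_mode = "restart"
        data = <<EOH
# Rendered by Nomad's template engine when the task starts.
admin:
  access_log:
  - name: envoy.access_loggers.file
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
      path: /tmp/admin_access.log
  # Loopback only: the admin API has no authentication and can dump the full
  # config, change log levels and drain listeners. Do not expose it on the
  # same interfaces as the proxy port.
  address:
    socket_address:
      address: 127.0.0.1
      port_value: 9901

static_resources:
  listeners:
  - name: db_listener
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: ingress_tcp
          cluster: db_cluster
      # Only connections whose peer address falls in one of these ranges match
      # this (the only) filter chain; Envoy closes everything else and counts
      # it in the listener's no_filter_chain_match stat. The peer address is
      # what Envoy sees on the socket: behind a NAT or load balancer that is
      # the intermediary's IP, not the client's, unless PROXY protocol is
      # handled in front of this match.
      filter_chain_match:
        source_prefix_ranges:
        {{ $cidr_blocks := parseJSON (env "CIDR_BLOCKS") }}
        {{ if $cidr_blocks }}
        {{ range $cidr := $cidr_blocks }}
        - address_prefix: "{{ $cidr.address }}"
          prefix_len: {{ $cidr.prefix }}
        {{ end }}
        {{ else }}
        # Fail closed: with no ranges configured only local clients get in.
        - address_prefix: "127.0.0.1"
          prefix_len: 32
        {{ end }}
  clusters:
  - name: db_cluster
    connect_timeout: 5s
    # The upstream is a literal IP; STATIC avoids a needless DNS dependency.
    type: STATIC
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: db_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                # Host loopback (host network mode): MySQL's bind address.
                address: 127.0.0.1
                port_value: 3306
EOH
      }

      resources {
        cpu    = 200
        memory = 256
      }

      service {
        name = "envoy-proxy"
        port = "proxy"

        # Consul dials this from the host's advertised address, so a check on
        # the loopback-only admin port would not be reachable. A TCP check on
        # the proxy port verifies the listener is up; Envoy accepts the
        # connection before evaluating filter_chain_match, so the agent's IP
        # need not be in the allowlist. For a deeper readiness probe use a
        # script check against http://127.0.0.1:9901/ready inside the task.
        check {
          type     = "tcp"
          port     = "proxy"
          interval = "10s"
          timeout  = "2s"
        }

        tags = [
          "ip-whitelist-enabled"
        ]
      }

      # The separate `envoy-admin` service registration is intentionally gone:
      # the admin API is loopback-only now, and advertising an unauthenticated
      # control endpoint in the catalog invites exactly the traffic the
      # allowlist exists to stop.
    }
  }
}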

May I ask why you're not just using Consul Connect? It's built on the Envoy proxy, is fairly easy to set up, and should make what you're trying to do quite simple (note that its intentions authorize by service identity rather than by source CIDR).

IIRC, Consul Connect even offers an escape-hatch mechanism for custom Envoy configuration that isn't covered by the HCL configuration.