consul (A), nomad (B) and vault © are installed on bare metal.
Any service (D) started with Nomad in a Service Mesh ( connect { sidecar_service { }} ) does not have access to those services on bare metal.
How to write a Nomad job for a service (D) so that it will have access to A, B, C?
Hi @pashinin, if consul, nomad, and vault are configured to only listen to a local address it won’t be possible to connect to them directly from inside the network namespace that the connect tasks run in. You could do something like make use of consul’s unix socket listener capability and volume mount the socket file into the allocation (Nomad actually does this for the Envoy sidecar’s xDS over gRPC connection to Consul), or do some iptables magic on the host to forward packets destined for a routable address.
A third option if possible would be to make your service Connect Native, which Nomad supports running in host networking mode rather than only bridge networking.
What about terminating gateways? https://www.consul.io/docs/connect/gateways/terminating-gateway
Can it help in this situation?
I saw Ingress Gateways in recent Nomad. But that’s for incoming traffic (into service mesh).
Can Nomad run terminating gateways?
Interesting idea @pashinin, I think terminating gateways might work for this use case. Adding support for terminating and mesh gateways is on our upcoming roadmap.
Hey @shoenig,
thanks for the info and also thanks for the coding dive Nomad video.
Where can I go to check for updates on the timeline to adding Terminating Gateways to Nomad?
(My team is in need of a way to control egress and Terminating Gateways and External Services seem like they will allow us to do what we need to in a very nice way)