Nomad Consul connect docker and system

We are running Consul, Vault and Nomad all on a system using systemd.

They are all integrated fine and working; however, we have a single service within Nomad that is using the Docker driver and is attempting to use Vault as a service using Consul Connect.

We have added the Envoy proxy to the host for Vault to expose it to the Consul catalog, and it’s appearing there. The health checks pass, but no matter what we do we can’t use it as an upstream to connect to it. We keep getting "connection closed by peer" in downstream services trying to use it.

I did try to look at the Envoy admin config and found this, which makes it seem to me that it’s being blocked, but I can’t work out how/why this is appearing there.

{
  "name": "envoy.filters.network.rbac",
  "typed_config": {
    "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
    "rules": {
      "action": "DENY"
    },
    "stat_prefix": "connect_authz"
  }
},

Hi @matt2,

Have you enabled ACLs on your Consul cluster? If so, and you have set acl.default_policy to deny, then the service mesh will also deny traffic by default. (See default_intention_policy.)

You will need to authorize the downstream services to connect to Vault by creating a service intention.

Here’s a basic example for permitting the downstream service example-app to access the vault service.

# vault-intentions.hcl
Kind = "service-intentions"
Name = "vault"
Sources = [
  {
    Name   = "example-app"
    Action = "allow"
  }
]

Save the configuration to Consul using the consul config write CLI command.

$ consul config write vault-intentions.hcl

Refer to the service intentions configuration entry documentation for additional info about this resource.
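To make the relationship between intentions and the Envoy RBAC filter concrete, here is an added example (not from the original thread, and not Consul's or Envoy's own tooling) that walks an Envoy admin config_dump and reports what each network RBAC filter actually enforces. The sample dump is constructed: its first listener carries the filter exactly as posted above, and its second shows the shape Consul emits for a default-deny mesh with one allow intention. The listener names, the policy name and the SPIFFE regex are assumptions. The interpretation follows Envoy's documented RBAC semantics: with action ALLOW a connection is admitted only when some policy matches, with action DENY only when no policy matches, so an ALLOW filter with no policies rejects everything while a DENY filter with no policies admits every connection.

```python
import json

# Constructed sample in the shape of Envoy's /config_dump output (v3 admin API).
# Listener 21000: RBAC filter as posted in the thread (action DENY, no policies).
# Listener 21001: assumed rendering of default-deny plus one allow intention.
RBAC_TYPE = "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC"
SPIFFE_RE = "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/example-app$"  # assumption


def _listener(name, rules):
    return {"name": name, "active_state": {"listener": {
        "name": name,
        "filter_chains": [{"filters": [
            {"name": "envoy.filters.network.rbac",
             "typed_config": {"@type": RBAC_TYPE, "rules": rules,
                              "stat_prefix": "connect_authz"}},
            {"name": "envoy.filters.network.tcp_proxy",
             "typed_config": {"cluster": "local_app"}},
        ]}]}}}


SAMPLE_CONFIG_DUMP = json.dumps({"configs": [{
    "@type": "type.googleapis.com/envoy.admin.v3.ListenersConfigDump",
    "dynamic_listeners": [
        _listener("public_listener:0.0.0.0:21000", {"action": "DENY"}),
        _listener("public_listener:0.0.0.0:21001", {
            "action": "ALLOW",
            "policies": {"consul-intentions-layer4": {   # policy name assumed
                "permissions": [{"any": True}],
                "principals": [{"authenticated": {"principal_name": {
                    "safe_regex": {"google_re2": {}, "regex": SPIFFE_RE}}}}],
            }}}),
    ]}]})


def _listeners(dump):
    """Yield listener objects from a v3 config_dump document."""
    for cfg in dump.get("configs", []):
        if not cfg.get("@type", "").endswith("ListenersConfigDump"):
            continue
        for entry in cfg.get("dynamic_listeners", []):
            listener = entry.get("active_state", {}).get("listener")
            if listener:
                yield listener
        for entry in cfg.get("static_listeners", []):
            if entry.get("listener"):
                yield entry["listener"]


def find_network_rbac_filters(dump):
    """Return [(listener_name, rbac_rules)] for every network RBAC filter."""
    found = []
    for listener in _listeners(dump):
        for chain in listener.get("filter_chains", []):
            for flt in chain.get("filters", []):
                tc = flt.get("typed_config", {})
                if tc.get("@type") == RBAC_TYPE:
                    found.append((listener["name"], tc.get("rules", {})))
    return found


def _principal_names(principal):
    """Flatten an RBAC principal tree into the identities it names."""
    if "authenticated" in principal:
        pn = principal["authenticated"].get("principal_name", {})
        if "exact" in pn:
            return [pn["exact"]]
        if "safe_regex" in pn:
            return [pn["safe_regex"].get("regex", "")]
        return ["<any authenticated>"]
    if "any" in principal:
        return ["<any>"]
    for key in ("or_ids", "and_ids"):
        if key in principal:
            names = []
            for sub in principal[key].get("ids", []):
                names.extend(_principal_names(sub))
            return names
    if "not_id" in principal:
        return ["NOT(" + ", ".join(_principal_names(principal["not_id"])) + ")"]
    return ["<unknown>"]


def summarize_rbac(rules):
    """Translate RBAC rules into the effective L4 authorization outcome.

    Envoy network RBAC: ALLOW admits only connections matching a policy,
    DENY admits only connections matching no policy, LOG admits everything.
    """
    action = rules.get("action", "ALLOW")  # ALLOW (0) is the proto default
    policies = rules.get("policies", {})
    names = []
    for pol in policies.values():
        for p in pol.get("principals", []):
            names.extend(_principal_names(p))
    if action == "LOG":
        effect = "allow all (log matches)"
    elif action == "ALLOW":
        effect = "allow only listed principals" if names else "deny all"
    elif action == "DENY":
        effect = "deny listed principals, allow others" if names else "allow all (no-op)"
    else:
        effect = "unknown action"
    return {"action": action, "policies": len(policies),
            "effect": effect, "principals": names}


def audit_config_dump(text):
    """Parse a config_dump JSON string; map listener name -> RBAC summary."""
    dump = json.loads(text)
    return {name: summarize_rbac(rules)
            for name, rules in find_network_rbac_filters(dump)}


if __name__ == "__main__":
    for listener, s in audit_config_dump(SAMPLE_CONFIG_DUMP).items():
        print(f"{listener}: {s['action']} with {s['policies']} policies -> {s['effect']}")
        for p in s["principals"]:
            print("    principal:", p)
```

Against a live sidecar, feed it the real dump (`curl -s localhost:19000/config_dump`, 19000 being the admin port `consul connect envoy` binds by default) instead of the constructed sample. If the public listener reports "allow all (no-op)", the RBAC filter is not what is closing the connection, and the search moves to the upstream side: the downstream's upstream listener, its cluster's health, and whether the Vault sidecar can actually reach the local Vault port.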

Thanks Blake,

We have set up intentions and the default policy is allow. That doesn’t work.