Currently we are using an ingress gateway to expose services directly for internal user access. However, we now have a frontend that we want to expose, and we want to use mTLS (or any easy way to serve it over HTTPS).
We checked this document: gateway Stanza - Job Specification | Nomad by HashiCorp
I found that we can use the following:
tls Parameters
enabled (bool: false) - Set this configuration to enable TLS for every listener on the gateway. If TLS is enabled, then each host defined in the host field will be added as a DNSSAN to the gateway's x509 certificate.
but when I change the listener protocol to http, it shows: Error submitting job: Unexpected response code: 500 (Unexpected response code: 500 (service "xxx" has protocol "tcp", which does not match defined listener protocol "http"))
how do I resolve it?
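# Ingress gateway job: exposes Connect service "xxx" to callers outside the mesh.
# Host port 5002 is mapped to the gateway listener port 3002 inside the bridge network.
job "xxx-ingress" {
  datacenters = ["yyy"]

  group "xxx-ingress" {
    network {
      mode = "bridge"

      # static host port -> gateway listener port (see listener.port below)
      port "inbound" {
        static = 5002
        to     = 3002
      }
    }

    service {
      name = "xxx-ingress"
      port = "3002"

      connect {
        gateway {
          # Consul gateway [envoy] proxy options.
          proxy {
          }

          # Consul Ingress Gateway Configuration Entry.
          ingress {
            tls {
              # Enables TLS on every listener; each host listed below is added as a DNSSAN
              # on the gateway's x509 certificate.
              # NOTE(review): the quoted doc only describes TLS on the listener; whether the
              # gateway also verifies client certificates (mTLS) is not established here, and
              # the certificate is presumably issued by Consul's Connect CA — confirm that
              # external clients trust it before relying on this for HTTPS.
              enabled = true
            }

            listener {
              port = 3002
              # An "http" listener only works when Consul knows service "xxx" as http
              # (e.g. a service-defaults config entry with Protocol = "http"). A service
              # left at the default "tcp" makes job submission fail with:
              #   service "xxx" has protocol "tcp", which does not match defined listener protocol "http"
              protocol = "http"

              service {
                name = "xxx"
                # hosts are bare hostnames, not URLs: a scheme such as "http://" cannot be
                # part of a DNSSAN. The original list also lacked the closing quote after the
                # first entry, which is a syntax error on its own.
                # NOTE(review): a "host:port" entry as a DNSSAN is unusual — confirm the
                # second entry is actually needed for your clients.
                hosts = ["example.com", "example.com:3002"]
              }
            }
          }
        }
      }
    }
  }
}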
Also, here is the Nomad job for the service itself:
# Image to run for task "xxx"; supplied at submission time (no default is set here).
variable "docker_image" {
type = string
}
# Backend service job for "xxx". The ingress gateway job routes external
# requests to this service over Connect; the sidecar handles mesh mTLS.
job "xxx" {
datacenters = [ "yyy" ]
type = "service"
# Reschedule on another node with exponential backoff (10s up to 120s), without limit.
reschedule {
delay = "10s"
delay_function = "exponential"
max_delay = "120s"
unlimited = true
}
group "xxx" {
count = 1
network {
mode = "bridge"
dns {
# "sss" is a placeholder for the DNS server address used inside the bridge namespace.
servers = [ "sss" ]
}
# NOTE(review): these two dynamic ports are not referenced by the service or task
# below (the service uses the fixed app port 3002) — confirm they are still needed.
port "http" {}
port "https" {}
}
# Restart the task up to 8 times per 2m window, waiting 15s between attempts;
# mode = "delay" waits for the next interval instead of failing the allocation.
restart {
interval = "2m"
attempts = 8
delay = "15s"
mode = "delay"
}
service {
name = "xxx"
# App port the sidecar forwards mesh traffic to.
# The ingress listener for this service is declared as "http", so Consul must also
# know this service's protocol as http (e.g. a service-defaults config entry with
# Protocol = "http"); otherwise submitting the ingress job fails with the
# "protocol tcp does not match listener protocol http" error.
port = 3002
connect {
sidecar_service {
proxy {
# The task reaches service "bbb" through the sidecar at localhost:3000.
upstreams {
destination_name = "bbb"
local_bind_port = 3000
}
}
}
}
}
task "xxx" {
driver = "docker"
leader = true
config {
image = var.docker_image
labels {
service_name = "xxx"
}
# Bind-mounts host path /env to /app/.prod.env inside the container.
# NOTE(review): this is a host path holding the production env file — confirm it is
# readable only by the Nomad client, and that the docker driver on the client is
# configured to allow host bind mounts.
mounts = [
{
type = "bind"
target = "/app/.prod.env"
source = "/env"
}
]
}
resources {
cpu = 1024
memory = 1024
}
}
}
}