Q: Can/How to interpolate a variable inside a service tag?

I’m probably missing something obvious, but I’m stuck.

I’m working with Nomad with the Docker driver, Traefik with ConsulCatalog as a provider and Authelia for authorization.

The problem I’m running into is that one of the service tags configuring Traefik requires a URL to the Authelia docker container. Specifically, I believe I need to inject the environment variable NOMAD_ADDR_authelia.

For example, my authelia service requires the following traefik tag:

service authelia {
  name = "authelia"
  port = "authelia"
  tags = [
    "traefik.enable=true",
    "traefik.http.middlewares.authelia.forwardauth.address=http://<NOMAD_ADDR_authelia>/api/verify?rd=https://auth.aussieswithtails.com/",
  ]
}

Is this possible? If so, how? Or how do I work around it, since the value depends on Nomad’s placement of the authelia container?

Thanks in advance,

-steve

Hi @snesbittsea! That is a little tricky. … seeing as how you have Consul already in the mix could you use the authelia DNS entry rather than its IP address?

Hi @tgoss!

Glad it was tricky and not just me being oblivious.

I had considered using the Consul DNS resolution mechanism. But wouldn’t that require changing the DNS resolver configuration on all Consul agents?

I’m assuming this would mean futzing with either systemd-resolved or introducing DNSMasq as the resolving mechanism?

Any guides out there that show how it might be done?

Also, how does DNS lookup work when ACLs are enabled? For example, dig @127.0.0.1 -p8600 authelia.service.stage01.consul returns no values until I turn ACLs off.

Thx!

-steve

I had considered using the Consul DNS resolution mechanism. But wouldn’t that require changing the DNS resolver configuration on all Consul agents?

Yeah, it’s a bit of a pain. But there are some good Learn guides available for setting up all the common DNS scenarios in the Consul DNS Forwarding guide.

Also, how does DNS lookup work when ACLs are enabled? For example, dig @127.0.0.1 -p8600 authelia.service.stage01.consul returns no values until I turn ACLs off.

You’ll want to set a token for the agent that’s serving the DNS requests that has access to the services, etc. Take a look at the Consul ACL setup guide.
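
A sketch of the agent token setup described in the reply above, added here as an example and not taken from the thread or from the guides it mentions. The file names and the token placeholder are assumptions; the policy is read-only and scoped to the authelia service so that ACLs can stay enabled.

```hcl
# --- dns-lookup-policy.hcl (hypothetical file name) ---
# Read-only policy for the token the agent uses to answer DNS queries.
# Answering authelia.service.<datacenter>.consul needs read access to the
# service itself and to the nodes it is registered on.
node_prefix "" {
  policy = "read"
}

service "authelia" {
  policy = "read"
}

# Any other service that must resolve over DNS needs its own rule, e.g. a
# further service "<name>" block, or service_prefix "" for all services.

# --- agent.hcl fragment (hypothetical file name) ---
# A token created from the policy above is set as the agent's default token.
# The agent applies the default token to requests that carry no token of
# their own, which includes DNS queries on port 8600.
acl {
  enabled = true

  tokens {
    # Placeholder: substitute the SecretID of the token you created.
    default = "<DNS-TOKEN-SECRET-ID>"
  }
}
```

Keep the token's policy read-only: anything granted to the default token is available to every unauthenticated client that can reach the agent.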

Thanks much for the help. I finally got ACLs set correctly to do DNS lookups.

Now for resolver mods. I found the docs. I did notice that the documentation regarding systemd-resolved may be out of date - I believe one can now include a port along with the host.

-steve