[SOLVED] Can't connect postgres via sidecar proxy

Hi!

I’m trying to deploy a keycloak/postgres test, but I can’t connect keycloak to postgres via sidecar proxy.

This is my nomad file:

# Nomad service job with two groups, each in bridge networking and each registering a
# Consul service with a Connect sidecar: "auth-database" runs PostgreSQL, "auth-app" runs
# Keycloak and declares postgres-server as a Connect upstream on local port 5432.
job "test" {
	datacenters = ["dc1"]
	type        = "service"
	group "auth-database" {
		count = 1
		network {
			mode = "bridge"
			# NOTE(review): with no static value this maps a dynamic host port to 5432 inside the
			# allocation. PostgreSQL is then reachable directly on the client node's address,
			# outside the mesh, where Connect mTLS and Consul intentions do not apply.
			port "psql" {
				# static = 15432
				to = 5432
			}
			dns {
				servers = ["192.168.20.2"]
			}
		}
		service {
			provider = "consul"
			name = "postgres-server"
			# Registers the service on the mapped "psql" port label rather than on the port
			# PostgreSQL listens on inside the allocation.
			port = "psql"
			tags = ["backend", "database"]
			# check {
			# 	name     = "psql_probe"
			# 	type = "tcp"
			# 	interval = "10s"
			# 	timeout  = "2s"
			# }
			connect {
				# Empty sidecar_service: the proxy is registered with default settings and no upstreams.
				sidecar_service {}
				sidecar_task {
					resources {
						cpu    = 1000
						memory = 1024
					}
				}
			}
		}
		# Host volume holding the PostgreSQL data directory (mounted read-write below).
		volume "keycloak_test" {
			type      = "host"
			read_only = false
			source    = "keycloak_test"
		}
		task "postgres" {
			driver = "docker"
			config {
				# NOTE(review): "postgres:10" is a floating tag for a major series that no longer
				# receives upstream security fixes; pin a supported version or an image digest.
				image = "postgres:10"
				ports = ["psql"]
			}
			volume_mount {
				volume      = "keycloak_test"
				destination = "/var/lib/postgresql/data"
				read_only   = false
			}
			# NOTE(review): database credentials are literals in the job spec, so anyone who can
			# read the job (Nomad API/UI, version control, a pasted copy) can read them, and the
			# password equals the username. Render them from a secret store with a template
			# (env = true) instead of hard-coding them.
			env {
				POSTGRES_USER = "keycloak"
				POSTGRES_PASSWORD = "keycloak"
				POSTGRES_DB = "keycloak"
			}
		}
	}

	group "auth-app" {
		count = 1
		network {
			mode = "bridge"
			# Maps a dynamic host port to 18443 inside the allocation, so Keycloak is published
			# on the client node.
			# NOTE(review): no --https-port appears in the task args below — confirm that
			# Keycloak actually listens on 18443.
			port "keycloak" { 
				# static = 18443
				to = 18443
			}
			dns {
				servers = ["192.168.20.2"]
			}
		}
		service {
			provider = "consul"
			name = "keycloak"
			tags = ["frontend", "authentication", "authorization"]
			port = "keycloak"
			connect {
				sidecar_service {
					proxy {
						# The sidecar listens on local port 5432 in this group's network namespace
						# and forwards to the postgres-server service through the mesh; the
						# --db-url in the task args points at this listener.
						upstreams {
							destination_name = "postgres-server"
							local_bind_port = 5432
						}
					}
				}
			}
		
		}

		task "keycloak" {
			driver = "docker"
			# artifact {
			# 	source = "http://192.168.20.2:9080/preb_kcloak.tar"
			# 	destination = "local/preb_kcloak.tar"
			# 	mode = "file"
			# 	options {
			# 		archive = false
			# 	}
			# }
			config {
				# load = "preb_kcloak.tar"
				# image = "prebuilt_keycloak:latest"
				# NOTE(review): ":latest" is a mutable tag; pin a release or digest so the identity
				# provider's image cannot change silently between deployments.
				image = "quay.io/keycloak/keycloak:latest"
				ports = ["keycloak"]
				args = [
					"--verbose",
					"start",
					"--hostname keycloak.service.apps.local",
					"--hostname-port ${NOMAD_HOST_PORT_keycloak}",
					"--db postgres",
					"--db-username keycloak",
					# NOTE(review): a password passed as a command-line argument is visible in the
					# job spec and in the container's process arguments; prefer the environment
					# form (KC_DB_PASSWORD, commented out in env below) fed from a secret store.
					"--db-password keycloak",
					"--https-certificate-file /local/cert.pem",
					"--https-certificate-key-file /local/key.pem",
					"--db-url jdbc:postgresql://127.0.0.1:5432/keycloak",
					# "--db-url jdbc:postgresql://${NOMAD_UPSTREAM_ADDR_postgres-server}/keycloak"
				]
			}
			# volume_mount {
			# 	volume      = "keycloak_test"
			# 	destination = "/opt/keycloak/data"
			# 	read_only   = false
			# }
			# NOTE(review): the admin account is created with the literal credentials admin/admin
			# on a service that is published on a host port; use a strong secret injected at
			# deploy time.
			env {
				KEYCLOAK_ADMIN = "admin"
				KEYCLOAK_ADMIN_PASSWORD = "admin"
				# KC_DB_URL = "jdbc:postgresql://${NOMAD_HOST_ADDR_psql}/keycloak"
				# KC_DB_USERNAME = "keycloak"
				# KC_DB_PASSWORD = "password"
				# KC_HOSTNAME = "keycloak.service.apps.local"
			}
			resources {
				memory = 2048
				memory_max = 4096
			}
			# Renders the TLS certificate into the task's local/ directory; change_mode "noop"
			# means the task is not restarted or signalled when the rendered content changes.
			template {
				change_mode = "noop"
				destination = "local/cert.pem"
				data = <<EOH
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOH
		}
		# NOTE(review): the TLS private key is embedded inline in the job spec, so it is readable
		# by anyone with read access to the job and travels with every copy of the file. Treat a
		# key that has been posted or committed as compromised and reissue it; render the key
		# from a secret store instead of a literal heredoc.
		template {
			change_mode = "noop"
			destination = "local/key.pem"
			data = <<EOH
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
EOH
			}
		
		}
	}
	# group "traefik" {}
}

Did I make a mistake while creating the file?

Thanks in advance
Nomar

I did set up the consul intentions to allow connection.

Hi @nomar.mora, at first glance it looks like you are creating a port-mapping named psql, but if you’re using Connect, that’s not what you want to do. Instead, just define the service with the port the database is going to listen on locally (5432) - and that will be the same as the local_bind_port for the upstream service.

  # Bridge mode with no port block: PostgreSQL itself is not published on a host port.
  network {
    mode = "bridge"
  }
service {
  name = "postgres-server"
  # Literal port PostgreSQL listens on inside the allocation; the Connect sidecar forwards
  # mesh traffic to it, so clients should reach the database only through the mesh
  # (mTLS plus intentions).
  port = "5432"
  # ...
}

You should be able to follow the 3rd example under

where api is like your postgres-server, and dashboard is like your keycloak.


Thanks @seth.hoenig !!!

It works like a charm!!!

I have been stuck with this situation for a week and I was already beginning to despair!

Thanks a lot!