Two tasks in a Group, but only one of them trusted for Consul Connect

Hi there! I am trying to get the following setup, but I’m not quite sure if it’s possible in Nomad. The use case is the following: we allow user-supplied binaries, but we only want that binary to be able to communicate to its trusted sidecar (and nobody else).

  group "plugin" {
    task "untrusted-user-supplied" {}
    task "trusted-sidecar" {
      service "trusted-sidecar" { connect { upstreams {} etc etc } }
    }
  }

Obviously, this is not possible, according to this helpful error message:
service "trusted-sidecar" cannot have "connect" block, only services defined in a "group" block can

Is there any way I can emulate this desired behavior? Maybe some Consul intentions magic?

I’d definitely prefer that these two tasks be grouped together (mostly for lifecycle reasons).

Hi @wimax-grapl , in Nomad the scope of network trust is at the group level; at the moment there isn’t an obvious way to lock down a particular task in a group - they’re sharing the same network namespace.

The scope of work needed for this use case is similar to what’s needed for the implementation of support for Connect transparent gateways. Not everything we need exists yet both on the Nomad and Consul side but it’s something we’ve been thinking about.

One thought -
If the untrusted task is using the docker driver you might be able to make use of a docker driver network set specific to task - though I have not actually tried this.
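
The group-level placement that the error message and the reply above refer to, sketched as an added example; it is not part of the original thread and not the poster's or HashiCorp's own job file. The job name, images, the `backend` upstream and both port numbers are hypothetical.

```hcl
# Added illustration. All names, images and ports below are hypothetical.
job "plugin" {
  datacenters = ["dc1"]

  group "plugin" {
    # One network namespace for the whole group; every task joins it.
    network {
      mode = "bridge"
    }

    # Nomad accepts a "connect" block only on a group-level service.
    service {
      name = "trusted-sidecar"
      port = "9000"

      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "backend"
              local_bind_port  = 8080
            }
          }
        }
      }
    }

    task "trusted-sidecar" {
      driver = "docker"
      config {
        image = "example/trusted-sidecar:1.0"
      }
    }

    task "untrusted-user-supplied" {
      driver = "docker"
      config {
        image = "example/user-plugin:1.0"
      }
      # Same namespace as above: the proxy's upstream listener on
      # 127.0.0.1:8080 is reachable from this task too, and traffic through
      # it carries the "trusted-sidecar" service identity, so Consul
      # intentions see no difference between the two tasks.
    }
  }
}
```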

Thank you for the thoughtful reply! Yeah, there’s still paths ahead to play with here.