Kubernetes and Consul Integration question

[csnance]

Hello,

I am using Ocelot as an API gateway in AKS with Consul deployed inside the cluster for service discovery. I am using connect sidecar injection with ACL tokens for my pods. So my question is how to best integrate Ocelot with Consul in this scenario. This issue references what I am trying to do but doesn't lay out a preferred route. I see three potential solutions.

1. Annotate the ocelot pod for connect injection and provide the list of required services to the connect-service-upstreams. This would create localhost bindings for each service and then I would use Ocelots normal configuration (without consul integration)

{
    "DownstreamPathTemplate": "/api/posts/{postId}",
    "DownstreamScheme": "https",
    "DownstreamHostAndPorts": [
            {
                "Host": "127.0.0.1",
                "Port": {servicePortConfiguredInUpstreams},
            }
        ],
    "UpstreamPathTemplate": "/posts/{postId}",
    "UpstreamHttpMethod": [ "Put", "Delete" ]
}

2. Don't use connect inject on the Ocelot pod, use the Consul integration as defined in the configuration

"ServiceDiscoveryProvider": {
 "Host": "consul",
 "Port": 8500,
 "Token": "{aclToken}",
 "Namespace": "{consulns}"
}

3. Use connect inject and the consul integration. In this scenario connect-inject is setup, but the service being injected is the consul service.

{
      "DownstreamPathTemplate": "/api/{everything}",
      "DownstreamScheme": "http",
      "ServiceName": "{requestedService}",
      "UpstreamPathTemplate": "/api/c/{everything}",
      "UpstreamHttpMethod": [],
      "AuthenticationOptions": {
        "AuthenticationProviderKey": "IdentityApiKey",
        "AllowedScopes": []
      }

"ServiceDiscoveryProvider": {
      "Host": "127.0.0.1",
      "Port": 8500,
      "Token": "{aclToken}",
      "Type": "Consul"
    }

Of the three I think I prefer the first option as it allows consul to manage it's ACL tokens, but is there a recommended best practice for this scenario?

Thanks!

[gianniskt]

Hello,

Did you find the best solution for that issue?
I am also trying to implement connect-inject on my services (and Ocelot) by setting at Consul Helm Chart the values:

connectInject:
   enabled: true
   default: true

But I receive the error from POD Logs:

error: a container name must be specified for pod microservice1, choose one of: [app1 envoy-sidecar] or one of the init containers: [copy-consul-bin consul-connect-inject-init]

Also these are the logs from consul-connect-inject:

INFO    controller.endpoints    registering proxy service with Consul   {"name": "service1-sidecar-proxy"}
INFO    controller.endpoints    updating health check status for service        {"name": "service1", "reason": "Pod \"docker-repository/pod1\" is not ready", "status": "critical"}

I have no annotations to Deployments, as I have put "default: true" at "connectInject", but I have tried also with explicit annotations, with same results.

[raman-m]

Hi @csnance !
Thanks for your interest in Ocelot!

I know my feedback is a bit late after these long 4 years of your waiting...
To understand the correctness of your Consul provider configurations you need to have Ocelot logs.
I hope attached PR 1366 will help you to take your solution to the next level.
Let me know if you have any further questions!

[raman-m]

@csnance Let me know if your question is still actual.