Nomad Connect doesn't manage TLS Consul endpoints #6594
Some context:
I am using Nomad 0.10.0 and Consul 1.6.1. Both Nomad and Consul are working with TLS and ACLs enabled.
I am trying to get my Nomad jobs running with Connect, but in the logs I always have these error messages:
This doesn't work either, with exactly the same error message.
But if I put https:// before endpoint.local.compuscene.net:8500, this command works nicely.
It seems Nomad doesn't take its configuration into account, in particular the ssl=true option:
I don't know if this is clear. If you have any questions, don't hesitate to ask me for more if needed.
What a coincidence. I was about to create a ticket for this since I'm also running into the same issue. Like @vvanholl says: Nomad currently assumes the local Consul agent is available over plain HTTP. Our configuration has TLS enabled on the Consul clients and Consul servers and we don't expose a plain HTTP endpoint on the Consul agent.
The problem is Nomad starts the Consul Envoy proxy without any HTTP flags: https://github.com/hashicorp/nomad/blob/master/client/allocrunner/taskrunner/envoybootstrap_hook.go#L89
Therefore the Consul proxy fails to connect to the local Consul agent: https://github.com/hashicorp/consul/blob/cc9a6f79934a6da58b7aec63c057681d82aded5a/command/connect/proxy/proxy.go#L221
What Nomad should do is grab the Consul client configuration (the
As of right now Consul ACL support is one of the known limitations of our implementation but is in the works. For TLS, I do see that we have an open issue for testing that properly (#6502) but this looks like a bug in how we look up the Consul address.
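An added example (not Nomad's code and not from this thread) of the address handling discussed above: it derives an explicit-scheme `-http-addr` and the TLS flags for `consul connect envoy -bootstrap` from a Nomad-style `consul` stanza, and refuses a plain-HTTP address when `ssl = true`. The `ConsulConfig` type, the function names, the hostname, the sidecar ID and the CA path are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// ConsulConfig mirrors a subset of the Nomad agent `consul` stanza (hypothetical type).
type ConsulConfig struct {
	Addr, CAFile, CertFile, KeyFile string // address, ca_file, cert_file, key_file
	SSL                             bool   // ssl
}

// HTTPAddr returns the agent address with an explicit scheme, so a CLI that is
// handed -http-addr cannot silently fall back to plain HTTP when ssl = true.
func HTTPAddr(c ConsulConfig) (string, error) {
	if i := strings.Index(c.Addr, "://"); i >= 0 {
		if c.SSL && strings.EqualFold(c.Addr[:i], "http") {
			return "", fmt.Errorf("ssl = true conflicts with address %q", c.Addr)
		}
		return c.Addr, nil // the operator already chose a scheme
	}
	if c.SSL {
		return "https://" + c.Addr, nil
	}
	return "http://" + c.Addr, nil
}

// BootstrapArgs builds `consul connect envoy -bootstrap` arguments that carry
// the agent's TLS settings instead of relying on the CLI defaults.
func BootstrapArgs(c ConsulConfig, sidecarFor string) ([]string, error) {
	addr, err := HTTPAddr(c)
	if err != nil {
		return nil, err
	}
	args := []string{"connect", "envoy", "-bootstrap", "-http-addr=" + addr, "-sidecar-for=" + sidecarFor}
	tls := [][2]string{{"-ca-file", c.CAFile}, {"-client-cert", c.CertFile}, {"-client-key", c.KeyFile}}
	for _, kv := range tls {
		if kv[1] != "" { // only pass flags for files that are configured
			args = append(args, kv[0]+"="+kv[1])
		}
	}
	return args, nil
}

func main() {
	// Constructed sample values, not taken from the issue.
	c := ConsulConfig{Addr: "consul.example.internal:8500", SSL: true, CAFile: "/etc/consul/ca.pem"}
	args, err := BootstrapArgs(c, "web-sidecar")
	fmt.Println(strings.Join(args, " "), err)
}
```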