When deploying a job with tasks that communicate via Consul Connect/sidecar proxies, it would be great if Nomad could automatically configure (and remove on completion) Consul intentions to allow services defined in the same jobspec to communicate.
For instance, if jobs are deployed by CI, they might have generated names from branches/tags (such as deploying review environments), which then each need to have intentions created manually (and later removed) in Consul.
@valenvb I am after this functionality as well for the exact reason you described (review environments). What are you doing currently to solve this, out of interest? (as doing it manually for review environments isn't really feasible)
@microadam Unfortunately our solution right now is to basically bypass this functionality entirely with a * -> * rule on our development cluster. Our production plan is likely going to involve our CI getting a very short-lived token from Vault to put everything in motion. I haven’t really scoped that through fully though, and I think there may end up being a few hurdles to that (needing a policy in Consul that Vault can get a token against, etc). Hence the incredible usefulness of this feature request. For us anyway, I think it will make intentions useful as a feature rather than something we have to work around.
Thanks for the tips! I agree, would be very useful. Will probably go down the same route as allowing everything and isolating review environments to their own cluster.
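An added example, not part of the issue thread and not Nomad or Consul project code: a POSIX shell helper a CI job could run to create allow intentions for one review environment at deploy time and delete them at teardown, rather than relying on a `* -> *` rule. The `<service>-<slug>` naming scheme, the `web>api` edge syntax and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not Nomad or Consul project code).
# Assumption: review services are named <service>-<slug>, e.g. web-feature-x.

# Reduce a branch or tag name to a lowercase [a-z0-9-] slug, max 40 chars.
env_slug() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' \
    | sed 's/[^a-z0-9][^a-z0-9]*/-/g; s/^-*//' | cut -c1-40 | sed 's/-*$//'
}

# Print one consul CLI command per "source>destination" edge.
# Usage: intention_commands create|delete BRANCH EDGE...
intention_commands() {
  ic_action=$1
  ic_slug=$(env_slug "$2")
  shift 2
  [ -n "$ic_slug" ] || { echo "branch name yields empty slug" >&2; return 1; }
  case $ic_action in
    create) ic_verb='create -allow' ;;
    delete) ic_verb='delete' ;;
    *) echo "unknown action: $ic_action" >&2; return 1 ;;
  esac
  for ic_edge in "$@"; do
    case "$ic_edge" in *">"*) ;; *) echo "bad edge: $ic_edge" >&2; return 1 ;; esac
    ic_src=${ic_edge%%>*}
    ic_dst=${ic_edge#*>}
    # Refuse wildcards, empty names and shell metacharacters, so every edge
    # names exactly one source and one destination service.
    case "$ic_src$ic_dst" in
      *[!a-z0-9-]*) echo "bad edge: $ic_edge" >&2; return 1 ;;
    esac
    [ -n "$ic_src" ] && [ -n "$ic_dst" ] || { echo "bad edge: $ic_edge" >&2; return 1; }
    printf 'consul intention %s %s-%s %s-%s\n' \
      "$ic_verb" "$ic_src" "$ic_slug" "$ic_dst" "$ic_slug"
  done
}

# Print the plan, or execute it when APPLY=1 (needs the consul binary plus
# CONSUL_HTTP_ADDR and CONSUL_HTTP_TOKEN in the environment). The plan is
# built completely first, so a rejected edge means nothing is applied.
sync_intentions() {
  si_plan=$(intention_commands "$@") || return 1
  if [ "${APPLY:-0}" = 1 ]; then printf '%s\n' "$si_plan" | sh -e
  else printf '%s\n' "$si_plan"; fi
}

# CI entry point, e.g.: APPLY=1 ./intentions.sh create "$BRANCH" 'web>api' 'api>db'
if [ "$#" -ge 3 ]; then sync_intentions "$@"; fi
```

Running the same edges with `delete` in the teardown job removes exactly what the deploy job created, so the token CI uses only needs intention write access for those service names.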