emissary-ingress / emissary

open source Kubernetes-native API gateway for microservices built on the Envoy Proxy
https://www.getambassador.io
Apache License 2.0

Consul Changes in v1.14.0 break Ambassador Deploy Script #5154

Open stvdilln opened 1 year ago

stvdilln commented 1 year ago

I am following the blog at this URL: https://www.getambassador.io/docs/emissary/latest/howtos/consul#consul-integration and the 'using Consul for authorization and encryption' step isn't working.

Consul in version v1.14.0, if you are setting up service mesh, no longer installs a Consul agent on each node of a k8s cluster. There are the lead 3-5 Consul 'control plane' servers, and the work that was done in the DaemonSet is now being done in the sidecar.

In the ambassador guide is this link: https://app.getambassador.io/yaml/v2-docs/3.7.0/consul/ambassador-consul-connector.yaml which at the end of it expects consul to exist on each node:

        # Consul runs as a DaemonSet on each Node therefore we need to talk to the Host machine.
        # See: https://www.consul.io/docs/platform/k8s/run.html#architecture
        - name: _CONSUL_HOST
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP

To Reproduce: Basically just following the blog listed.

  1. Create k8s cluster on AKS
  2. Follow Hashicorp Basic consul [setup](https://developer.hashicorp.com/consul/tutorials/kubernetes/kubernetes-aks-azure?utm_source=consul.io&utm_medium=docs) (this page is linked from ambassador howto guide)
  3. Follow Ambassador guide

Expected behavior: Ambassador consul connector copies CA certificates from Consul to K8s secret. Instead it gets a repeated error trying to connect to Consul.

Additional context: There should be a DNS and/or environment variable available in your pod to use instead of the hostIP. I can't find this file on GitHub so (assuming I find the time) I can't do a PR. If I get some time I may post the few-line fix to this issue and have somebody here integrate it.

stvdilln commented 1 year ago

In my copy of the file, instead of hardcoding an IP address, I used the value below. This DNS name will change based on what they named their Consul server. In your getting started guide, you have a consul.name of '', which gives the name below. I don't see an easy way to do service discovery in this YAML file. You may need to use the k8s APIs to do service discovery and find the Consul server.

          env:
            - name: _CONSUL_HOST
              value: consul-consul-server.consul.svc.cluster.local
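An added check, not part of the issue thread or the Emissary project's code: given JSON shaped like the output of `kubectl get deployments -A -o json`, it lists workloads whose `_CONSUL_HOST` still comes from `status.hostIP`, the node-local-agent assumption discussed in the comments above. The sample document and the workload, container and namespace names in it are constructed.

```python
import json

# Constructed sample, shaped like `kubectl get deployments -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "ambassador", "name": "consul-connect-old"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "consul-connect",
      "env": [{"name": "_CONSUL_HOST",
               "valueFrom": {"fieldRef": {"fieldPath": "status.hostIP"}}}]}]}}}},
  {"metadata": {"namespace": "ambassador", "name": "consul-connect-fixed"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "consul-connect",
      "env": [{"name": "_CONSUL_HOST",
               "value": "consul-consul-server.consul.svc.cluster.local"}]}]}}}}
]}
""")

def classify_env(env):
    """Return how one env entry obtains its value."""
    field = env.get("valueFrom", {}).get("fieldRef", {}).get("fieldPath")
    if field == "status.hostIP":
        return "host-ip"   # assumes a Consul agent runs on every node
    if "value" in env:
        return "literal"   # e.g. a Service DNS name
    return "other"         # secretKeyRef, configMapKeyRef, other fieldRefs

def find_consul_host_sources(doc, var="_CONSUL_HOST"):
    """List (namespace, workload, container, source, value) for `var`."""
    findings = []
    for item in doc.get("items", []):
        meta = item["metadata"]
        pod = item["spec"]["template"]["spec"]
        for c in pod.get("containers", []) + pod.get("initContainers", []):
            for env in c.get("env", []):
                if env.get("name") == var:
                    findings.append((meta["namespace"], meta["name"], c["name"],
                                     classify_env(env), env.get("value")))
    return findings

def needs_fix(findings):
    """Workloads that still rely on a node-local agent at status.hostIP."""
    return [f"{ns}/{name}" for ns, name, _, src, _ in findings if src == "host-ip"]

if __name__ == "__main__":
    rows = find_consul_host_sources(SAMPLE)
    for row in rows:
        print(row)
    print("still using hostIP:", needs_fix(rows))
```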

cindymullins-dw commented 1 year ago

The user noted on 7/13 that "I've resolved the last issue (getting the API Gateway to talk to the Service Mesh), in that I missed one of the yaml files and didn't have a listener specified. Adding the listener (and some of the prior workarounds) has it working for me."