Failed to correctly represent intentions in Consul UI

[ventaubain]

Overview of the Issue

The Consul UI has a problem for representing correctly the intention rules in the topology field of a service. I have correctly defined the intention but the UI doesn't handle it even if I create the rule after a click on the red arrow. The intention works correctly on the network.

All services are in a Mesh Network with Envoy sidecar except traefik that is in native mode. Traefik is integrated in the Mesh network.

Reproduction Steps

Consul info for both Client and Server

job "traefik" {
  datacenters = ["MicroservicePlatform"]

  group "traefik" {

    network {
      mode = "bridge"

      port "http" {
        static = 80
        to     = 80
      }

      port "https" {
        static = 443
        to     = 443
      }

      port "gui" {
        static = 8081
        to     = 8081
      }
    }

    service {
      name = "traefik"
      port = "http"
      tags = ["http"]

      connect {
        native = true
      }
    }

    service {
      name = "traefik"
      port = "https"
      tags = ["https"]
    }

    service {
      name = "traefik"
      port = "gui"
      tags = ["gui"]
    }

    task "traefik" {
      driver = "docker"
      config {
        image = "traefik:latest"
        args  = [
          "--providers.consulcatalog.connectaware=true",
          "--providers.consulcatalog.connectbydefault=true",
          "--providers.consulcatalog.exposedbydefault=false",
          "--entrypoints.http=true",
          "--entrypoints.http.address=:80",
          "--entrypoints.https=true",
          "--entrypoints.https.address=:443",
          "--api.dashboard=true",
          "--entrypoints.traefik.address=:8081",
          "--api.insecure=true",
          "--providers.consulcatalog.servicename=traefik",
          "--providers.consulcatalog.prefix=traefik",
          "--metrics.prometheus=true"
        ]
      }
    }
  }
}

Consul master

datacenter = "MicroservicePlatform"
data_dir = "/opt/consul"

bind_addr = "X.X.X.X"
client_addr = "0.0.0.0"
bootstrap_expect = 1

ports {
  http = 8006
  grpc = 8502
}

connect {
  enabled = true
}

server = true

retry_join = ["X.X.X.X"]

performance {
  raft_multiplier = 1
}

telemetry {
  prometheus_retention_time = "24h"
  disable_hostname          = true
}

ui_config {
  enabled          = true
  metrics_provider = "prometheus"
  metrics_proxy {
    base_url = "http://X.X.X.X:9090"
  }
}

Consul agent

datacenter = "MicroservicePlatform"
data_dir = "/opt/consul"

bind_addr = "X.X.X.X"
client_addr = "0.0.0.0"

ui = false

retry_join = ["X.X.X.X"]

performance {
  raft_multiplier = 1
}

ports {
  grpc = 8502
}

connect {
  enabled = true
}

telemetry {
        prometheus_retention_time = "480h",
        disable_hostname = true
 }

job "homepage" {
    datacenters = ["MicroservicePlatform"]

    group "front" {
        network {
            mode = "bridge"
            port "envoy_metrics" {
                to = 8888
            }
        }

        service {
            meta {
                envoy_metrics_port = "${NOMAD_HOST_PORT_envoy_metrics}"
            }
            name = "homepage"
            port = 3000

            tags = [
                "traefik.enable=true",
                "traefik.http.routers.homepage.rule=Host(`XXX`)"
            ]
            connect {
                sidecar_service {
                    proxy {
                        config {
                            envoy_prometheus_bind_addr = "0.0.0.0:8888"
                        }
                    }
                }
            }
        }

        task "frontend" {
            driver = "docker"
            config {
                image = "X.X.X.X/home_page"
            }
        }
    }
}

Operating system and Environment details

Debian 11 Consul v1.13.2 Nomad v1.3.1

Log Fragments

[jkirschner-hashicorp]

Hi @moutroll,

Double-checking to make sure I'm interpreting this correctly:

• traefik is natively integrated with the mesh
• You have an intention allowing traefik to talk to <redacted>frontend
• When you open the traefik service's topology view, the UI represents the intention to <redacted>frontend correctly (normal gray arrow)
• But you open the <redacted>frontend service's topology view, the UI represents the intention from <redacted>frontend incorrectly (red arrow with X)

Is this accurate?

And have you seen this same inconsistency with any services that are in the mesh with an Envoy sidecar (rather than using native integration like traefik)?

Thank you for the report!

[ventaubain]

Hi @jkirschner-hashicorp

• Yes, Traefik is in the Mesh network with native approach (without Envoy sidecar)
• Yes, Traefik has an explicit rule to communicate with frontend. The problem is the same for all others services linked to traefik. By default, the rule is set with accept
• After checking, It seems to not work too. If I set the rule with Deny in traefik, the arrow stays grey and don't switch with the red arrow. So it seems that the arrow is blocked in "allow" mode with traefik topology view and in "deny" mode with frontend topology view. So the view may be incorrect for both views.

After testing, the Ui seems to work correctly with a service in the Mesh Network with Envoy Sidecar. So, the problem can be from the native integration.

Thanks

[apollo13]

Hi @moutroll and @jkirschner-hashicorp. I think I fixed this one in https://github.com/hashicorp/consul/pull/13023 but I can't get a reviewer for it :) The problem here is that traefik registers multiple services under the same name but with different tags and the UI didn't properly dedupe that.

[apollo13]

And have you seen this same inconsistency with any services that are in the mesh with an Envoy sidecar (rather than using native integration like traefik)?

The same inconsistency does not arise for Envoy sidecars because the connections are explicit there and take other code paths in the UI. A connect native application behaves more like the transparent proxy in the sense that it's connections are only defined via intentions (as such they take the same code paths in my patch)