Consul Connect with ACL

Hello! I'm setting up an ACL enabled Nomad cluster with Consul and Traefik. I'm trying to use the new Consul Connect capabilities of Traefik 2.5, but the routes for the deployed apps won't register.

I created a new Consul policy for Traefik:

key_prefix "traefik" {
  policy = "write"
}

agent_prefix "" {
  policy = "read"
}

node_prefix "" {
  policy = "read"
}

service_prefix "" {
  policy = "read"
}

And deployed Traefik to Nomad:

job "traefik" {
  region      = "global"
  datacenters = ["dc1"]
  type        = "service"

  group "traefik" {
    count = 1

    network {
      port "http" {
        static = 80
      }

      port "https" {
        static = 443
      }

      port "api" {
        static = 8080
      }
    }

    service {
      name = "traefik"

      check {
        name     = "alive"
        type     = "tcp"
        port     = "http"
        interval = "10s"
        timeout  = "2s"
      }
    }

    task "traefik" {
      driver = "docker"

      config {
        image        = "traefik:v2.5"
        network_mode = "host"

        volumes = [
          "local/traefik.toml:/etc/traefik/traefik.toml",
        ]
      }

      template {
        data = <<EOF
[entryPoints]
    [entryPoints.http]
    address = ":80"
    [entryPoints.https]
    address = ":443"
    [entryPoints.traefik]
    address = ":8080"

[api]
    dashboard = true
    insecure  = true

# Enable Consul Catalog configuration backend.
[providers.consulCatalog]
    prefix = "traefik"
    connectAware = true
    connectByDefault = true
    exposedByDefault = false

    [providers.consulCatalog.endpoint]
      address = "10.12.0.101:8500"
      token = "token to consul traefik policy"
      scheme  = "http"
EOF

        destination = "local/traefik.toml"
      }

      resources {
        cpu    = 100
        memory = 128
      }
    }
  }
}

To test I'm using this job from the Nomad docs:

Am I missing something?

I found a solution.

I was missing the Traefik service write privilege. Here's the updated policy:

key_prefix "traefik" {
  policy = "write"
}

service "traefik" {
  policy = "write"
}

agent_prefix "" {
  policy = "read"
}

node_prefix "" {
  policy = "read"
}

service_prefix "" {
  policy = "read"
}

And the updated nomad job:

job "traefik" {
  datacenters = ["dc1"]
  type        = "service"

  group "traefik" {
    count = 1

    network {
      port "http" {
        static = 80
      }

      port "https" {
        static = 443
      }

      port "api" {
        static = 8080
      }
    }

    service {
      name = "traefik"
      port = "http"

      connect {
        native = true
      }

      check {
        name     = "alive"
        type     = "tcp"
        port     = "http"
        interval = "10s"
        timeout  = "2s"
      }
    }

    task "traefik" {
      driver = "docker"

      config {
        image        = "traefik:v2.5"
        network_mode = "host"

        volumes = [
          "local/traefik.toml:/etc/traefik/traefik.toml",
        ]
      }

      template {
        data = <<EOF
[entryPoints]
    [entryPoints.http]
    address = ":80"
    [entryPoints.https]
    address = ":443"
    [entryPoints.traefik]
    address = ":8080"

[api]
    dashboard = true
    insecure  = true

# Enable Consul Catalog configuration backend.
[providers.consulCatalog]
    servicename = "traefik"
    prefix = "traefik"
    connectAware = true
    connectByDefault = true
    exposedByDefault = false

    [providers.consulCatalog.endpoint]
      address = "{{ env \"CONSUL_HTTP_ADDR\" }}"
      token = "REPLACE ME WITH THE TRAEFIK TOKEN"
      scheme  = "http"
EOF

        destination = "local/traefik.toml"
      }

      resources {
        cpu    = 100
        memory = 128
      }
    }
  }
}

@okkdev I really wish I found this post sooner, I have been poring through Traefik docs, GitHub issues and googling, but never knew about the community forum. Within the last hour I just figured out the permissions, just as you have them set!

I may open up a GitHub issue for a feature request for this to be added to the documentation. I couldn't determine which Consul API method that Traefik was using until I accidentally set it to use the wrong Consul URL. Prior to that, only a vanilla 403 error message was being logged. When I had the wrong URL set, I could actually see which method in the Consul API it was trying to use, which allowed me to determine what ACL policies were required from the Consul docs.
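Two points in this thread call for the same check: @okkdev's fix (the token needs `service "traefik" { policy = "write" }` on top of the read rules) and @paladin-devops' observation that Traefik only logs a bare 403, so you cannot tell which Consul API call was refused. The script below is an added example; it is not code from the thread, from Traefik or from Consul. With a candidate token it sends the read-only calls a Connect-aware catalog client makes and maps every refusal back to the ACL rule that grants it, following the endpoint-to-permission mapping in the Consul HTTP API reference. The service name "traefik" comes from the thread; the Consul address and the environment variable names are assumptions (they match what the consul CLI reads). The `X-Consul-Results-Filtered-By-ACLs` header check covers the case where a catalog endpoint answers 200 but silently drops entries the token may not see, which is how a missing read rule shows up on recent Consul releases.

```python
"""Map Consul HTTP API refusals back to the ACL rule a token is missing.

Added example, not code from the forum thread, Traefik or Consul.
"""
import os
import urllib.error
import urllib.request

SERVICE = "traefik"  # service name used in the thread

RULE_AGENT_READ = 'agent_prefix "" { policy = "read" }'
RULE_SERVICE_READ = 'service_prefix "" { policy = "read" }'
RULE_NODE_READ = 'node_prefix "" { policy = "read" }'
RULE_SERVICE_WRITE = f'service "{SERVICE}" {{ policy = "write" }}'

# (method, path, ACL rule that grants the call). None of these probes changes
# cluster state. The leaf-certificate call needs the same service:write on
# "traefik" that registering the service itself needs, which is the rule the
# thread's first policy lacked.
PROBES = [
    ("GET", "/v1/agent/self", RULE_AGENT_READ),
    ("GET", "/v1/catalog/services", RULE_SERVICE_READ),
    ("GET", f"/v1/health/service/{SERVICE}", RULE_NODE_READ),
    ("GET", f"/v1/agent/connect/ca/leaf/{SERVICE}", RULE_SERVICE_WRITE),
]


def probe(base_url, token, method, path):
    """Return (status, filtered) for one call.

    filtered is True when Consul answered 200 but flagged that the token could
    not see every result (X-Consul-Results-Filtered-By-ACLs header).
    """
    req = urllib.request.Request(
        base_url + path, method=method, headers={"X-Consul-Token": token}
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            header = resp.headers.get("X-Consul-Results-Filtered-By-ACLs", "")
            return resp.status, header.lower() == "true"
    except urllib.error.HTTPError as err:
        return err.code, False


def probe_token(base_url, token):
    """Run every probe and collect {path: (status, filtered)}."""
    return {path: probe(base_url, token, method, path) for method, path, _ in PROBES}


def diagnose(results):
    """Return the ACL rules the token still needs, in probe order.

    A 403 or a silently filtered answer means the rule is missing; 200 and 404
    (for example the service is not registered yet) both prove it is present.
    """
    missing = []
    for _, path, rule in PROBES:
        status, filtered = results.get(path, (None, False))
        if (status == 403 or filtered) and rule not in missing:
            missing.append(rule)
    return missing


if __name__ == "__main__":
    # Assumed environment: the variables the consul CLI reads. Nomad injects
    # CONSUL_HTTP_ADDR as host:port without a scheme, so add one if needed.
    base = os.environ.get("CONSUL_HTTP_ADDR", "http://127.0.0.1:8500")
    if not base.startswith("http"):
        base = "http://" + base
    token = os.environ["CONSUL_HTTP_TOKEN"]
    results = probe_token(base, token)
    for _, path, _ in PROBES:
        status, filtered = results[path]
        print(f"{status}{' (filtered)' if filtered else ''}  {path}")
    needed = diagnose(results)
    print("missing ACL rules:" if needed else "token covers all probes")
    for rule in needed:
        print("  " + rule)
```

Run it with `CONSUL_HTTP_TOKEN` set to the token you are about to hand to Traefik; a token built from the thread's first policy reports only the `service "traefik" { policy = "write" }` line, which is exactly the rule the working policy adds.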

Hello @paladin-devops

I highly encourage you to open a PR if you find the solution shared by @okkdev helpful. All contributions around all areas in the Traefik project are warmly welcome!

@okkdev thank you very much for sharing the final solution!