Consul Connect with ACL

okkdev · August 31, 2021, 11:20am

Hello! I'm setting up an ACL enabled Nomad cluster with Consul and Traefik. I'm trying to use the new Consul Connect capabilities of Traefik 2.5, but the routes for the deployed apps wont register.

I created a new Consul policy for Traefik:

key_prefix "traefik" {
  policy = "write"
}

agent_prefix "" {
  policy = "read"
}

node_prefix "" {
  policy = "read"
}

service_prefix "" {
  policy = "read"
}

And deployed Traefik to Nomad:

job "traefik" {
  region      = "global"
  datacenters = ["dc1"]
  type        = "service"

  group "traefik" {
    count = 1

    network {
      port "http" {
        static = 80
      }

      port "https" {
        static = 443
      }

      port "api" {
        static = 8080
      }
    }

    service {
      name = "traefik"

      check {
        name     = "alive"
        type     = "tcp"
        port     = "http"
        interval = "10s"
        timeout  = "2s"
      }
    }

    task "traefik" {
      driver = "docker"

      config {
        image        = "traefik:v2.5"
        network_mode = "host"

        volumes = [
          "local/traefik.toml:/etc/traefik/traefik.toml",
        ]
      }

      template {
        data = <<EOF
[entryPoints]
    [entryPoints.http]
    address = ":80"
    [entryPoints.https]
    address = ":443"
    [entryPoints.traefik]
    address = ":8080"

[api]
    dashboard = true
    insecure  = true

# Enable Consul Catalog configuration backend.
[providers.consulCatalog]
    prefix = "traefik"
    connectAware = true
    connectByDefault = true
    exposedByDefault = false

    [providers.consulCatalog.endpoint]
      address = "10.12.0.101:8500"
      token = "token to consul traefik policy"
      scheme  = "http"
EOF

        destination = "local/traefik.toml"
      }

      resources {
        cpu    = 100
        memory = 128
      }
    }
  }
}

To test I'm using this job from the Nomad docs:

Am I missing something?

okkdev · September 3, 2021, 4:23pm

I found a solution.

I was missing the Traefik service write privilege. Here the updated policy:

key_prefix "traefik" {
  policy = "write"
}

service "traefik" {
  policy = "write"
}

agent_prefix "" {
  policy = "read"
}

node_prefix "" {
  policy = "read"
}

service_prefix "" {
  policy = "read"
}

And the updated nomad job:

job "traefik" {
  datacenters = ["dc1"]
  type        = "service"

  group "traefik" {
    count = 1

    network {
      port "http" {
        static = 80
      }

      port "https" {
        static = 443
      }

      port "api" {
        static = 8080
      }
    }

    service {
      name = "traefik"
      port = "http"

      connect {
        native = true
      }

      check {
        name     = "alive"
        type     = "tcp"
        port     = "http"
        interval = "10s"
        timeout  = "2s"
      }
    }

    task "traefik" {
      driver = "docker"

      config {
        image        = "traefik:v2.5"
        network_mode = "host"

        volumes = [
          "local/traefik.toml:/etc/traefik/traefik.toml",
        ]
      }

      template {
        data = <<EOF
[entryPoints]
    [entryPoints.http]
    address = ":80"
    [entryPoints.https]
    address = ":443"
    [entryPoints.traefik]
    address = ":8080"

[api]
    dashboard = true
    insecure  = true

# Enable Consul Catalog configuration backend.
[providers.consulCatalog]
    servicename = "traefik"
    prefix = "traefik"
    connectAware = true
    connectByDefault = true
    exposedByDefault = false

    [providers.consulCatalog.endpoint]
      address = "{{ env \"CONSUL_HTTP_ADDR\" }}"
      token = "REPLACE ME WITH THE TRAEFIK TOKEN"
      scheme  = "http"
EOF

        destination = "local/traefik.toml"
      }

      resources {
        cpu    = 100
        memory = 128
      }
    }
  }
}

paladin-devops · November 9, 2021, 8:33pm

@okkdev I really wish I found this post sooner, I have been pouring through Traefik docs, GitHub issues and googling, but never knew about the community forum. Within the last hour I just figured out the permissions, just as you have them set!

I may open up a GitHub issue for a feature request for this to be added to the documentation. I couldn't determine which Consul API method that Traefik was using until I accidentally set it to use the wrong Consul URL. Prior to that, only a vanilla 403 error message was being logged. When I had the wrong URL set, I could actually see which method in the Consul API it was trying to use, which allowed me to determine what ACL policies were required from the Consul docs.

jakubhajek · November 9, 2021, 10:33pm

hello @paladin-devops

I highly encourage you to open PR if you find the solution shared by @okkdev helpful. All contributions around all areas in the Traefik project are warmly welcome!

@okkdev thank you very much for sharing the final solution!

Topic		Replies	Views
Consul Catalog - Services not added to Traefik after exposedByDefault is set to false Traefik v2 (latest) consul-catalog	2	592	August 20, 2020
Traefik and Consul Catalog Provider issue Traefik v2 (latest) consul-catalog	0	567	August 12, 2020
Does anyone have a sample config of traefik 2.x using consul kv store? Traefik v2 (latest) consul-catalog	6	1759	May 13, 2021
Path routing doesn't work for a Nomad job Traefik v2 (latest) docker , consul-catalog	5	558	July 7, 2023
Cannot deploy Nomad task with Traefik loadbalancing using Nomad's native service discovery Traefik v2 (latest) consul-catalog	4	545	April 19, 2023

Consul Connect with ACL

Related Topics