Consul Connect with ACL

okkdev · August 31, 2021, 11:20am

Hello! I'm setting up an ACL enabled Nomad cluster with Consul and Traefik. I'm trying to use the new Consul Connect capabilities of Traefik 2.5, but the routes for the deployed apps wont register.

I created a new Consul policy for Traefik:

key_prefix "traefik" {
  policy = "write"
}

agent_prefix "" {
  policy = "read"
}

node_prefix "" {
  policy = "read"
}

service_prefix "" {
  policy = "read"
}

And deployed Traefik to Nomad:

job "traefik" {
  region      = "global"
  datacenters = ["dc1"]
  type        = "service"

  group "traefik" {
    count = 1

    network {
      port "http" {
        static = 80
      }

      port "https" {
        static = 443
      }

      port "api" {
        static = 8080
      }
    }

    service {
      name = "traefik"

      check {
        name     = "alive"
        type     = "tcp"
        port     = "http"
        interval = "10s"
        timeout  = "2s"
      }
    }

    task "traefik" {
      driver = "docker"

      config {
        image        = "traefik:v2.5"
        network_mode = "host"

        volumes = [
          "local/traefik.toml:/etc/traefik/traefik.toml",
        ]
      }

      template {
        data = <<EOF
[entryPoints]
    [entryPoints.http]
    address = ":80"
    [entryPoints.https]
    address = ":443"
    [entryPoints.traefik]
    address = ":8080"

[api]
    dashboard = true
    insecure  = true

# Enable Consul Catalog configuration backend.
[providers.consulCatalog]
    prefix = "traefik"
    connectAware = true
    connectByDefault = true
    exposedByDefault = false

    [providers.consulCatalog.endpoint]
      address = "10.12.0.101:8500"
      token = "token to consul traefik policy"
      scheme  = "http"
EOF

        destination = "local/traefik.toml"
      }

      resources {
        cpu    = 100
        memory = 128
      }
    }
  }
}

To test I'm using this job from the Nomad docs:

Am I missing something?

okkdev · September 3, 2021, 4:23pm

I found a solution.

I was missing the Traefik service write privilege. Here the updated policy:

key_prefix "traefik" {
  policy = "write"
}

service "traefik" {
  policy = "write"
}

agent_prefix "" {
  policy = "read"
}

node_prefix "" {
  policy = "read"
}

service_prefix "" {
  policy = "read"
}

And the updated nomad job:

job "traefik" {
  datacenters = ["dc1"]
  type        = "service"

  group "traefik" {
    count = 1

    network {
      port "http" {
        static = 80
      }

      port "https" {
        static = 443
      }

      port "api" {
        static = 8080
      }
    }

    service {
      name = "traefik"
      port = "http"

      connect {
        native = true
      }

      check {
        name     = "alive"
        type     = "tcp"
        port     = "http"
        interval = "10s"
        timeout  = "2s"
      }
    }

    task "traefik" {
      driver = "docker"

      config {
        image        = "traefik:v2.5"
        network_mode = "host"

        volumes = [
          "local/traefik.toml:/etc/traefik/traefik.toml",
        ]
      }

      template {
        data = <<EOF
[entryPoints]
    [entryPoints.http]
    address = ":80"
    [entryPoints.https]
    address = ":443"
    [entryPoints.traefik]
    address = ":8080"

[api]
    dashboard = true
    insecure  = true

# Enable Consul Catalog configuration backend.
[providers.consulCatalog]
    servicename = "traefik"
    prefix = "traefik"
    connectAware = true
    connectByDefault = true
    exposedByDefault = false

    [providers.consulCatalog.endpoint]
      address = "{{ env \"CONSUL_HTTP_ADDR\" }}"
      token = "REPLACE ME WITH THE TRAEFIK TOKEN"
      scheme  = "http"
EOF

        destination = "local/traefik.toml"
      }

      resources {
        cpu    = 100
        memory = 128
      }
    }
  }
}

paladin-devops · November 9, 2021, 8:33pm

@okkdev I really wish I found this post sooner, I have been pouring through Traefik docs, GitHub issues and googling, but never knew about the community forum. Within the last hour I just figured out the permissions, just as you have them set!

I may open up a GitHub issue for a feature request for this to be added to the documentation. I couldn't determine which Consul API method that Traefik was using until I accidentally set it to use the wrong Consul URL. Prior to that, only a vanilla 403 error message was being logged. When I had the wrong URL set, I could actually see which method in the Consul API it was trying to use, which allowed me to determine what ACL policies were required from the Consul docs.

jakubhajek · November 9, 2021, 10:33pm

hello @paladin-devops

I highly encourage you to open PR if you find the solution shared by @okkdev helpful. All contributions around all areas in the Traefik project are warmly welcome!

@okkdev thank you very much for sharing the final solution!

Topic		Replies	Views
Traefik Nomad deployment with Consul Connect Traefik v2 consul-catalog	2	1134	June 1, 2022
[CONSUL][ACL] Using ACL with traefik 2.0 for configuration discovery Traefik v2 kv	8	1689	April 30, 2021
Consul Catalog - Services not added to Traefik after exposedByDefault is set to false Traefik v2 consul-catalog	2	659	August 20, 2020
Traefik and Consul Catalog Provider issue Traefik v2 consul-catalog	0	618	August 12, 2020
Does anyone have a sample config of traefik 2.x using consul kv store? Traefik v2 consul-catalog	6	2068	May 13, 2021

Consul Connect with ACL

Related topics