Nomad 0.10: Secure Service to Service Traffic with Consul Connect Integration
Nov 12, 2019
Learn about the new features and integrations in HashiCorp Nomad 0.10.
- Erik Veld, Developer Advocate, HashiCorp
With service mesh quickly becoming a necessity for addressing the connectivity and security challenges of microservice networking, HashiCorp's Consul Connect is becoming a vital component of modern infrastructure stacks. Nomad 0.10 connects your infrastructure orchestration and scheduling capabilities with Consul Connect for bare metal, VM, and container-based infrastructures. This release enhances the Consul Connect integration to support the sidecar traffic pattern for service mesh, which lets Nomad-managed services opt into mutual TLS connections between services without additional code changes to the application.
In this webinar, HashiCorp developer advocate Erik Veld will cover all the new features of Nomad 0.10 and demo how to run Consul service mesh on Nomad 0.10—effectively securing your microservice communications. New Nomad 0.10 features covered in this webinar include:
- Host Volumes: Stateful workload support through locally mounted storage volumes
- UI Allocation File Explorer: A visual file system explorer for allocations
- Network Namespaces: Support communication between applications and sidecar proxies
- Consul Connect integration: Secure service-to-service communication and bridge networking
1:02 — Host volumes in Nomad 0.10
2:53 — Allocation file explorer in Nomad 0.10
3:46 — Network namespaces in Nomad 0.10
7:58 — Demo: Network namespaces
14:04 — Nomad 0.10 & Consul Connect integration
24:41 — Demo: Nomad 0.10 & Consul Connect integration
41:57 — Q&A
- How is this different from the usual bind-mount?
  - Host volumes give you a named volume that's tied to a specific host. This allows the workload to simply specify the volume by name, and Nomad will schedule the workload to the correct node where the host volume is defined.
- Does a write replicate to all hosts?
- Are volumes just for exec and raw_exec drivers? How does this relate to traditional Docker volumes?
- If the group has the IP how do you target a task from inside the group? How do they specify each other inside their group on the flat network? Is it by task name? How does the sidecar proxy know how to talk to the service (database in this case)?
- Does Nomad support the 0.7.x CNI plugin?
  - Nomad has only been tested with 0.8.1+.
- Is Consul client really the Consul agent?
- Is it possible to set dynamic ports when the service is at group level? When we create volumes for a certain service, if the service is moving around, does the volume get replicated or created where the service is running? Does the data get replicated? Or does the service stick to where the volume is created?
- How is the sidecar proxy executed? Does the Envoy binary need to be installed on the node?
  - By default Nomad adds a Docker task to the allocation that uses the official Envoy Docker image to run Envoy. There is a 'sidecar_task' stanza with which you can override task settings.
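A minimal job spec that puts the pieces discussed above together: group-level bridge networking, a Connect sidecar in front of each service, an upstream reached from the downstream task only through its sidecar over mTLS, and a 'sidecar_task' stanza overriding the default Envoy task. This is an added example, not the webinar demo; the job name, service names, ports and image names are placeholders.

```hcl
job "connect-demo" {
  datacenters = ["dc1"]
  group "api" {
    network { mode = "bridge" } # task and its Envoy sidecar share a network namespace
    service {
      name = "api"
      port = "8080" # sidecar terminates mTLS and forwards plaintext here
      connect {
        sidecar_service {}
      }
    }
    task "api" {
      driver = "docker"
      config { image = "example/api:latest" } # assumed placeholder image
    }
  }
  group "web" {
    network { mode = "bridge" }
    service {
      name = "web"
      port = "9000"
      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "api" # reached at 127.0.0.1:8080, over mTLS
              local_bind_port  = 8080
            }
          }
        }
        sidecar_task { # override settings of the default Envoy task
          resources {
            cpu    = 100
            memory = 64
          }
        }
      }
    }
    task "web" {
      driver = "docker"
      env {
        API_ADDR = "${NOMAD_UPSTREAM_ADDR_api}" # set by Nomad to 127.0.0.1:8080
      }
      config { image = "example/web:latest" } # assumed placeholder image
    }
  }
}
```

Because neither group publishes a host port, the "api" service is only reachable through the Connect sidecars, so every hop between the two tasks is authenticated and encrypted by Envoy.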
- Does Nomad support mixed network mode? e.g. Consul running on the host while tasks are running in bridge networks?
  - Nomad manages most communication with Consul: check and service registering/deregistering, etc. Currently you cannot communicate directly with the host Consul agent HTTP API, but it is something on our immediate roadmap.