Enable support for CNI mode networks for Consul Connect

Issue: hashicorp#8953
arctype-co · Jan 17, 2024 · 7217e7f · 7217e7f
1 parent a7cfff3
commit 7217e7f
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 10 deletions.
diff --git a/client/allocrunner/consul_grpc_sock_hook.go b/client/allocrunner/consul_grpc_sock_hook.go
@@ -80,8 +80,8 @@ func (*consulGRPCSocketHook) Name() string {
 func (h *consulGRPCSocketHook) shouldRun() bool {
 	tg := h.alloc.Job.LookupTaskGroup(h.alloc.TaskGroup)
 
-	// we must be in bridge networking and at least one connect sidecar task
-	if !tgFirstNetworkIsBridge(tg) {
+	// we must be in bridge or CNI networking, with at least one connect sidecar task.
+	if !tgFirstNetworkIsBridgeOrCNI(tg) {
 		return false
 	}
 

diff --git a/client/allocrunner/consul_http_sock_hook.go b/client/allocrunner/consul_http_sock_hook.go
@@ -10,6 +10,7 @@ import (
 	"net"
 	"os"
 	"path/filepath"
+	"strings"
 	"sync"
 	"time"
 
@@ -20,11 +21,12 @@ import (
 	"github.com/hashicorp/nomad/nomad/structs/config"
 )
 
-func tgFirstNetworkIsBridge(tg *structs.TaskGroup) bool {
-	if len(tg.Networks) < 1 || tg.Networks[0].Mode != "bridge" {
+func tgFirstNetworkIsBridgeOrCNI(tg *structs.TaskGroup) bool {
+	if len(tg.Networks) < 1 {
 		return false
 	}
-	return true
+	mode := tg.Networks[0].Mode
+	return mode == "bridge" || strings.HasPrefix(mode, "cni/")
 }
 
 const (
@@ -56,12 +58,11 @@ func (*consulHTTPSockHook) Name() string {
 // shouldRun returns true if the alloc contains at least one connect native
 // task and has a network configured in bridge mode
 //
-// todo(shoenig): what about CNI networks?
 func (h *consulHTTPSockHook) shouldRun() bool {
 	tg := h.alloc.Job.LookupTaskGroup(h.alloc.TaskGroup)
 
-	// we must be in bridge networking and at least one connect native task
-	if !tgFirstNetworkIsBridge(tg) {
+	// we must be in bridge or CNI networking, with at least one connect native task.
+	if !tgFirstNetworkIsBridgeOrCNI(tg) {
 		return false
 	}
 

diff --git a/nomad/job_endpoint_hook_connect.go b/nomad/job_endpoint_hook_connect.go
@@ -574,8 +574,10 @@ func groupConnectSidecarValidate(g *structs.TaskGroup, s *structs.Service) error
 		return fmt.Errorf("Consul Connect sidecars require exactly 1 network, found %d in group %q", n, g.Name)
 	}
 
-	if g.Networks[0].Mode != "bridge" {
-		return fmt.Errorf("Consul Connect sidecar requires bridge network, found %q in group %q", g.Networks[0].Mode, g.Name)
+  mode := g.Networks[0].Mode
+
+	if mode != "bridge" && !strings.HasPrefix(mode, "cni/") {
+		return fmt.Errorf("Consul Connect sidecar requires a bridge or CNI network, found %q in group %q", g.Networks[0].Mode, g.Name)
 	}
 
 	// We must enforce lowercase characters on group and service names for connect