From 7217e7f8b83f37ae9af1c991896552508f1526ac Mon Sep 17 00:00:00 2001
From: Ryan Sundberg
Date: Tue, 22 Jun 2021 23:27:38 -0700
Subject: [PATCH] Enable support for CNI mode networks for Consul Connect

Issue: https://github.com/hashicorp/nomad/issues/8953
---
 client/allocrunner/consul_grpc_sock_hook.go | 4 ++--
 client/allocrunner/consul_http_sock_hook.go | 13 +++++++------
 nomad/job_endpoint_hook_connect.go | 6 ++++--
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/client/allocrunner/consul_grpc_sock_hook.go b/client/allocrunner/consul_grpc_sock_hook.go
index d8152ac3c7d..c69a30c5e9d 100644
--- a/client/allocrunner/consul_grpc_sock_hook.go
+++ b/client/allocrunner/consul_grpc_sock_hook.go
@@ -80,8 +80,8 @@ func (*consulGRPCSocketHook) Name() string {
 func (h *consulGRPCSocketHook) shouldRun() bool {
 tg := h.alloc.Job.LookupTaskGroup(h.alloc.TaskGroup)
 
- // we must be in bridge networking and at least one connect sidecar task
- if !tgFirstNetworkIsBridge(tg) {
+ // we must be in bridge or CNI networking, with at least one connect sidecar task.
+ if !tgFirstNetworkIsBridgeOrCNI(tg) {
 return false
 }
 
diff --git a/client/allocrunner/consul_http_sock_hook.go b/client/allocrunner/consul_http_sock_hook.go
index f5135e59ab1..e483f659bc3 100644
--- a/client/allocrunner/consul_http_sock_hook.go
+++ b/client/allocrunner/consul_http_sock_hook.go
@@ -10,6 +10,7 @@ import (
 "net"
 "os"
 "path/filepath"
+ "strings"
 "sync"
 "time"
 
@@ -20,11 +21,12 @@ import (
 "github.com/hashicorp/nomad/nomad/structs/config"
 )
 
-func tgFirstNetworkIsBridge(tg *structs.TaskGroup) bool {
- if len(tg.Networks) < 1 || tg.Networks[0].Mode != "bridge" {
+func tgFirstNetworkIsBridgeOrCNI(tg *structs.TaskGroup) bool {
+ if len(tg.Networks) < 1 {
 return false
 }
- return true
+ mode := tg.Networks[0].Mode
+ return mode == "bridge" || strings.HasPrefix(mode, "cni/")
 }
 
 const (
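Review bot: `strings.HasPrefix(mode, "cni/")` in `tgFirstNetworkIsBridgeOrCNI` accepts any mode string with that prefix, including a bare `cni/` with no network name, and the same expression is repeated in `groupConnectSidecarValidate` in nomad/job_endpoint_hook_connect.go. If the mode is not validated elsewhere (not visible in this patch), tighten it to `return mode == "bridge" || (strings.HasPrefix(mode, "cni/") && len(mode) > len("cni/"))`, and keep the client-side gate and the server-side validator on one shared predicate so the two cannot drift apart. The renamed helper also has no doc comment; `// tgFirstNetworkIsBridgeOrCNI reports whether the group's first network is "bridge" or "cni/<name>"; it does not check that the named CNI configuration isolates the allocation the way bridge mode does.` would record what the Connect hooks are relying on here.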
@@ -56,12 +58,11 @@ func (*consulHTTPSockHook) Name() string {
 // shouldRun returns true if the alloc contains at least one connect native
 // task and has a network configured in bridge mode
 //
-// todo(shoenig): what about CNI networks?
 func (h *consulHTTPSockHook) shouldRun() bool {
 tg := h.alloc.Job.LookupTaskGroup(h.alloc.TaskGroup)
 
- // we must be in bridge networking and at least one connect native task
- if !tgFirstNetworkIsBridge(tg) {
+ // we must be in bridge or CNI networking, with at least one connect native task.
+ if !tgFirstNetworkIsBridgeOrCNI(tg) {
 return false
 }
 
diff --git a/nomad/job_endpoint_hook_connect.go b/nomad/job_endpoint_hook_connect.go
index cb7bd72b6fa..0ee935fae10 100644
--- a/nomad/job_endpoint_hook_connect.go
+++ b/nomad/job_endpoint_hook_connect.go
@@ -574,8 +574,10 @@ func groupConnectSidecarValidate(g *structs.TaskGroup, s *structs.Service) error
 return fmt.Errorf("Consul Connect sidecars require exactly 1 network, found %d in group %q", n, g.Name)
 }
 
- if g.Networks[0].Mode != "bridge" {
- return fmt.Errorf("Consul Connect sidecar requires bridge network, found %q in group %q", g.Networks[0].Mode, g.Name)
+ mode := g.Networks[0].Mode
+
+ if mode != "bridge" && !strings.HasPrefix(mode, "cni/") {
+ return fmt.Errorf("Consul Connect sidecar requires a bridge or CNI network, found %q in group %q", g.Networks[0].Mode, g.Name)
 }
 
 // We must enforce lowercase characters on group and service names for connect
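Review bot: The doc comment on `shouldRun` in consul_http_sock_hook.go still says the alloc must have "a network configured in bridge mode", which no longer matches the check below it, and removing the todo leaves a bare `//` as the comment's last line. Update the second line to `// task and has a network configured in bridge or CNI mode` and drop the trailing `//`. The `shouldRun` in consul_grpc_sock_hook.go receives the same change to its check; its doc comment lies outside that hunk, so it is worth checking for the same stale wording.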
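Review bot: `groupConnectSidecarValidate` now calls `strings.HasPrefix`, but this file's only hunk adds no import, so the build depends on `strings` already being imported in nomad/job_endpoint_hook_connect.go, which is not visible in this patch. The error path also still formats `g.Networks[0].Mode` although `mode` was introduced two lines earlier; ending the call with `mode, g.Name)` would be consistent with the new condition. Since this validator is the job-submission gate, it is the natural place to reject a `cni/` mode with an empty network name before the job reaches a client, unless that is enforced elsewhere. The function starts and ends outside the hunk.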