Talking to agent with downward API fails when hosts have multiple IPs (ex. EKS w/ aws-cniI) about consul-helm HOT 9 CLOSED

Gotcha, that definitely makes sense and it looks like the consul DaemonSet is currently missing the following in the spec:

dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true

so it's not actually binding to the host ports specified and explains why my setup as well as @popopanda are experiencing the issue.

from consul-helm.

This same issue occurs with Digital Ocean's k8 offering. The only way to resolve is to change the host ip the sync catalog deployment to reflect the internal domain of the consul server service rather than piggy backing off of the clusterIp which is injected via hostip

https://github.com/hashicorp/consul-helm/blob/master/templates/sync-catalog-deployment.yaml#L36
https://github.com/hashicorp/consul-helm/blob/master/templates/sync-catalog-deployment.yaml#L49

            -http-addr=consul-server:8500 \

Perhaps this should be optional in the values.yml

@mitchellh

For others looking, a present fix is to override the sync-catalog-deployment.yaml file with the change to reflect the consul service name as the hostIp.

from consul-helm.

Also, this is my values.yml I used

global:
  enabled: true

  # Domain to register the Consul DNS server to listen for.
  domain: consul
  image: "consul:1.3.0"
  imageK8S: "hashicorp/consul-k8s:0.2.0"
  datacenter: dc1

server:
  enabled: true
  image: null
  replicas: 3
  bootstrapExpect: 3 # Should <= replicas count

  storage: 10Gi
  storageClass: null

  connect: true

  resources: {}
  updatePartition: 0
  disruptionBudget:
    enabled: true
    maxUnavailable: null
  extraConfig: |
    {}
  extraVolumes: []
    # - type: secret (or "configMap")
    #   name: my-secret
    #   load: false # if true, will add to `-config-dir` to load by Consul
client:
  enabled: "-"
  image: null
  join: null
  grpc: false
  resources: {}
  extraConfig: |
    {}
  extraVolumes: []
    # - type: secret (or "configMap")
    #   name: my-secret
    #   load: false # if true, will add to `-config-dir` to load by Consul

dns:
  enabled: "-"

ui:
  enabled: true
  service:
    enabled: true
    type: NodePort

syncCatalog:
  # True if you want to enable the catalog sync. "-" for default.
  enabled: true
  image: null
  toConsul: true
  toK8S: true

  k8sPrefix: null

connectInject:
  enabled: false
  image: null # image for consul-k8s that contains the injector
  default: false # true will inject by default, otherwise requires annotation
  imageConsul: null
  imageEnvoy: null

  namespaceSelector: null

  certs:
    secretName: null
    caBundle: ""
    certName: tls.crt
    keyName: tls.key

from consul-helm.

The issue here is the consul-sync-catalog deployment is being configured with the hostIP of the pod when it should just be using the consul-server Service. I manually changed the deployment to use the following command:

        - /bin/sh
        - -ec
        - |
          consul-k8s sync-catalog \
            -http-addr=consul-server:8500 \
            -consul-domain=consul \
            -k8s-write-namespace=${NAMESPACE}

I'm not sure what the thinking is behind using the hostIP for the -http-addr flag.

from consul-helm.

@jipperinbham Consul tooling should use the local agent wherever possible. The servers aren't meant to field cluster-wide API requests on their own (though they can to a fairly high scale). The local agent performs aggressive API batching, pipelining, and TCP multiplexing along with local caching to make Consul a lot more performant. Additionally, in the case of the catalog sync, it provides a local agent to register a service against in some cases which provides proper node health checking.

Please ensure you have the Consul clients installed using the Helm chart. This will expose the agent HTTP API on port 8500 on the host IP.

from consul-helm.

Just for me to refer to later, the issue is that we're using the downward API to inject the HOST_IP environment variable so we can talk to the agent running on our node. In some deployments, ex. EKS with the aws-cni plugin that uses multiple enis, the HOST_IP is only one IP of multiple and so we might not be able to talk to the agent on that specific HOST_IP.

I'm not sure why we're not using hostNetwork and will need to ask the team.

from consul-helm.

Gotcha, that definitely makes sense and it looks like the consul DaemonSet is currently missing the following in the spec:

dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true

so it's not actually binding to the host ports specified and explains why my setup as well as @popopanda are experiencing the issue.

@jipperinbham we are running with hostPort: 8500 so hostNetwork should not be required

from consul-helm.

This same issue occurs with Digital Ocean's k8 offering. The only way to resolve is to change the host ip the sync catalog deployment to reflect the internal domain of the consul server service rather than piggy backing off of the clusterIp which is injected via hostip

https://github.com/hashicorp/consul-helm/blob/master/templates/sync-catalog-deployment.yaml#L36
https://github.com/hashicorp/consul-helm/blob/master/templates/sync-catalog-deployment.yaml#L49

            -http-addr=consul-server:8500 \

Perhaps this should be optional in the values.yml

@mitchellh

For others looking, a present fix is to override the sync-catalog-deployment.yaml file with the change to reflect the consul service name as the hostIp.

@ptariche I just tested this chart with Digital Ocean and the sync deployment could reach the local consul agent using its hostPort. Maybe something has changed on DO's side?

from consul-helm.

@popopanda from my testing, this should be working. Since this ticket is 1 year old, it's likely things have changed. It's totally our fault that this has sat here for so long but I'm going to close it now.

If folks are still having issues with the sync catalog pod not being able to talk to the local consul agent please open a new issue.

from consul-helm.