Last active
April 15, 2024 14:46
-
-
Save apollo13/857ae4c5e18de619815c2628212449e1 to your computer and use it in GitHub Desktop.
Traefik 2.5 with Consul Connect on Nomad
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Simple example to deploy traefik with consul connect enabled. | |
| # For simplicity the job includes traefik as well as the backend service. | |
| # Please note that traefik currently only supports connect for HTTP. | |
| job "traefik-consul-connect-demo" { | |
| datacenters = ["dc1"] | |
| group "edge" { | |
| network { | |
| mode = "bridge" | |
| port "http" { | |
| to = 8080 | |
| } | |
| } | |
| service { | |
| name = "traefik-ingress" | |
| port = "http" | |
| connect { | |
| native = true | |
| } | |
| } | |
| task "traefik" { | |
| driver = "docker" | |
| config { | |
| image = "traefik:v2.5.2" | |
| args = [ | |
| # Enables connect support, otherwise only http connections would be tried | |
| "--providers.consulcatalog.connectaware=true", | |
| # Make the communication secure by default | |
| "--providers.consulcatalog.connectbydefault=true", | |
| "--providers.consulcatalog.exposedbydefault=false", | |
| "--entrypoints.http=true", | |
| "--entrypoints.http.address=:8080", | |
| # The service name below should match the nomad/consul service above | |
| # and is used for intentions in consul | |
| "--providers.consulcatalog.servicename=traefik-ingress", | |
| "--providers.consulcatalog.prefix=traefik", | |
| # Automatically configured by Nomad through CONSUL_* environment variables | |
| # as long as client consul.share_ssl is enabled | |
| # "--providers.consulcatalog.endpoint.address=<socket|address>" | |
| # "--providers.consulcatalog.endpoint.tls.ca=<path>" | |
| # "--providers.consulcatalog.endpoint.tls.cert=<path>" | |
| # "--providers.consulcatalog.endpoint.tls.key=<path>" | |
| # "--providers.consulcatalog.endpoint.token=<token>" | |
| ] | |
| } | |
| env { | |
| # Enable this if nomad is older than 1.1.3 | |
| # CONSUL_TLS_SERVER_NAME = "localhost" | |
| } | |
| } | |
| } | |
| group "backend" { | |
| network { | |
| mode = "bridge" | |
| } | |
| service { | |
| name = "whoami" | |
| port = 80 | |
| tags = [ | |
| "traefik.enable=true", | |
| "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)" | |
| ] | |
| connect { | |
| sidecar_service {} | |
| } | |
| } | |
| # Note: For increased security the service should only listen on localhost | |
| # Otherwise it could be reachable from the outside world without going through connect | |
| task "whoami" { | |
| driver = "docker" | |
| config { | |
| image = "containous/whoami" | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The sidecar is necessary for traefik?