Open consul connect proxies from inside the box, and forward this to the user's machine #343

Closed
pdmthorsrud opened this issue Sep 21, 2020 · 6 comments · Fixed by #387
Labels: theme/template (Related to vagrant-hashistack-template), theme/ux (Related to the user experience of the box or template), type/enhancement (New feature or request)
Contributor

pdmthorsrud commented Sep 21, 2020

Right now we open proxies from outside the box. Opening these inside the box would enable us to take advantage of everything the box brings (e.g. fetching consul acl token via vault which will be implemented in #342).

Requirements:

  • Pattern for setting up consul-connect proxies to services
  • These proxies are transparent for the user; the service is simply available as if the service is running on the user's machine locally (e.g. service is available on `localhost:5050`)
Contributor

zhenik commented Sep 21, 2020

Contributor Author

pdmthorsrud commented Sep 21, 2020

> Does this cover your needs https://github.com/fredrikhgrelland/terraform-nomad-presto/blob/master/dev/ansible/05_presto_create_tables.yml#L14-L28 ?

Is that service then available on 10.0.3.10:8888 for the user? If so, I guess this would serve the correct purpose for now, yes.

Contributor

zhenik commented Sep 21, 2020

> > Does this cover your needs https://github.com/fredrikhgrelland/terraform-nomad-presto/blob/master/dev/ansible/05_presto_create_tables.yml#L14-L28 ?
>
> Is that service then available on 10.0.3.10:8888 for the user? If so, I guess this would serve the correct purpose for now, yes.

I haven't checked outside the box.

Contributor Author

pdmthorsrud commented Sep 21, 2020

> I haven't checked outside the box.

We should check that, and if it is, we should document this, and make that the primary way of giving users access to the services (instead of having targets in the Makefile that open new consul-connect proxies).

pdmthorsrud added theme/template Related to vagrant-hashistack-template theme/ux Related to the user experience of the box or template type/enhancement New feature or request labels Sep 21, 2020
zhenik added this to the 0.5.0 milestone Sep 30, 2020
Contributor

zhenik commented Oct 7, 2020

So far, research results

Option 1

Expose (to the local machine) a range of ports, which will be used for the local proxy inside the box.

1.1.
Reference https://www.vagrantup.com/docs/networking/forwarded_ports

You can define allowed port range assignable by Vagrant when port collision is detected via config.vm.usable_port_range property.

```ruby
Vagrant.configure("2") do |config|
  config.vm.usable_port_range = 8000..8999
end
```

1.2.
Reference https://serverfault.com/a/581833

Using for-loop

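```ruby
Vagrant.configure("2") do |config|
  # Forward every port in the range from the guest to the same port on the host
  for i in 64000..65535
    config.vm.network :forwarded_port, guest: i, host: i
  end
end
```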

Option 2

Using vagrant cli

Reference https://stackoverflow.com/a/52348660

```
vagrant ssh -- -L <local machine port>:<host inside machine>:<port inside machine>

vagrant ssh -- -L 7001:localhost:5432
```

The cool part of option 2 is that you can also expose several ports. Imagine you have run the minio module and run a local proxy inside the box on port 9999.
So inside the box you have 2 minio instances: one is for artifact deployment (available inside the box on port 9000) and the other is the minio module instance (available inside the box on port 9999, the proxy).

To expose both minio instances:

```
vagrant ssh -- -L 7001:localhost:9999 -L 7002:localhost:9000
```

On the local machine, the artifactory is on port 7002 and the module is on port 7001.

Additional info

```
vagrant ssh -- --help

usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
           [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
           [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
           [-i identity_file] [-J [user@]host[:port]] [-L address]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] destination [command]
```

Contributor

zhenik commented Oct 7, 2020

I like option 2, available from the box. You can use it without any changes.
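
The multi-port forward from option 2, as an added example that is not part of the original thread or the project's code: a shell helper that validates each pair and pins every listener to 127.0.0.1, so the forwarded services are reachable only from the user's own machine. The function names and the `host_port:guest_port` argument format are assumptions made for this example.

```bash
#!/bin/sh
# Added example (not from the thread): build loopback-only -L forwards
# for `vagrant ssh`. Names and argument format are hypothetical.

# in_range VALUE MIN: succeed if VALUE is a decimal port in MIN..65535.
in_range() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 5 ] && [ "$1" -ge "$2" ] && [ "$1" -le 65535 ]
}

# build_forwards HOST_PORT:GUEST_PORT...
# Prints the ssh arguments for all pairs, or fails on the first bad pair.
build_forwards() {
  local pair host guest seen=" " args=""
  for pair in "$@"; do
    host=${pair%%:*}
    guest=${pair#*:}
    # Host ports must be unprivileged; guest ports may be any valid port.
    if [ "$host" = "$pair" ] || ! in_range "$host" 1024 || ! in_range "$guest" 1; then
      echo "invalid mapping: $pair" >&2
      return 1
    fi
    # Two forwards cannot listen on the same host port.
    case "$seen" in
      *" $host "*) echo "duplicate host port: $host" >&2; return 1 ;;
    esac
    seen="$seen$host "
    # The explicit bind address keeps the listener on loopback even when
    # GatewayPorts is enabled in the user's ssh configuration.
    args="$args -L 127.0.0.1:$host:localhost:$guest"
  done
  printf '%s\n' "${args# }"
}

# Usage (word splitting of the output is intended):
#   vagrant ssh -- $(build_forwards 7001:9999 7002:9000)
```

Option 1's `forwarded_port` entries accept `host_ip: "127.0.0.1"` for the same loopback-only binding.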
