consul/connect: dynamically select envoy sidecar at runtime

[shoenig]

As newer versions of Consul are released, the minimum version of Envoy
it supports as a sidecar proxy also gets bumped. Starting with the upcoming
Consul v1.9.X series, Envoy v1.11.X will no longer be supported. Current
versions of Nomad hardcode a version of Envoy v1.11.2 to be used as the
default implementation of Connect sidecar proxy.

This PR introduces a change such that each Nomad Client will query its
local Consul for a list of Envoy proxies that it supports (hashicorp/consul#8545)
and then launch the Connect sidecar proxy task using the latest supported version
of Envoy. If the SupportedProxies API component is not available from
Consul, Nomad will fallback to the old version of Envoy supported by old
versions of Consul.

Setting the meta configuration option meta.connect.sidecar_image or
setting the connect.sidecar_task stanza will take precedence as is
the current behavior for sidecar proxies.

Setting the meta configuration option meta.connect.gateway_image
will take precedence as is the current behavior for connect gateways.

meta.connect.sidecar_image and meta.connect.gateway_image may make
use of the special ${NOMAD_envoy_version} variable interpolation, which
resolves to the newest version of Envoy supported by the Consul agent.

Addresses #8585 #7665

[shoenig]

TODO

• e2e testing
• changelog entry

[schmichael]

Only comments are just dreaming up possible rough edges. Not blockers

[schmichael]

I wonder if we should actually skip this to ensure we re-run it in the event Envoy fails? Seems cheap enough we might as well.

Bootstrap has a similar problem though, so it might not be worth worrying about here if there's a chance we're just going to fail later due to bootstrap changes not being picked up or something.

[shoenig]

I was thinking the opposite - if Envoy gets restarted the generated envoy config and the envoy version that gets launched should continue to work together. It's kind of interesting in that Envoy will try twice - interpreting the config at versions N and N-1, but it'd be more consistent to just have the version and bootstrap hooks behave the same. OTOH, maybe now it would make sense to query the version and regenerate the config on every sidecar task restart.

[schmichael]

If Consul is being restarted when this is called it will fail the task and go into a restart loop which... seems ok?

In configurations where Consul does not start before Nomad there could be spurious task failures, but I think that's already true for Connect? Bootstrap has that awkward bulitin retry that avoids spurious task failures, but it's not a very robust approach.

[shoenig]

The envoy bootstrap hook's retry block I believe really targets the race condition between launching the sidecar and Nomad actually registering the service to be proxied - potentially a common occurrence. I'm thinking /v1/agent/self response failures are either rare enough or catastrophic enough that letting the task do a restart in those cases is probably fine

[nickethier]

Great work, I really like the way this turned out!

[github-actions]

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.