use consul connect to provide secure, load-balanced access to node socket internally #71
Description
Currently any services that require access to a node socket need a dedicated cardano node running along side it, such as db-sync & ogmios. It might be more efficient and also more fault tolerant to provide a consul connect service that exposes the socket of every node in the network at the same address.
It would look something like this:
- node creates local unix socket
socat(or similar tool) sidecar exposes the socket on a local port- create a consul service to point at this port, all nodes use the same service name so they are pooled
- set a consul connect sidecar to expose a load-balanced proxy to this service
- any internal service that needs access to a socket (db-sync, etc) can read from this proxy to have HA access to the nodes in the network
So long as you don't expose the service to the outside world via traefik, it should be plenty secure and probably more robust, while also saving resource consumption of the additional companion nodes in the network.
There has also been some work in Nomad upstream to allow for a distinction between "liveness" and "readiness", so we could flesh this out further in the future by writing a "readiness" check for the node which ensures it isn't forked, etc before allowing it to be added to the Consul service pool.