mirror of https://github.com/hashicorp/consul
docs: Manual secure configuration for ECS
parent
5ccc1fdcca
commit
08c046b3b0
|
@ -9,7 +9,8 @@ description: >-
|
|||
# AWS ECS
|
||||
|
||||
Consul service mesh applications can be deployed on [AWS Elastic Container Service](https://aws.amazon.com/ecs/) (ECS)
|
||||
using our official Terraform modules.
|
||||
using either our official [Terraform modules](/docs/ecs/terraform/install) or without Terraform by [manually configuring
|
||||
the task definition](/docs/ecs/manual/install).
|
||||
|
||||
## Service Mesh
|
||||
|
||||
|
@ -37,4 +38,5 @@ There are several ways to get started with Consul with ECS.
|
|||
* The [Consul with Dev Server on Fargate](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/examples/dev-server-fargate) example installation deploys a sample application in ECS using the Fargate launch type.
|
||||
* The [Consul with Dev Server on EC2](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/examples/dev-server-ec2) example installation deploys a sample application in ECS using the EC2 launch type.
|
||||
|
||||
See the [Requirements](/docs/ecs/requirements) and the full [Install Guide](/docs/ecs/install) when you're ready to install Consul on an existing ECS cluster and add existing tasks to the service mesh.
|
||||
See the [Requirements](/docs/ecs/requirements) and then choose whether to [install with Terraform](/docs/ecs/terraform/install) or [install without Terraform](/docs/ecs/manual/install)
|
||||
when you're ready to install Consul on an existing ECS cluster and add tasks to the service mesh.
|
||||
|
|
|
@ -0,0 +1,213 @@
|
|||
---
|
||||
layout: docs
|
||||
page_title: ACL Controller - AWS ECS
|
||||
description: >-
|
||||
Manual Deployment of the ACL Controller for Consul Service Mesh on AWS ECS (Elastic Container Service).
|
||||
---
|
||||
|
||||
# Install the ACL Controller
|
||||
|
||||
This topic describes how to manually deploy the ACL controller to [automatically provision ACL tokens](/docs/ecs/architecture#automatic-acl-token-provisioning) for Consul on ECS.
|
||||
If you are using Terraform, refer to the [Terraform Secure Configuration](/docs/ecs/terraform/secure-configuration) page to deploy the ACL controller.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
* Your application tasks must include certain tags to be compatible with the ACL controller.
|
||||
Refer to the [Task Tags](/docs/ecs/manual/install#task-tags) section of the installation page.
|
||||
* You should be familiar with configuring Consul's secure features, including how to create ACL tokens and policies. Refer to the following [Learn Guides](https://learn.hashicorp.com/collections/consul/security) for an introduction and the [ACL system](/docs/security/acl) documentation for more information.
|
||||
|
||||
## Setup AWS Secrets Manager
|
||||
|
||||
The ACL controller supports managing secrets in AWS Secrets Manager.
|
||||
|
||||
Before deploying the ACL controller for the first time, you must [create the following secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html) from Consul in AWS Secrets Manager.
|
||||
|
||||
| Secret | Initial Value | Sample Secret Name |
|
||||
| --------------------- | -------------- | ------------------------------ |
|
||||
| Consul server CA cert | Set | `my-consul-ca-cert` |
|
||||
| Bootstrap ACL Token | Set | `my-consul-bootstrap-token` |
|
||||
| Consul Client ACL Token | Empty | `<PREFIX>-consul-client-token` |
|
||||
|
||||
The secret for the client token must be intially empty. The ACL controller creates the client token in Consul
|
||||
and stores the token in Secrets Manager. In the secret name, `<PREFIX>` should be replaced with the
|
||||
[secret name prefix](/docs/ecs/manual/acl-controller#secret-name-prefix) of your choice.
|
||||
|
||||
### Secret Name Prefix
|
||||
|
||||
The ACL controller requires that the secrets it reads and writes are named with a unique prefix. The name prefix is used
|
||||
in the [Task Role Policy](/docs/ecs/manual/acl-controller#task-role-policy) to limit the ACL controller's access within
|
||||
AWS Secrets Manager to only those secrets strictly needed by the ACL controller.
|
||||
|
||||
The name prefix should be unique among secrets your AWS account. We recommend a short (8 character) random
|
||||
string for the prefix.
|
||||
|
||||
-> **NOTE:** If you are using the ACL controller with multiple ECS clusters, each cluster requires
|
||||
its own instance of the ACL controller, and each instance of the ACL controller should have a unique
|
||||
name prefix.
|
||||
|
||||
## Task Definition
|
||||
|
||||
You must create a task definition to deploy the ACL controller in your ECS cluster.
|
||||
The ACL controller must run in the same ECS cluster hosting your service mesh application
|
||||
tasks.
|
||||
|
||||
The following example shows how the task definition should be configured for the ACL controller.
|
||||
|
||||
```json
|
||||
{
|
||||
"family": "my-consul-acl-controller".
|
||||
"networkMode": "awsvpc",
|
||||
"containerDefinitions": [
|
||||
{
|
||||
"name": "acl-controller",
|
||||
"image": "public.ecr.aws/hashicorp/consul-ecs:<CONSUL_ECS_VERSION>",
|
||||
"essential": true,
|
||||
"command": [
|
||||
"acl-controller",
|
||||
"-consul-client-secret-arn", "arn:aws:secretsmanager:us-west-2:000000000000:secret:<PREFIX>-consul-client-token",
|
||||
"-secret-name-prefix", "<PREFIX>",
|
||||
],
|
||||
"secrets": [
|
||||
{
|
||||
"name": "CONSUL_HTTP_TOKEN",
|
||||
"valueFrom": "arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-bootstrap-token"
|
||||
},
|
||||
{
|
||||
"name": "CONSUL_CACERT_PEM",
|
||||
"valueFrom": "arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-ca-cert"
|
||||
}
|
||||
],
|
||||
"environment": [
|
||||
{
|
||||
"name": "CONSUL_HTTP_ADDR",
|
||||
"value": "<Consul server HTTP API address>"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
You must include the following top-level fields.
|
||||
|
||||
| Field name | Type | Description |
|
||||
| ----------- | ------- | ---------------------------------------------------------------------------- |
|
||||
| `family` | string | The task family name of your choice. |
|
||||
| `networkMode` | string | Must be `awsvpc`, which is the only network mode supported by Consul on ECS. |
|
||||
|
||||
In the `containerDefinitions` list, include one container with the following fields.
|
||||
|
||||
| Field name | Type | Description |
|
||||
| ----------- | ------- | -------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| `name` | string | The container name, which should be `acl-controller` |
|
||||
| `image` | string | The `consul-ecs` image. Use our public AWS registry, `public.ecr.aws/hashicorp/consul-ecs`, to avoid rate limits. |
|
||||
| `command` | list | Must be set as shown. The startup command for the ACL controller. |
|
||||
| `essential` | boolean | Must be `true` to ensure the container health ties into the health of the task. |
|
||||
| `secrets` | list | Must have `CONSUL_HTTP_TOKEN` set to the ACL bootstrap token and `CONSUL_CACERT_PEM` set to the Consul server CA certificate. |
|
||||
| `environment` | string | Must set the `CONSUL_HTTP_ADDR` environment variable to the address of the HTTP API of your Consul servers. |
|
||||
|
||||
The following CLI options are required in the `command` field of the container definition.
|
||||
|
||||
| Flag | Type | Description |
|
||||
| --------------------------- | ------- | -------------------------------------------------------------------------------------------------------------------- |
|
||||
| `-consul-client-secret-arn` | string | The secret where the ACL controller will store the Consul client token. |
|
||||
| `-secret-name-prefix` | string | The [secret name prefix](/docs/ecs/manual/acl-controller#secret-name-prefix) that you chose for this ACL controller. |
|
||||
|
||||
## ECS Service
|
||||
|
||||
Once the task definition is created, define an ECS service in order to start an ACL controller task.
|
||||
|
||||
The following example contains the recommended settings for the ACL controller. Refer to
|
||||
the [ECS service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service_definition_parameters.html) documentation
|
||||
to complete the remaining details for your use case.
|
||||
|
||||
```json
|
||||
{
|
||||
"cluster": "<Your ECS cluster ARN>"
|
||||
"desiredCount": 1,
|
||||
"launchType": "FARGATE",
|
||||
"serviceName": "my-acl-controller",
|
||||
"taskDefinition": "<task definition ARN>",
|
||||
...
|
||||
}
|
||||
```
|
||||
|
||||
| Field name | Type | Description |
|
||||
| ---------------- | ------- | ---------------------------------------------------------------------------------------------------------------- |
|
||||
| `cluster` | string | Set to your ECS cluster name or ARN. This must be the same ECS cluster where your service mesh applications run. |
|
||||
| `desiredCount` | integer | Must be 1. Only one instance of the ACL controller should run per ECS cluster. |
|
||||
| `launchType` | string | Consul on ECS supports both the `FARGATE` and `EC2` launch types. |
|
||||
| `serviceName` | string | The service name of your choice. |
|
||||
| `taskDefinition` | string | Must be set to the ACL controller [task definition](/docs/ecs/manual/acl-controller#task-definition). |
|
||||
|
||||
## AWS IAM Roles
|
||||
|
||||
The ECS task and execution roles must be configured to allow the ACL controller access
|
||||
to the ECS API and Secrets Manager API.
|
||||
|
||||
### Task Role Policy
|
||||
|
||||
The following example shows the policy needed for the ECS task role for the ACL controller.
|
||||
This grants the ACL controller permission to list tasks, describe tasks, and read and update
|
||||
secrets.
|
||||
|
||||
```json
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"ecs:ListTasks",
|
||||
"ecs:DescribeTasks"
|
||||
],
|
||||
"Resource": ["*"]
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"secretsmanager:GetSecretValue",
|
||||
"secretsmanager:UpdateSecret"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:secretsmanager:us-west-2:000000000000:secret:<PREFIX>-*"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
The following are the required permissions. You will need to substitute `<PREFIX>` with your chosen [name prefix](/docs/ecs/manual/acl-controller#secret-name-prefix).
|
||||
|
||||
| Action | Resource | Description |
|
||||
| ------------------------------- | ----------------------------------------------------------------- | ---------------------------------------------------------------------------------- |
|
||||
| `ecs:ListTasks` | `*` | Allow the ACL controller to watch for new tasks. |
|
||||
| `ecs:DescribeTasks` | `*` | Allow the ACL controller to retrieve details for new tasks. |
|
||||
| `secretsmanager:GetSecretValue` | `arn:aws:secretsmanager:us-west-2:000000000000:secret:<PREFIX>-*` | Allow the ACL controller to read secrets with a name prefix. |
|
||||
| `secretsmanager:UpdateSecret` | `arn:aws:secretsmanager:us-west-2:000000000000:secret:<PREFIX>-*` | Allow the ACL controller to store Consul ACL tokens in secrets with a name prefix. |
|
||||
|
||||
### Execution Role Policy
|
||||
|
||||
The following IAM policy document allows ECS to retrieve secrets needed
|
||||
to start the ACL controller task from AWS Secrets Manager, including the ACL
|
||||
bootstrap token.
|
||||
|
||||
The following example shows the policy needed for the execution role.
|
||||
|
||||
```json
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"secretsmanager:GetSecretValue"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-bootstrap-token",
|
||||
"arn:aws:secretsmanager:us-west-2:000000000000:secret:<PREFIX>-consul-client-token"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
|
@ -7,7 +7,7 @@ description: >-
|
|||
|
||||
# Manual Installation
|
||||
|
||||
The following instructions describe how to manually create the ECS task definition using the [`consul-ecs` Docker image](https://gallery.ecr.aws/hashicorp/consul-ecs) without Terraform. Refer to the [Consul ECS Terraform module](/docs/ecs/install) documentation for an alternative method for installing Consul on ECS.
|
||||
The following instructions describe how to manually create the ECS task definition using the [`consul-ecs` Docker image](https://gallery.ecr.aws/hashicorp/consul-ecs) without Terraform. Refer to the [Consul ECS Terraform module](/docs/ecs/terraform/install) documentation for an alternative method for installing Consul on ECS.
|
||||
|
||||
This topic does not include instructions for creating all AWS resources necessary to install Consul, such as a VPC or the ECS cluster. Refer to the linked guides in the [Getting Started](/docs/ecs#getting-started) section for complete, runnable examples.
|
||||
|
||||
|
@ -47,6 +47,16 @@ during task startup.
|
|||
}
|
||||
],
|
||||
"containerDefinitions": [...]
|
||||
"tags": [
|
||||
{
|
||||
"key": "consul.hashicorp.com/mesh",
|
||||
"value": "true"
|
||||
},
|
||||
{
|
||||
"key": "consul.hashicorp.com/service-name",
|
||||
"value": "example-client-app"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
|
@ -57,6 +67,16 @@ during task startup.
|
|||
| `volumes` | list | Must be defined as shown above. Volumes are used to share configuration between containers for intial task setup. |
|
||||
| `containerDefinitions` | list | The list of containers to run in this task (see [Application container](#application-container)). |
|
||||
|
||||
### Task Tags
|
||||
|
||||
The `tags` list must include the following if you are using the ACL controller in a [secure configuration](/docs/manual/secure-configuration).
|
||||
Without these tags, the ACL controller will be unable to provision a service token for the task.
|
||||
|
||||
| Tag Key | Tag Value | Description |
|
||||
| ----------------------------------- | ------------------- | -------------------------------------------------------------------------------------------------------------------------- |
|
||||
| `consul.hashicorp.com/mesh` | `true` (string) | The ACL controller ignores tasks without this tag set to `true`. |
|
||||
| `consul.hashicorp.com/service-name` | Consul service name | Specifies the Consul service associated with this task. Required if the service name is different than the task `family`. |
|
||||
|
||||
## Application container
|
||||
|
||||
First, include your application container in the `containerDefinitions` list
|
||||
|
@ -339,13 +359,13 @@ configuration to a shared volume.
|
|||
|
||||
</CodeBlockConfig>
|
||||
|
||||
| Field name | Type | Description |
|
||||
| ----------- | ------- | ------------------------------------------------------------------------------------------------------------------- |
|
||||
| `name` | string | The container name should be `consul-ecs-mesh-init`. |
|
||||
| `image` | string | The `consul-ecs` image. Use our public AWS registry, `public.ecr.aws/hashicorp/consul-ecs`, to avoid rate limits. |
|
||||
| `mountPoints` | list | Must be set as show above, so the `consul` and `consul-ecs` binaries can be shared among containers for task setup. |
|
||||
| `command` | list | Set the `["mesh-init"]` so that the container runs the `consul-ecs mesh-init` command. |
|
||||
| `environment` | list | This must include the [`CONSUL_ECS_CONFIG_JSON`](/docs/ecs/manual-installation#consul_ecs_config_json) variable. See below for details. |
|
||||
| Field name | Type | Description |
|
||||
| ----------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| `name` | string | The container name should be `consul-ecs-mesh-init`. |
|
||||
| `image` | string | The `consul-ecs` image. Use our public AWS registry, `public.ecr.aws/hashicorp/consul-ecs`, to avoid rate limits. |
|
||||
| `mountPoints` | list | Must be set as show above, so the `consul` and `consul-ecs` binaries can be shared among containers for task setup. |
|
||||
| `command` | list | Set to `["mesh-init"]` so that the container runs the `consul-ecs mesh-init` command. |
|
||||
| `environment` | list | This must include the [`CONSUL_ECS_CONFIG_JSON`](/docs/ecs/manual-installation#consul_ecs_config_json) variable. See below for details. |
|
||||
|
||||
### `CONSUL_ECS_CONFIG_JSON`
|
||||
|
||||
|
@ -529,3 +549,4 @@ and `consul-ecs-mesh-init` containers.
|
|||
|
||||
* Create the task definition using the [AWS Console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html) or the [AWS CLI](https://docs.aws.amazon.com/cli/latest/reference/ecs/register-task-definition.html), or another method of your choice.
|
||||
* Create an [ECS Service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html) to start tasks using the task definition.
|
||||
* Follow the [Secure Configration](/docs/ecs/manual/secure-configuration) to get production-ready.
|
|
@ -0,0 +1,215 @@
|
|||
---
|
||||
layout: docs
|
||||
page_title: Secure Configuration - AWS ECS
|
||||
description: >-
|
||||
Manual Secure Confguration of the Consul Service Mesh on AWS ECS (Elastic Container Service).
|
||||
---
|
||||
|
||||
# Secure Configuration
|
||||
|
||||
For a production-ready installation of Consul on ECS, you will need to make sure that the cluster is secured.
|
||||
A secure Consul cluster should include the following:
|
||||
|
||||
1. [TLS Encryption](/docs/security/encryption#rpc-encryption-with-tls) for RPC communication between Consul clients and servers.
|
||||
1. [Gossip Encryption](/docs/security/encryption#gossip-encryption) for encrypting gossip traffic.
|
||||
1. [Access Control (ACLs)](/docs/security/acl) for authentication and authorization for Consul clients and services on the mesh.
|
||||
|
||||
-> **NOTE:** This page assumes that you have already configured your Consul server with the above features.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
* You should already have followed the [installation instructions](/docs/ecs/manual/install) to understand how to define
|
||||
the necessary components of the task definition for Consul on ECS.
|
||||
* You should be familiar with [specifying sensitive data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) on ECS.
|
||||
* You should be familiar with configuring Consul's secure features, including how to create ACL tokens and policies. Refer to the following [Learn Guides](https://learn.hashicorp.com/collections/consul/security) for an introduction and the [ACL system](/docs/security/acl) documentation for more information.
|
||||
|
||||
## ACL Tokens
|
||||
|
||||
You must create two types of ACL tokens for Consul on ECS:
|
||||
|
||||
* **Client tokens:** used by the `consul-client` containers to join the Consul cluster
|
||||
* **Service tokens:** used by sidecar containers for service registration and health syncing
|
||||
|
||||
The following sections describe the ACL polices which must be associated with these token types.
|
||||
|
||||
-> **NOTE:** This section describes how operators would create ACL tokens by hand. To ease operator
|
||||
burden, the ACL Controller can automatically create ACL tokens for Consul on ECS. Refer to the
|
||||
[ACL Controller](/docs/manual/acl-controller) page for installation details.
|
||||
|
||||
### Create Consul client token
|
||||
|
||||
You must create a token for the Consul client. This is a shared token used by the `consul-client`
|
||||
containers to join the Consul cluster.
|
||||
|
||||
The following is the ACL policy needed for the Consul client token:
|
||||
|
||||
```hcl
|
||||
node_prefix "" {
|
||||
policy = "write"
|
||||
}
|
||||
service_prefix "" {
|
||||
policy = "read"
|
||||
}
|
||||
```
|
||||
|
||||
This policy allows `node:write` for any node name, which is necessary because the Consul node
|
||||
names on ECS are not known until runtime.
|
||||
|
||||
### Create service tokens
|
||||
|
||||
Service tokens should be associated with a [service identity](https://www.consul.io/docs/security/acl/acl-system#acl-service-identities).
|
||||
The service identity includes `service:write` permissions for the service and sidecar proxy.
|
||||
|
||||
The following example shows how to use the Consul CLI to create a service token for a service named `example-client-app`:
|
||||
|
||||
```shell
|
||||
consul acl token create -service-identity=example-client-app ...
|
||||
```
|
||||
|
||||
-> **NOTE**: You will need to create one service token for each registered Consul service in ECS,
|
||||
including when new services are added to the service mesh.
|
||||
|
||||
## Secret storage
|
||||
|
||||
You should securely store the following secrets in order to make them available to ECS tasks.
|
||||
|
||||
1. Consul Server CA certificate
|
||||
2. Consul gossip encryption key
|
||||
3. Consul client ACL token
|
||||
4. Consul service ACL tokens (one per service)
|
||||
|
||||
These secrets can be securely stored and passed to ECS tasks using either of the following AWS secret services:
|
||||
|
||||
* [AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-parameters.html)
|
||||
* [AWS Secrets Manager](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-secrets.html)
|
||||
|
||||
Once the secrets are stored they can be referenced using their ARN. The following shows
|
||||
example secret ARNs when using AWS Secrets Manager:
|
||||
|
||||
| Secret | Sample Secret ARN |
|
||||
| ---------------------- | ---------------------------------------------------------------------------------- |
|
||||
| Consul Server CA Cert | `arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-ca-cert` |
|
||||
| Gossip encryption key | `arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-gossip-key` |
|
||||
| Client token | `arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-client-token` |
|
||||
| Service token | `arn:aws:secretsmanager:us-west-2:000000000000:secret:my-example-client-app-token` |
|
||||
|
||||
## Configure `consul-client`
|
||||
|
||||
The following secrets must be passed to the `consul-client` container:
|
||||
|
||||
* Consul server CA certificate
|
||||
* Gossip encryption key
|
||||
* Consul client ACL token
|
||||
|
||||
The following example shows how to include these secrets in the task definition. The `secrets`
|
||||
list specifies environment variable `name`s that will be set to the secret values for this container.
|
||||
ECS automatically fetches the secret values specified in the `valueFrom` fields during task provisioning.
|
||||
|
||||
```json
|
||||
{
|
||||
"containerDefinitions": [
|
||||
{
|
||||
"name": "consul-client"
|
||||
"image": "public.ecr.aws/hashicorp/consul:<CONSUL_VERSION>",
|
||||
"secrets": [
|
||||
{
|
||||
"name": "CONSUL_CACERT",
|
||||
"valueFrom": "arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-ca-cert"
|
||||
},
|
||||
{
|
||||
"name": "CONSUL_GOSSIP_ENCRYPTION_KEY",
|
||||
"valueFrom": "arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-gossip-key"
|
||||
},
|
||||
{
|
||||
"name": "AGENT_TOKEN",
|
||||
"valueFrom": "arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-client-token"
|
||||
}
|
||||
]
|
||||
},
|
||||
...
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
Next, update Consul configuration options to pass the secrets to the Consul client.
|
||||
|
||||
The following is an example of the *additional* content to include in the `consul-client` startup script. Refer to the [install
|
||||
page](/docs/ecs/manual/install#consul-client-container) for the remainder of the startup script and how to pass this
|
||||
script to the container.
|
||||
|
||||
<CodeBlockConfig highlight="3-4,10-29">
|
||||
|
||||
```shell
|
||||
...
|
||||
|
||||
# Write the CA Cert to a file
|
||||
echo "$CONSUL_CACERT" > /tmp/consul-ca-cert.pem
|
||||
|
||||
# Write the Consul agent configuration file.
|
||||
cat << EOF > /consul/agent-defaults.hcl
|
||||
...
|
||||
|
||||
# Configure gossip encryption key
|
||||
encrypt = "$CONSUL_GOSSIP_ENCRYPTION_KEY"
|
||||
|
||||
# Configure TLS settings
|
||||
auto_encrypt = {
|
||||
tls = true
|
||||
ip_san = ["$ECS_IPV4"]
|
||||
}
|
||||
ca_file = "/tmp/consul-ca-cert.pem"
|
||||
verify_outgoing = true
|
||||
|
||||
# Configure ACLs
|
||||
acl {
|
||||
enabled = true
|
||||
default_policy = "deny"
|
||||
down_policy = "async-cache"
|
||||
tokens {
|
||||
agent = "$AGENT_TOKEN"
|
||||
}
|
||||
}
|
||||
|
||||
EOF
|
||||
```
|
||||
|
||||
</CodeBlockConfig>
|
||||
|
||||
The following are the additional fields that must be included in the Consul client configuration file.
|
||||
|
||||
| Field name | Type | Description |
|
||||
| --------------------------------------------------------- | ------- | ------------------------------------------------------------------------------------ |
|
||||
| [`encrypt`](/docs/agent/options#_encrypt) | string | Specifies the gossip encryption key |
|
||||
| [`ca_file`](/docs/agent/options#ca_file) | string | Specifies the Consul server CA cert for TLS verification. |
|
||||
| [`acl.enabled`](/docs/agent/options#acl_enabled) | boolen | Enable ACLs for this agent. |
|
||||
| [`acl.tokens.agent`](/docs/agent/options#acl_tokens_agent) | string | Specifies the Consul client token which authorizes this agent with Consul servers. |
|
||||
|
||||
## Configure `consul-ecs-mesh-init` and `consul-ecs-health-sync`
|
||||
|
||||
Both `consul-ecs-mesh-init` and `consul-ecs-health-sync` containers need to be configured with
|
||||
the service ACL token. This allows these containers to make HTTP API requests to the local
|
||||
Consul client for service registration and health syncing.
|
||||
|
||||
The following shows how to set the `CONSUL_HTTP_TOKEN` variable to the service token for the `example-client-app` service,
|
||||
if the token is stored in AWS Secrets Manager.
|
||||
|
||||
<CodeBlockConfig highlight="5-8">
|
||||
|
||||
```json
|
||||
{
|
||||
"containerDefinitions": [
|
||||
{
|
||||
"secrets": [
|
||||
{
|
||||
"name": "CONSUL_HTTP_TOKEN",
|
||||
"valueFrom": "arn:aws:secretsmanager:us-west-2:000000000000:secret:my-example-client-app-token"
|
||||
}
|
||||
]
|
||||
},
|
||||
...
|
||||
],
|
||||
...
|
||||
}
|
||||
```
|
||||
|
||||
</CodeBlockConfig>
|
|
@ -15,9 +15,9 @@ The following requirements must be met in order to install Consul on ECS:
|
|||
1. **ACL Controller:** If you are running a secure Consul installation with ACLs enabled, configure the ACL controller.
|
||||
1. **Sidecar containers:** Consul on ECS requires two sidecar containers to run in each ECS task: a
|
||||
Consul agent container and a sidecar proxy container. These additional sidecar containers must
|
||||
be included in the ECS task definition. The [Consul ECS Terraform module](/docs/ecs/install)
|
||||
be included in the ECS task definition. The [Consul ECS Terraform module](/docs/ecs/terraform/install)
|
||||
will include these sidecar containers for you. If you do not use Terraform, you can construct
|
||||
the task definition yourself by following [our documentation](/docs/ecs/manual-installation).
|
||||
the task definition yourself by following [our documentation](/docs/ecs/manual/install).
|
||||
1. **Routing:** With your application running in tasks as part of the mesh, you must specify the
|
||||
upstream services that your application calls. You will also need to change the URLs your
|
||||
application uses to ensure the application is making requests through the service mesh.
|
||||
|
|
|
@ -268,7 +268,7 @@ python manage.py runserver "127.0.0.1:8080"
|
|||
|
||||
## Next Steps
|
||||
|
||||
- Configure a secure [Production Installation](/docs/ecs/production-installation).
|
||||
- Follow the [Secure Configuration](/docs/ecs/secure-configuration) to get production-ready.
|
||||
- Now that your applications are running in the service mesh, read about
|
||||
other [Service Mesh features](/docs/connect).
|
||||
- View the [Architecture](/docs/ecs/architecture) documentation to understand
|
|
@ -90,7 +90,7 @@ module "my_task" {
|
|||
}
|
||||
]
|
||||
|
||||
port = "9090"
|
||||
port = 9090
|
||||
retry_join = ["<address of the Consul server>"]
|
||||
}
|
||||
```
|
||||
|
@ -111,5 +111,5 @@ resource.
|
|||
|
||||
Now that your task(s) are migrated to the `mesh-task` module,
|
||||
|
||||
- Start at the [ECS Service section](/docs/ecs/install#ecs-service) of the Installation Guide to continue installing Consul on ECS.
|
||||
- Start at the [ECS Service section](/docs/ecs/terraform/install#ecs-service) of the Installation Guide to continue installing Consul on ECS.
|
||||
- Refer to the [`mesh-task` reference documentation](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/mesh-task?tab=inputs) for all available inputs to your mesh tasks.
|
|
@ -1,11 +1,11 @@
|
|||
---
|
||||
layout: docs
|
||||
page_title: Production Installation - AWS ECS
|
||||
page_title: Secure Configuration - AWS ECS
|
||||
description: >-
|
||||
Production Installation of the Consul Service Mesh on AWS ECS (Elastic Container Service).
|
||||
Secure Configuration of the Consul Service Mesh on AWS ECS (Elastic Container Service) with Terraform.
|
||||
---
|
||||
|
||||
# Production Installation
|
||||
# Secure Configuration
|
||||
|
||||
For a production-ready installation of Consul on ECS, you will need to make sure that the cluster is secured.
|
||||
A secure Consul cluster should include the following:
|
||||
|
@ -68,7 +68,7 @@ deploying this controller.
|
|||
## Deploy Services
|
||||
|
||||
Once the ACL controller is up and running, you will be able to deploy services on the mesh using the [`mesh-task` module](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/mesh-task).
|
||||
Start with the basic configuration for the [Task Module](/docs/ecs/install#task-module) and specify additional settings to make the configuration production-ready.
|
||||
Start with the basic configuration for the [Task Module](/docs/ecs/terraform/install#task-module) and specify additional settings to make the configuration production-ready.
|
||||
|
||||
First, you will need to create an AWS Secrets Manager secret for the gossip encryption key that the Consul clients
|
||||
should use.
|
||||
|
@ -104,5 +104,5 @@ module "my_task" {
|
|||
}
|
||||
```
|
||||
|
||||
Now you can deploy your services! Follow the rest of the steps in the [Installation instructions](/docs/ecs/install#task-module)
|
||||
Now you can deploy your services! Follow the rest of the steps in the [Installation instructions](/docs/ecs/terraform/install#task-module)
|
||||
to deploy and connect your services.
|
|
@ -612,16 +612,38 @@
|
|||
"path": "ecs/requirements"
|
||||
},
|
||||
{
|
||||
"title": "Installation with Terraform",
|
||||
"path": "ecs/install"
|
||||
"title": "Install with Terraform",
|
||||
"routes": [
|
||||
{
|
||||
"title": "Installation",
|
||||
"path": "ecs/terraform/install"
|
||||
},
|
||||
{
|
||||
"title": "Secure Configuration",
|
||||
"path": "ecs/terraform/secure-configuration"
|
||||
},
|
||||
{
|
||||
"title": "Migrate Existing Tasks",
|
||||
"path": "ecs/terraform/migrate-existing-tasks"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"title": "Production Installation",
|
||||
"path": "ecs/production-installation"
|
||||
},
|
||||
{
|
||||
"title": "Migrate Existing Tasks",
|
||||
"path": "ecs/migrate-existing-tasks"
|
||||
"title": "Install Manually",
|
||||
"routes": [
|
||||
{
|
||||
"title": "Installation",
|
||||
"path": "ecs/manual/install"
|
||||
},
|
||||
{
|
||||
"title": "Secure Configuration",
|
||||
"path": "ecs/manual/secure-configuration"
|
||||
},
|
||||
{
|
||||
"title": "ACL Controller",
|
||||
"path": "ecs/manual/acl-controller"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"title": "Architecture",
|
||||
|
@ -630,10 +652,6 @@
|
|||
{
|
||||
"title": "Consul Enterprise",
|
||||
"path": "ecs/enterprise"
|
||||
},
|
||||
{
|
||||
"title": "Manual Installation",
|
||||
"path": "ecs/manual-installation"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
|
Loading…
Reference in New Issue