mirror of https://github.com/hashicorp/consul
docs: Fixes to ECS manual secure configuration
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
pull/11825/head
parent 08c046b3b0
commit 8c8292a9d1
@ -38,5 +38,6 @@ There are several ways to get started with Consul with ECS.
* The [Consul with Dev Server on Fargate](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/examples/dev-server-fargate) example installation deploys a sample application in ECS using the Fargate launch type.
* The [Consul with Dev Server on EC2](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/examples/dev-server-ec2) example installation deploys a sample application in ECS using the EC2 launch type.

See the [Requirements](/docs/ecs/requirements) and then choose whether to [install with Terraform](/docs/ecs/terraform/install) or [install without Terraform](/docs/ecs/manual/install)
when you're ready to install Consul on an existing ECS cluster and add tasks to the service mesh.
Refer to the [Requirements](/docs/ecs/requirements) and use one of the following sets of instructions when you're ready to install Consul on an existing ECS cluster and add tasks to the service mesh:
* [Install with Terraform](/docs/ecs/terraform/install)
* [Install Manually](/docs/ecs/manual/install)
@ -16,7 +16,7 @@ If you are using Terraform, refer to the [Terraform Secure Configuration](/docs/
Refer to the [Task Tags](/docs/ecs/manual/install#task-tags) section of the installation page.
* You should be familiar with configuring Consul's secure features, including how to create ACL tokens and policies. Refer to the following [Learn Guides](https://learn.hashicorp.com/collections/consul/security) for an introduction and the [ACL system](/docs/security/acl) documentation for more information.

## Setup AWS Secrets Manager
## Set Up Secrets

The ACL controller supports managing secrets in AWS Secrets Manager.
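Review bot: renaming the heading from `## Setup AWS Secrets Manager` to `## Set Up Secrets` changes the section anchor, so any link that targets the old `#setup-aws-secrets-manager` fragment elsewhere in the ECS docs will break. Search for references to the old anchor and update them, or keep "AWS Secrets Manager" in the heading, since the first sentence of the section still says that is where the secrets live.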
@ -38,7 +38,7 @@ The ACL controller requires that the secrets it reads and writes are named with
in the [Task Role Policy](/docs/ecs/manual/acl-controller#task-role-policy) to limit the ACL controller's access within
AWS Secrets Manager to only those secrets strictly needed by the ACL controller.

The name prefix should be unique among secrets your AWS account. We recommend a short (8 character) random
The name prefix should be unique among secrets in your AWS account. We recommend using a short (8 character) random
string for the prefix.

-> **NOTE:** If you are using the ACL controller with multiple ECS clusters, each cluster requires
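Review bot: the rewritten sentence still reads `(8 character) random`; as a compound modifier it should be hyphenated: `We recommend using a short (8-character) random string for the prefix.` The added `in` and `using` otherwise fix the grammar of the original line.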
@ -55,7 +55,7 @@ The following example shows how the task definition should be configured for the

```json
{
"family": "my-consul-acl-controller".
"family": "my-consul-acl-controller",
"networkMode": "awsvpc",
"containerDefinitions": [
{
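Review bot: the `.` after `"my-consul-acl-controller"` was a real JSON syntax error, so a reader who pasted the example into `aws ecs register-task-definition` would have had it rejected; the change to `,` is correct. Because the rest of the block is outside this hunk, run the full example through a JSON validator (for example `python -m json.tool`) before merging to catch any other stray punctuation.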
@ -102,7 +102,7 @@ In the `containerDefinitions` list, include one container with the following fie
| `name` | string | The container name, which should be `acl-controller` |
| `image` | string | The `consul-ecs` image. Use our public AWS registry, `public.ecr.aws/hashicorp/consul-ecs`, to avoid rate limits. |
| `command` | list | Must be set as shown. The startup command for the ACL controller. |
| `essential` | boolean | Must be `true` to ensure the container health ties into the health of the task. |
| `essential` | boolean | Must be `true` to ensure the health of your application container affects the health status of the task. |
| `secrets` | list | Must have `CONSUL_HTTP_TOKEN` set to the ACL bootstrap token and `CONSUL_CACERT_PEM` set to the Consul server CA certificate. |
| `environment` | string | Must set the `CONSUL_HTTP_ADDR` environment variable to the address of the HTTP API of your Consul servers. |
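Review bot: the new `essential` description is wrong for this table. The `name` row says this container is `acl-controller`, so "ensure the health of your application container affects the health status of the task" refers to the wrong container and looks copied from the application container table. Suggest: `Must be \`true\` to ensure the health of the ACL controller container affects the health status of the task.` Separately, the unchanged `environment` row gives the type as `string`, but ECS container definitions take `environment` as a list of name/value objects, so that row should say `list`.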
@ -135,7 +135,7 @@ to complete the remaining details for your use case.
| Field name | Type | Description |
| ---------------- | ------- | ---------------------------------------------------------------------------------------------------------------- |
| `cluster` | string | Set to your ECS cluster name or ARN. This must be the same ECS cluster where your service mesh applications run. |
| `desiredCount` | integer | Must be 1. Only one instance of the ACL controller should run per ECS cluster. |
| `desiredCount` | integer | Must be `1`. Only one instance of the ACL controller should run per ECS cluster. |
| `launchType` | string | Consul on ECS supports both the `FARGATE` and `EC2` launch types. |
| `serviceName` | string | The service name of your choice. |
| `taskDefinition` | string | Must be set to the ACL controller [task definition](/docs/ecs/manual/acl-controller#task-definition). |
@ -112,11 +112,11 @@ this task and the service mesh.
}
```

| Field name | Type | Description |
| ----------- | ------- | -------------------------------------------------------------------------------------------------------------------------------- |
| `name` | string | The name of your application container. |
| `image` | string | The container image used to run your application. |
| `essential` | boolean | Must be `true` to ensure your application container ties into the health of the task. |
| Field name | Type | Description |
| ----------- | ------- | -------------------------------------------------------------------------------------------------------------------------------- |
| `name` | string | The name of your application container. |
| `image` | string | The container image used to run your application. |
| `essential` | boolean | Must be `true` to ensure the health of your application container affects the health status of the task. |
| `dependsOn` | list | Must be set as shown above. Container dependencies ensure your application container starts after service mesh setup is complete. |

See the [ECS Task Definition](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html) documentation for a complete reference.
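Review bot: the new `dependsOn` row says only "Must be set as shown above", which leaves the reader to work out from the JSON which container the dependency is on. Consider naming it, as the `sidecar-proxy` table's `dependsOn` row does, e.g. "Must be set as shown above so that your application container starts only after the `consul-ecs-mesh-init` container has completed." That also makes the row useful to someone reading the table without the example in view.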
@ -185,7 +185,7 @@ The following table describes the necessary configuration settings.
| ------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `name` | string | The container name, which must be `sidecar-proxy`. |
| `image` | string | The Envoy image. This must be a [supported version of Envoy](/docs/connect/proxies/envoy#supported-versions). |
| `dependsOn` | list | Must be set as shown above to ensure Envoy starts after the `consul-ecs-mesh-init` has written the `envoy-bootstrap.json` config file for Envoy. |
| `dependsOn` | list | Must be set as shown above to ensure Envoy starts after the `consul-ecs-mesh-init` container has written the `envoy-bootstrap.json` config file for Envoy. |
| `healthCheck` | list | Must be set as shown above to monitor the health of Envoy's primary listener port, which ties into container dependencies and startup ordering. |
| `mountPoints` | list | Must be set as shown above to access the files shared in the `/consul` directory, like the Envoy bootstrap configuration file and the `consul-ecs` binary. |
| `ulimits` | list | The `nofile` ulimit must be raised to a sufficiently high value so that Envoy does not fail to open sockets. |
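Review bot: the wording fix ("the `consul-ecs-mesh-init` container") is good. While this table is being edited, the unchanged `healthCheck` row two lines below gives the type as `list`; in an ECS container definition `healthCheck` is an object whose `command` member is the list (alongside `interval`, `timeout`, `retries`), so that row should say `object`.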
@ -400,7 +400,7 @@ the `consul-ecs-health-sync` container.

| Field name | Type | Description |
| ---------------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------- |
| `bootstrapDir` | string | This is the path of a shared volume the is mounted to other containers, where `consul-ecs-mesh-init` will write out Envoy configuration. |
| `bootstrapDir` | string | This is the path of a shared volume that is mounted to other containers, where `consul-ecs-mesh-init` will write out Envoy configuration. |
| `healthSyncContainers` | list | Used for [health status syncing](/docs/ecs/manual-installation#consul-ecs-health-sync-container) from ECS to Consul. See below for details. |
| `proxy.upstreams` | list | The upstream services that your application calls over the service mesh, if any. The `destinationName` and `localBindPort` fields are required. |
| `service.name` | string | The name used to register this service into the Consul service catalog. |
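Review bot: the unchanged `healthSyncContainers` row still links to `/docs/ecs/manual-installation#consul-ecs-health-sync-container`, while every other link in this change points at the manual install page as `/docs/ecs/manual/install`. That path looks stale; update it to the new location and confirm the `#consul-ecs-health-sync-container` anchor still exists on the renamed page.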
@ -14,7 +14,7 @@ A secure Consul cluster should include the following:
1. [Gossip Encryption](/docs/security/encryption#gossip-encryption) for encrypting gossip traffic.
1. [Access Control (ACLs)](/docs/security/acl) for authentication and authorization for Consul clients and services on the mesh.

-> **NOTE:** This page assumes that you have already configured your Consul server with the above features.
-> **NOTE:** In this topic, we assume that you have already configured your Consul server with the security-related features.

## Prerequisites
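Review bot: the new note text loses the explicit reference to the numbered list directly above it; "the security-related features" is vaguer than the original "the above features", and the whole page is about security-related features. Suggest: `-> **NOTE:** In this topic, we assume that you have already configured your Consul server with the features listed above.` so the reader knows exactly which items are prerequisites rather than something this page walks through.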
@ -175,7 +175,7 @@ EOF

</CodeBlockConfig>

The following are the additional fields that must be included in the Consul client configuration file.
The following table describes the additional fields that must be included in the Consul client configuration file.

| Field name | Type | Description |
| --------------------------------------------------------- | ------- | ------------------------------------------------------------------------------------ |
@ -77,6 +77,7 @@ The following fields are required. Refer to the [module reference documentation]
| `version` | string | Must be set to the version of the `mesh-task` module. |
| `family` | string | The [ECS task definition family](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#family). The family is also used as the Consul service name by default. |
| `container_definitions` | list | This is the list of [container definitions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definitions) for the task definition. This is where you include your application containers. |
| `essential` | boolean | Must be `true` to ensure the health of your application container affects the health status of the task. |
| `port` | integer | The port that your application listens on, if any. If your application does not listen on a port, set `outbound_only = true`. |
| `retry_join` | list | The is the [`retry_join`](/docs/agent/options#_retry_join) option for the Consul agent, which specifies the locations of your Consul servers. |
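Review bot: the added `essential` row looks out of place in this table. The surrounding rows (`version`, `family`, `container_definitions`, `port`, `retry_join`) are input variables of the `mesh-task` Terraform module, whereas `essential` is a field set inside each entry of `container_definitions`, not a module input; unless the module really exposes an `essential` variable, fold the guidance into the `container_definitions` description instead, e.g. "Each application container definition should set `essential` to `true` so that its health affects the health status of the task." Also, the unchanged `retry_join` row begins "The is the", which should read "This is the", an easy fix to include in this typo pass.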