EngineerBetter / concourse-up

Deprecated - use Control Tower instead
https://github.com/EngineerBetter/control-tower
Apache License 2.0

Automatically add the web instance IP to `allow-ips` #53

Closed steveYeah closed 5 years ago

steveYeah commented 6 years ago

Hey, not sure if this is something that is very specific to the way we are working, so I thought it best to ask.

We have a self-pausing pipeline in concourse. To do so it uses fly to log in to concourse and check the status of a few things before pausing the pipeline or not. This was fine in testing until we added a firewall to the web instance using --allow-ips.

Would it be useful to automatically add the IP of the web instance when using this option? This means that I would only need to concourse-up once when creating a new instance rather than do it once to get everything up and running, then again to add the firewall settings.

Alternatively, are we doing it wrong? Is there another way to set the target on fly instead of using the external URL when it's running locally, or maybe not even use fly?

Thanks a lot!

DanielJonesEB commented 6 years ago

Seems like a reasonable idea - we often do the same on our Concourseseses (Conci?) and I can't see any harm in doing so.

steveYeah commented 6 years ago

Awesome, thanks @DanielJonesEB (I'd go with Conci 👍)

DanielJonesEB commented 6 years ago

@peterellisjones @crsimmons @takeyourhatoff Any ideas if workers route out through a NAT box, so they all have the same outbound IP?

steveYeah commented 6 years ago

@DanielJonesEB We had a stab at adding what we had in mind. Let us know if that looks OK, or if we missed anything 👍

peterellisjones commented 6 years ago

@DanielJonesEB yep it will route out through the NAT box provided the URL DNS maps to a public IP (which it will if it's CNAMEd to an ELB).

Another way to accomplish this is with split DNS: add a private hosted zone inside the VPC and add an A-record mapping the URL to the private IP of the ATC (10.0.0.7). All requests to the Concourse URL on the worker will then resolve to the private IP instead.

peterellisjones commented 6 years ago

@DanielJonesEB @steveYeah

A temporary workaround would be to hack your hosts file in any jobs that need to access the Concourse URL from inside the VPC:

echo "10.0.0.7 myconcourse-atc-url.com" >> /etc/hosts

steveYeah commented 6 years ago

@peterellisjones after working out it was routed through the NAT box, it was just a case of finding the IP for that and adding it to --allow-ips. The above PR does the same thing, but automatically.
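The fix this thread converges on is to add the NAT gateway's public IP to the allow-list, because fly running inside a worker container resolves the public Concourse URL and hairpins out through NAT, so the web instance sees the NAT address rather than the worker's private one. The following Go function is an added example of that merge step and is not code from concourse-up or from the PR referenced above. It assumes --allow-ips is a comma-separated list of bare IPs and/or CIDRs, and that the caller has already looked up the NAT gateway's public address (for example from the EC2 API); ensureAllowed and the sample addresses are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ensureAllowed merges the egress (NAT gateway) public IP into an --allow-ips
// style list. It is an illustrative function, not the concourse-up API.
//
// allowIPs: comma-separated entries, each a bare IP or a CIDR (assumed shape).
// egressIP: the public address in-VPC traffic leaves through.
//
// Every entry is validated so a typo fails loudly instead of silently opening
// or closing the firewall; bare IPs become /32 (or /128 for IPv6); CIDRs are
// normalised to their network address; duplicates are dropped; and the egress
// IP is appended only if no existing entry already covers it.
func ensureAllowed(allowIPs, egressIP string) ([]string, error) {
	egress := net.ParseIP(egressIP)
	if egress == nil {
		return nil, fmt.Errorf("egress IP %q is not a valid IP address", egressIP)
	}

	var out []string
	seen := map[string]bool{}
	covered := false

	for _, raw := range strings.Split(allowIPs, ",") {
		entry := strings.TrimSpace(raw)
		if entry == "" {
			continue
		}
		cidr := entry
		if !strings.Contains(entry, "/") {
			// Bare address: treat it as a single-host range.
			ip := net.ParseIP(entry)
			if ip == nil {
				return nil, fmt.Errorf("allow-ips entry %q is not an IP or CIDR", entry)
			}
			cidr = entry + hostSuffix(ip)
		}
		_, ipnet, err := net.ParseCIDR(cidr)
		if err != nil {
			return nil, fmt.Errorf("allow-ips entry %q: %w", entry, err)
		}
		if ipnet.Contains(egress) {
			covered = true
		}
		key := ipnet.String() // canonical form, e.g. 198.51.100.7/24 -> 198.51.100.0/24
		if !seen[key] {
			seen[key] = true
			out = append(out, key)
		}
	}

	if !covered {
		out = append(out, egress.String()+hostSuffix(egress))
	}
	return out, nil
}

// hostSuffix returns the single-host prefix length for the IP's family.
func hostSuffix(ip net.IP) string {
	if ip.To4() != nil {
		return "/32"
	}
	return "/128"
}

func main() {
	// Constructed sample: an operator's office range plus one admin host, and a
	// hypothetical NAT gateway Elastic IP (documentation addresses, RFC 5737).
	merged, err := ensureAllowed("203.0.113.5, 198.51.100.0/24", "192.0.2.10")
	if err != nil {
		panic(err)
	}
	fmt.Println("--allow-ips=" + strings.Join(merged, ","))
}
```

Two caveats worth keeping in mind when doing this. First, the entry you add is the NAT gateway's shared address, so anything egressing through that NAT (every worker, and every job container on them, including ones running pipeline code you do not fully trust) is then allowed through the web instance's firewall; inside the VPC those same containers can already reach the ATC's private address, so this does not widen exposure beyond the VPC, but it is not a per-host allow. Second, the entry goes stale if the NAT gateway's Elastic IP is ever replaced, whereas the split-DNS approach peterellisjones describes (a private hosted zone mapping the Concourse hostname to the ATC's private IP) keeps in-VPC traffic off the public path entirely and does not depend on the NAT address at all.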

peterellisjones commented 6 years ago

@steveYeah oops... For some reason I completely missed that this was a PR and responded to @DanielJonesEB's question from 5 days ago instead. LGTM

CC @DanielJonesEB @crsimmons @takeyourhatoff

steveYeah commented 6 years ago

😂 no worries 👍

crsimmons commented 5 years ago

We implemented this a few versions ago. See https://github.com/EngineerBetter/concourse-up/pull/54#issuecomment-412147066