Closed (loungerider closed this issue 6 months ago)
👋 @loungerider The configuration looks correct to me. Can you verify from the ECS UI that the `CONSUL_GRPC_CACERT_PEM` environment variable is populated correctly?
Hi @Ganeshrockz, yes, I can confirm that `CONSUL_GRPC_CACERT_PEM` is set correctly.

We did some digging, looking at the example posted here https://github.com/hashicorp/terraform-aws-consul-ecs/tree/main/examples/locality-aware-routing and tracing the dev server config back to the module. We noticed that `verify_incoming` is only set for `tls.internal_rpc` and not in `tls.defaults`. Our server config has `verify_incoming` set in our `tls.defaults`. We tested moving this configuration from `tls.defaults` to `internal_rpc`, and the controller can now connect.

We thought that the server side `auto_encrypt` setting would automatically set the client side cert for the controller. Do you think this is a bug, or does using `tls.defaults.verify_incoming` require client side certs that `auto_encrypt` can't provide?

This is what our working consul agent config looks like:
```json
{
  "tls": {
    "defaults": {
      "verify_outgoing": true,
      "ca_file": "/consul/tls/certs/consul-agent-ca.pem",
      "cert_file": "/consul/tls/certs/server-consul-0.pem",
      "key_file": "/consul/tls/certs/server-consul-0-key.pem"
    },
    "internal_rpc": {
      "verify_incoming": true,
      "verify_server_hostname": true
    }
  },
  "encrypt": "${gossip_key}",
  "primary_datacenter": "${primary_datacenter}",
  "connect": {
    "enabled": true
  },
  "auto_encrypt": {
    "allow_tls": true
  },
  "ports": {
    "http": 8500,
    "https": 8501,
    "grpc_tls": 8503
  }
}
```
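The precedence behind the fix above (a per-listener `tls.<listener>` block overrides `tls.defaults` for that listener, so `verify_incoming` under `defaults` turns every listener, including `grpc_tls`, into mutual TLS) can be checked mechanically. The following lint is an added example, not code from the consul-ecs project; the two configs it runs over are constructed from the layouts discussed in this thread, and the `internal_rpc`/`https`/`grpc` listener names are the ones Consul's `tls` stanza accepts.

```python
"""Lint a Consul agent config for the failure in this thread: with
`tls.defaults.verify_incoming` set, the server demands a client certificate
on https and grpc too, which the ECS controller (CA only, via
CONSUL_GRPC_CACERT_PEM, no client cert) cannot present."""
import json

# Listener blocks that can override tls.defaults in a Consul agent config.
LISTENERS = ("internal_rpc", "https", "grpc")
# Listeners the ECS controller / dataplane reaches with server-auth-only TLS.
NO_CLIENT_CERT_LISTENERS = ("https", "grpc")


def effective_tls(config: dict) -> dict:
    """Return {listener: settings} after applying Consul's precedence:
    keys in tls.<listener> override the same keys in tls.defaults."""
    tls = config.get("tls", {})
    defaults = tls.get("defaults", {})
    return {name: {**defaults, **tls.get(name, {})} for name in LISTENERS}


def find_client_cert_requirements(config: dict) -> list:
    """Listeners on which the server will reject a peer that has no client
    cert; an empty list means the controller's gRPC connection can succeed."""
    eff = effective_tls(config)
    return [name for name in NO_CLIENT_CERT_LISTENERS
            if eff[name].get("verify_incoming", False)]


def lint_config_text(text: str) -> list:
    """Same check for a raw JSON agent config read from a file."""
    return find_client_cert_requirements(json.loads(text))


# Constructed: the failing layout, verify_incoming under tls.defaults.
BROKEN = {"tls": {"defaults": {"verify_incoming": True, "verify_outgoing": True,
                               "ca_file": "/consul/tls/certs/consul-agent-ca.pem"},
                  "internal_rpc": {"verify_server_hostname": True}},
          "auto_encrypt": {"allow_tls": True}}

# Constructed: the working layout, verify_incoming only on internal_rpc.
FIXED = {"tls": {"defaults": {"verify_outgoing": True,
                              "ca_file": "/consul/tls/certs/consul-agent-ca.pem"},
                 "internal_rpc": {"verify_incoming": True,
                                  "verify_server_hostname": True}},
         "auto_encrypt": {"allow_tls": True}}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, find_client_cert_requirements(cfg) or "ok")
```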
> We thought that the server side `auto_encrypt` setting would automatically set the client side cert for the controller.

This isn't a bug and is expected. Setting this configuration in the server doesn't affect the controller's configuration because it is independent (and there is no client agent in the ECS task, unlike the v0.6.x architecture).
Great, thanks!
Hello all, we are seeing the following TLS communication issue when deploying the ECS controller with TLS enabled.

Consul server version:

```
Consul v1.17.0
Revision 4e3f428b
Build Date 2023-11-03T14:56:56Z
Protocol 2 spoken by default, understands 2 to 3 (agent will automatically use protocol >2 when speaking to compatible agents)
```

ECS controller image:

```hcl
variable "consul_ecs_image" {
  description = "Consul ECS image to use in all tasks."
  type        = string
  default     = "hashicorp/consul-ecs:0.8.0"
}
```

The ECS controller is running as a Fargate task and we see the following error in the logs.

When running `consul monitor` with trace logging on the server we see the corresponding server side error.

We are passing the following to the controller.

Are we missing something on the client side configuration?