Open Ardiea opened 9 months ago
Gotchas with ECS / Traefik / Vault
- `VAULT_LOCAL_CONFIG`, which if you populate it with JSON, the entrypoint.sh script will dump into `$VAULT_CONFIG/local.json` for you. Easy peasy.
- `--providers.ecs.autoDiscoverClusters=True`, but we don't want it to do any discovery within those clusters besides the one it is running in. Restrict that with `--providers.ecs.clusters={cluster_name}` where `{cluster_name}` is the name of the current cluster.
- `--providers.ecs.exposedByDefault=False`. Now containers we route to will require special labels/annotations in order for traefik to discover them and set up configurations.
- `/vault/file`, which is different: https://github.com/hashicorp/vault/blob/main/Dockerfile#L139. Have vault render its secrets into this directory. Mount the same shared volume in traefik at `/etc/traefik/tls` and you can load the certificates and the dynamic config needed.
- `vault status`.
- Traefik requires `--ping` to be specified as a command line argument in BOTH the running container / commands list and in the healthcheck, but only AFTER the word `healthcheck`, so: `traefik healthcheck --ping`. Put it before and it errors in a most unhelpful way.

```
root@ip-172-17-1-56:/etc/docker# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
fed5626c3518 traefik:v2.10.4 "/entrypoint.sh --ap…" About an hour ago Up About an hour (healthy) ecs-data-ci-traefik-46-data-ci-traefik-c48599c2e2becdaf6300
4295b1aca17a hashicorp/vault:latest "docker-entrypoint.s…" About an hour ago Up About an hour (healthy) ecs-data-ci-traefik-46-traefik-vault-agent-f4e89caaa8fa95e6cf01
27c6ff18d366 amazon/amazon-ecs-agent:latest "/agent" 3 weeks ago Up 3 weeks (healthy) ecs-agent
```
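The gotchas above (JSON in `VAULT_LOCAL_CONFIG`, the three ECS provider flags, the shared `/vault/file` volume, and `--ping` after `healthcheck`) are easy to get subtly wrong by hand, so here is an added example that builds the two-container task definition in Python and lints it for exactly those points. This is not code from the issue or from the ol-infrastructure branch; the cluster name, Vault address, AWS IAM auth role, PKI mount and hostname are constructed placeholders, and the Vault Agent config assumes AWS IAM auto-auth with a PKI role that can issue the Traefik certificate.

```python
"""Added example (not from the issue or the ol-infrastructure repo): build the
ECS task definition for the Traefik + Vault Agent pair and lint it for the
gotchas. All names below are constructed placeholders."""
import json

SHARED_VOLUME = "vault-rendered"       # task-level volume shared by both containers
VAULT_RENDER_DIR = "/vault/file"       # the VOLUME the Vault image declares
TRAEFIK_TLS_DIR = "/etc/traefik/tls"   # where Traefik sees the same rendered files


def vault_agent_config(auth_role, pki_mount, common_name):
    """Vault Agent config that the image entrypoint writes to $VAULT_CONFIG/local.json
    when passed in VAULT_LOCAL_CONFIG. The single template renders a Traefik dynamic
    config with the issued cert and key inlined (JSON is valid YAML, so a .yml
    destination is fine); toJSON keeps the PEM newlines correctly escaped."""
    tmpl = (
        '{"tls":{"certificates":[{{ with secret "%s/issue/traefik" "common_name=%s" }}'
        '{"certFile":{{ .Data.certificate | toJSON }},'
        '"keyFile":{{ .Data.private_key | toJSON }}}{{ end }}]}}'
    ) % (pki_mount, common_name)
    return {
        "auto_auth": {"method": {"type": "aws", "config": {"type": "iam", "role": auth_role}}},
        "template": [{"contents": tmpl, "destination": VAULT_RENDER_DIR + "/tls.yml", "perms": "0600"}],
    }


def traefik_task_definition(cluster_name, vault_addr, agent_cfg):
    """Two-container task: Vault Agent renders into the shared volume, Traefik reads it."""
    return {
        "family": cluster_name + "-traefik",
        "networkMode": "bridge",
        "volumes": [{"name": SHARED_VOLUME}],
        "containerDefinitions": [
            {
                "name": "traefik-vault-agent",
                "image": "hashicorp/vault:latest",
                "essential": True,
                "command": ["agent", "-config=/vault/config/local.json"],
                "environment": [
                    {"name": "VAULT_ADDR", "value": vault_addr},
                    # JSON inside JSON: serialised once here, again by ECS; let
                    # json.dumps do the quoting instead of escaping by hand.
                    {"name": "VAULT_LOCAL_CONFIG", "value": json.dumps(agent_cfg)},
                ],
                "mountPoints": [{"sourceVolume": SHARED_VOLUME, "containerPath": VAULT_RENDER_DIR, "readOnly": False}],
                "healthCheck": {"command": ["CMD", "vault", "status"], "interval": 30, "timeout": 5, "retries": 3},
            },
            {
                "name": "traefik",
                "image": "traefik:v2.10.4",
                "essential": True,
                "dependsOn": [{"containerName": "traefik-vault-agent", "condition": "HEALTHY"}],
                "command": [
                    "--ping",                                         # enables the /ping endpoint
                    "--providers.ecs.autoDiscoverClusters=true",
                    "--providers.ecs.clusters=" + cluster_name,       # ...but only this cluster
                    "--providers.ecs.exposedByDefault=false",         # routing is opt-in via labels
                    "--providers.file.directory=" + TRAEFIK_TLS_DIR,  # picks up the rendered tls.yml
                    "--providers.file.watch=true",
                ],
                "mountPoints": [{"sourceVolume": SHARED_VOLUME, "containerPath": TRAEFIK_TLS_DIR, "readOnly": True}],
                "portMappings": [{"containerPort": 443, "hostPort": 443}],
                # --ping must come AFTER the healthcheck subcommand.
                "healthCheck": {"command": ["CMD", "traefik", "healthcheck", "--ping"], "interval": 30, "timeout": 5, "retries": 3},
            },
        ],
    }


def agent_config_from(td):
    """Round-trip the JSON-in-JSON: pull VAULT_LOCAL_CONFIG back out and parse it."""
    agent = next(c for c in td["containerDefinitions"] if c["name"] == "traefik-vault-agent")
    env = {e["name"]: e["value"] for e in agent["environment"]}
    return json.loads(env["VAULT_LOCAL_CONFIG"])


def lint_task_definition(td):
    """Return the gotchas the task definition violates (empty list means clean)."""
    problems = []
    by_name = {c["name"]: c for c in td["containerDefinitions"]}
    traefik, agent = by_name["traefik"], by_name["traefik-vault-agent"]
    cmd = traefik["command"]
    if "--ping" not in cmd:
        problems.append("traefik: --ping missing from the container command")
    discover = any(a.lower() == "--providers.ecs.autodiscoverclusters=true" for a in cmd)
    if discover and not any(a.startswith("--providers.ecs.clusters=") for a in cmd):
        problems.append("traefik: autoDiscoverClusters without a --providers.ecs.clusters restriction")
    if not any(a.lower() == "--providers.ecs.exposedbydefault=false" for a in cmd):
        problems.append("traefik: containers would be exposed by default")
    hc = traefik["healthCheck"]["command"]
    if hc[:3] != ["CMD", "traefik", "healthcheck"] or "--ping" not in hc[3:]:
        problems.append("traefik: healthcheck must be 'traefik healthcheck --ping' (--ping after healthcheck)")
    try:
        for t in agent_config_from(td).get("template", []):
            if not t.get("destination", "").startswith(VAULT_RENDER_DIR + "/"):
                problems.append("vault-agent: template %r not rendered under %s" % (t.get("destination"), VAULT_RENDER_DIR))
    except (KeyError, ValueError):
        problems.append("vault-agent: VAULT_LOCAL_CONFIG missing or not valid JSON")
    mounts = {(m["sourceVolume"], m["containerPath"]) for c in (agent, traefik) for m in c.get("mountPoints", [])}
    if {(SHARED_VOLUME, VAULT_RENDER_DIR), (SHARED_VOLUME, TRAEFIK_TLS_DIR)} - mounts:
        problems.append("shared volume must be mounted at %s (agent) and %s (traefik)" % (VAULT_RENDER_DIR, TRAEFIK_TLS_DIR))
    return problems


if __name__ == "__main__":
    cfg = vault_agent_config("traefik-example", "pki-example", "traefik.example.internal")
    td = traefik_task_definition("data-ci", "https://vault.example.internal:8200", cfg)
    print(json.dumps(td, indent=2))
    print("lint:", lint_task_definition(td) or "clean")
```

Running it prints the task definition ready for `aws ecs register-task-definition --cli-input-json` and a lint result; feeding the linter a definition with `--ping` before `healthcheck`, or with cluster auto-discovery but no cluster restriction, reports those two specific problems instead of the "most unhelpful" runtime error.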
So, there is one outstanding issue at the moment that I'm struggling with the best approach to and that is environment variables. ECS offers two ways to do env vars documented here. There is an extension/exception to that for secrets using SecretsManager but it isn't that interesting because we don't use that.
So, from the two provided methods we have the following.
Notably absent from that list is just a .env file on the local system. Probably because the underlying EC2 instances are supposed to be livestock, not pets. And livestock doesn't have any local files.
So I'm thinking something a little more flexible but probably more janky.
Doesn't `envconsul` do this already? Yeah, probably, but it is very particular about the keynames in consul and vault and re-organizing / cleaning those superfund sites up is outside the scope of this exploration.
consul-template itself can also be used for spawning the process after rendering the config. It might make sense to use that as the entrypoint? https://github.com/hashicorp/consul-template/blob/main/docs/modes.md#exec-mode
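The direction sketched above is to render secrets to a file and only then spawn the real process (consul-template exec mode, or an envconsul-style wrapper). As an added illustration, not code from the issue or from the ol-infrastructure branch, here is what a minimal wrapper of that kind could look like in Python: it loads a dotenv-style file rendered by Vault Agent or consul-template, refuses it if the file is group/world readable, merges the values into the environment without letting them clobber what ECS already set, and execs the real command. The path `/vault/file/app.env` and the sample file contents are constructed.

```python
"""Added example: an envconsul-like entrypoint wrapper for a rendered env file.
Not from the issue; paths and sample data are constructed."""
import os
import shlex
import stat
import sys


def parse_env_file(text):
    """Parse dotenv-style lines: blank lines and # comments are skipped, an
    optional 'export ' prefix is dropped, and values use shell-style quoting
    (shlex) so a value containing spaces or '#' can be quoted."""
    env = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key.isidentifier():
            raise ValueError("line %d: expected KEY=VALUE, got %r" % (lineno, raw))
        parts = shlex.split(value, comments=True)  # strips quotes and trailing # comments
        env[key] = " ".join(parts) if parts else ""
    return env


def check_secret_file_mode(path):
    """Refuse files readable by group/others: a rendered secret file should be 0600."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s is group/world accessible (%s)" % (path, stat.filemode(mode)))


def load_env_file(path):
    check_secret_file_mode(path)
    with open(path, encoding="utf-8") as fh:
        return parse_env_file(fh.read())


def build_environment(base, rendered, allow_override=False):
    """Merge rendered values into the base environment. By default a rendered key
    never overrides something ECS already set (so a template typo cannot silently
    replace e.g. PATH); file values win only when allow_override=True."""
    merged = dict(base)
    for key, value in rendered.items():
        if key in merged and not allow_override:
            continue
        merged[key] = value
    return merged


def main(argv):
    """Usage: wrapper.py /vault/file/app.env /app/server --flag ..."""
    if len(argv) < 3:
        sys.exit("usage: %s ENV_FILE COMMAND [ARGS...]" % argv[0])
    env = build_environment(os.environ, load_env_file(argv[1]))
    # Replace this process so the real command is PID 1's child as ECS expects;
    # the secret values exist only in this process's environment, not in the
    # task definition or the ECS console.
    os.execvpe(argv[2], argv[2:], env)


if __name__ == "__main__":
    main(sys.argv)
```

The container command then becomes `python3 wrapper.py /vault/file/app.env /app/server`, with the env file rendered into the same shared volume as the certificates above; consul-template exec mode achieves the same hand-off natively, this is the "more flexible but probably more janky" version when the Vault key layout cannot be changed.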
There is nothing analogous to a k8s `configMap` or a docker `config` in ECS, which is presenting some issues. This SO comment covers basically the only options for getting files into containers with ECS: https://stackoverflow.com/a/71704130
Consider the following volume mount list for the nginx sidecar in OVS:
Some of these files are static and unchanging, others require interpolation from vault, and some are rendered entirely from vault. Each of these situations requires a slightly different approach in order to get the configuration where it needs to be in the container. And nearly all of those approaches are going to be complicated and janky. Ultimately this is going to lead to an increase in complexity and boilerplate, which is not what we're looking for at this time.
Branch https://github.com/mitodl/ol-infrastructure/tree/md/ecs_init