Update go-discover to support ECS discovery (#13782)

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
This commit is contained in:
Frank DiRocco 2023-01-12 13:06:29 -05:00 committed by GitHub
parent d224744f6a
commit 9420fd229b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 22 additions and 8 deletions

3
.changelog/13782.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:feature
deps: update to latest go-discover to provide ECS auto-discover capabilities.
```

2
go.mod
View File

@ -40,7 +40,7 @@ require (
github.com/hashicorp/go-checkpoint v0.5.0
github.com/hashicorp/go-cleanhttp v0.5.1
github.com/hashicorp/go-connlimit v0.3.0
github.com/hashicorp/go-discover v0.0.0-20220411141802-20db45f7f0f9
github.com/hashicorp/go-discover v0.0.0-20220714221025-1c234a67149a
github.com/hashicorp/go-hclog v1.2.1
github.com/hashicorp/go-immutable-radix v1.3.0
github.com/hashicorp/go-memdb v1.3.4

4
go.sum
View File

@ -469,8 +469,8 @@ github.com/hashicorp/go-cleanhttp v0.5.1 h1:dH3aiDG9Jvb5r5+bYHsikaOUIpcM0xvgMXVo
github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
github.com/hashicorp/go-connlimit v0.3.0 h1:oAojHGjFxUTTTA8c5XXnDqWJ2HLuWbDiBPTpWvNzvqM=
github.com/hashicorp/go-connlimit v0.3.0/go.mod h1:OUj9FGL1tPIhl/2RCfzYHrIiWj+VVPGNyVPnUX8AqS0=
github.com/hashicorp/go-discover v0.0.0-20220411141802-20db45f7f0f9 h1:2GsEkBZf1q4LKZjtd4cO+V0xd85xGCMolX3ebC2+xd4=
github.com/hashicorp/go-discover v0.0.0-20220411141802-20db45f7f0f9/go.mod h1:1xfdKvc3pe5WKxfUUHHOGaKMk7NLGhHY1jkyhKo6098=
github.com/hashicorp/go-discover v0.0.0-20220714221025-1c234a67149a h1:xeDSq/xo0CfnSZnPUkNH/00Qy8Q8ySJW0Ij2u/pH680=
github.com/hashicorp/go-discover v0.0.0-20220714221025-1c234a67149a/go.mod h1:1xfdKvc3pe5WKxfUUHHOGaKMk7NLGhHY1jkyhKo6098=
github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd/go.mod h1:9bjs9uLqI8l75knNv3lV1kA55veR+WUPSiKIWcQHudI=
github.com/hashicorp/go-hclog v0.9.1/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=

View File

@ -106,7 +106,7 @@ In order to use discovery behind a proxy, you will need to set
The following sections give the options specific to each supported cloud
provider.
### Amazon EC2
### Amazon EC2 and ECS
This returns the first private IP address of all servers in the given
region which have the given `tag_key` and `tag_value`.
@ -128,6 +128,10 @@ $ consul agent -retry-join "provider=aws tag_key=... tag_value=..."
- `addr_type` (optional) - the type of address to discover: `private_v4`, `public_v4`, `public_v6`. Default is `private_v4`. (>= 1.0)
- `access_key_id` (optional) - the AWS access key for authentication (see below for more information about authenticating).
- `secret_access_key` (optional) - the AWS secret access key for authentication (see below for more information about authenticating).
- `service` (optional) - String value that specifies which AWS service to filter. You can specify either `ec2` or `ecs`. Default is `ec2`.
- `ecs_cluster` (optional) - String value that limits searches to a specific AWS ECS cluster name or full ARN. By default, Consul searches all clusters with the specified tag values.
- `ecs_family` (optional) - String value limits searches to a AWS ECS task definition family. By default, Consul searches all task definition families with the specified tags.
- `endpoint` (optional) - String value that specifies the endpoint URL of the AWS service to use. If not set, the AWS client sets the value, which defaults to the public DNS name for the service in the specified region.
#### Authentication & Precedence
@ -137,12 +141,19 @@ $ consul agent -retry-join "provider=aws tag_key=... tag_value=..."
- ECS task role metadata (container-specific).
- EC2 instance role metadata.
The only required IAM permission is `ec2:DescribeInstances`, and it is
recommended that you make a dedicated key used only to auto-join the datacenter. If the
region is omitted it will be discovered through the local instance's [EC2
metadata
The only IAM permission required for discovering EC2 consul-servers is `ec2:DescribeInstances`.
We recommend that you make a dedicated key used only to auto-join the datacenter.
If the region is omitted it will be discovered through the local instance's [EC2 metadata
endpoint](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html).
The AWS ECS task role associated with the service attempting to discover the `consul-server` must have the following IAM permissions:
- `ecs:ListClusters` (only used when `ecs_cluster` is not provided)
- `ecs:ListServices` (only used when `ecs_cluster` is not provided)
- `ecs:DescribeServices` (only used when `ecs_cluster` is not provided)
- `ecs:ListTasks`
- `ecs:DescribeTasks`
If the region is omitted from the configuration, Consul obtains it from the local instance's [ECS V4 metadata endpoint](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-metadata-endpoint-v4.html).
### Microsoft Azure
This returns the first private IP address of all servers in the given region