Apply suggestions from code review
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
This commit is contained in:
parent
f6d0220af8
commit
c779d224e2
|
@ -11,7 +11,7 @@ You can run Consul Enterprise on ECS by specifying the Consul Enterprise Docker
|
||||||
|
|
||||||
## Specify the Consul image
|
## Specify the Consul image
|
||||||
|
|
||||||
When instantiating the [`mesh-task`](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/mesh-task) or [`gateway-task`](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/gateway-task) module,
|
When you set up an instance of the [`mesh-task`](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/mesh-task) or [`gateway-task`](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/gateway-task) module,
|
||||||
set the parameter `consul_image` to a Consul Enterprise image. The following example instructs the `mesh-task` module to import Consul Enterprise version 1.12.0:
|
set the parameter `consul_image` to a Consul Enterprise image. The following example instructs the `mesh-task` module to import Consul Enterprise version 1.12.0:
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
|
@ -63,10 +63,10 @@ If client support is required for any of the features, then you must use a Consu
|
||||||
|
|
||||||
Consul on ECS supports [admin partitions](/docs/enterprise/admin-partitions) and [namespaces](/docs/enterprise/namespaces) when Consul Enterprise servers and clients are used. These features have the following requirements:
|
Consul on ECS supports [admin partitions](/docs/enterprise/admin-partitions) and [namespaces](/docs/enterprise/namespaces) when Consul Enterprise servers and clients are used. These features have the following requirements:
|
||||||
|
|
||||||
* ACLs must be enabled.
|
- ACLs must be enabled.
|
||||||
* ACL controller must run in the ECS cluster.
|
- ACL controller must run in the ECS cluster.
|
||||||
* `mesh-tasks` must use a Consul Enterprise client image.
|
- `mesh-task` must use a Consul Enterprise client image.
|
||||||
* `gateway-task`s must use a Consul Enterprise client image.
|
- `gateway-task` must use a Consul Enterprise client image.
|
||||||
|
|
||||||
The ACL controller automatically manages ACL policies and token provisioning for clients and services on the service mesh.
|
The ACL controller automatically manages ACL policies and token provisioning for clients and services on the service mesh.
|
||||||
It also creates admin partitions and namespaces if they do not already exist.
|
It also creates admin partitions and namespaces if they do not already exist.
|
||||||
|
|
|
@ -7,7 +7,7 @@ description: >-
|
||||||
|
|
||||||
# Manual Installation
|
# Manual Installation
|
||||||
|
|
||||||
The following instructions describe how to manually create the ECS task definition using the [`consul-ecs` Docker image](https://gallery.ecr.aws/hashicorp/consul-ecs) without Terraform. Refer to the [Consul ECS Terraform module](/docs/ecs/terraform/install) documentation for an alternative method for installing Consul on ECS.
|
The following instructions describe how to use the [`consul-ecs` Docker image](https://gallery.ecr.aws/hashicorp/consul-ecs) to manually create the ECS task definition without Terraform. If you prefer to use Terraform, refer to [Consul ECS Terraform module](/docs/ecs/terraform/install).
|
||||||
|
|
||||||
If you intend to peer the service mesh to multiple Consul datacenters or partitions, you must use the Consul ECS Terraform module to install your service mesh on ECS. Manually configuring mesh gateways without using the `gateway-task` Terraform module is not supported.
|
If you intend to peer the service mesh to multiple Consul datacenters or partitions, you must use the Consul ECS Terraform module to install your service mesh on ECS. Manually configuring mesh gateways without using the `gateway-task` Terraform module is not supported.
|
||||||
|
|
||||||
|
@ -19,12 +19,12 @@ You should have some familiarity with AWS ECS. See [What is Amazon Elastic Conta
|
||||||
|
|
||||||
## Task Definition
|
## Task Definition
|
||||||
|
|
||||||
Create a task definition configured to create the containers:
|
Configure a task definition that creates the containers:
|
||||||
|
|
||||||
* Your application container
|
- Your application container
|
||||||
* An Envoy sidecar-proxy container
|
- An Envoy sidecar-proxy container
|
||||||
* A Consul client container
|
- A Consul client container
|
||||||
* A `consul-ecs-mesh-init` container for service mesh setup
|
- A `consul-ecs-mesh-init` container for service mesh setup
|
||||||
* (Optional) A `consul-ecs-health-sync` container to sync ECS health checks into Consul
|
* (Optional) A `consul-ecs-health-sync` container to sync ECS health checks into Consul
|
||||||
|
|
||||||
## Top-level fields
|
## Top-level fields
|
||||||
|
|
|
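Review bot: the last bullet in this hunk, `* (Optional) A `consul-ecs-health-sync` container to sync ECS health checks into Consul`, still uses `*` while the four items above it were switched to `-`, so the list now mixes markers; in CommonMark a change of bullet character starts a new list, which can render the optional item as a separate list with extra spacing. Change that line to `- (Optional) A `consul-ecs-health-sync` container to sync ECS health checks into Consul` so the whole list uses one marker.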
@ -13,11 +13,11 @@ This topic describes how to enable Consul security features for your production
|
||||||
|
|
||||||
The following features must be configured for your Consul server cluster:
|
The following features must be configured for your Consul server cluster:
|
||||||
|
|
||||||
* [TLS encryption](/docs/security/encryption#rpc-encryption-with-tls) for RPC communication between Consul clients and servers.
|
- [TLS encryption](/docs/security/encryption#rpc-encryption-with-tls) for RPC communication between Consul clients and servers.
|
||||||
* [Gossip encryption](/docs/security/encryption#gossip-encryption) for encrypting gossip traffic.
|
- [Gossip encryption](/docs/security/encryption#gossip-encryption) for encrypting gossip traffic.
|
||||||
* [Access control lists (ACLs)](/docs/security/acl) for authentication and authorization for Consul clients and services on the mesh.
|
- [Access control lists (ACLs)](/docs/security/acl) for authentication and authorization for Consul clients and services on the mesh.
|
||||||
|
|
||||||
You should already have followed the [installation instructions](/docs/ecs/manual/install) to understand how to define the necessary components of the task definition for Consul on ECS.
|
You should already have followed the [manual installation instructions](/docs/ecs/manual/install) to define the necessary components of the task definition for Consul on ECS.
|
||||||
|
|
||||||
You should be familiar with [specifying sensitive data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) on ECS.
|
You should be familiar with [specifying sensitive data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) on ECS.
|
||||||
|
|
||||||
|
@ -36,7 +36,7 @@ This section describes how to manually create ACL tokens. You can install the AC
|
||||||
|
|
||||||
### Define policies
|
### Define policies
|
||||||
|
|
||||||
Confiture the following ACL policy for the Consul client token:
|
Configure the following ACL policy for the Consul client token:
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
node_prefix "" {
|
node_prefix "" {
|
||||||
|
@ -58,12 +58,12 @@ If you intend to create a gateway for connecting multiple Consul datacenters, yo
|
||||||
Mesh gateways must run in the default namespace.
|
Mesh gateways must run in the default namespace.
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
namespace "default" { // If namespaces enabled
|
namespace "default" { ## If namespaces enabled
|
||||||
service "<Service Name>" {
|
service "<Service Name>" {
|
||||||
policy = "write"
|
policy = "write"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
namespace_prefix "" { // If namespaces enabled
|
namespace_prefix "" { ## If namespaces enabled
|
||||||
service_prefix "" {
|
service_prefix "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
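Review bot: `##` is an odd comment marker for HCL; the single-line comment forms are `#` and `//`, and a doubled hash only works because the first `#` opens the comment. If the intent is to move away from `//`, a single `#` (e.g. `namespace "default" { # If namespaces enabled`) is the idiomatic form. The same applies to the two `namespace_prefix` / `namespace` comment lines here and to the terminating gateway and ingress gateway policy blocks in the hunks that follow.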
@ -78,8 +78,8 @@ agent_prefix "" {
|
||||||
#### Terminating gateway policy
|
#### Terminating gateway policy
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
partition "<partition>" { // If partitions enabled
|
partition "<partition>" { ## If partitions enabled
|
||||||
namespace "<namespace>" { // If namespaces enabled
|
namespace "<namespace>" { ## If namespaces enabled
|
||||||
service "<Service Name>" {
|
service "<Service Name>" {
|
||||||
policy = "write"
|
policy = "write"
|
||||||
}
|
}
|
||||||
|
@ -93,8 +93,8 @@ partition "<partition>" { // If partitions enabled
|
||||||
#### Ingress gateway policy
|
#### Ingress gateway policy
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
partition "<partition>" { // If partitions enabled
|
partition "<partition>" { ## If partitions enabled
|
||||||
namespace "<namespace>" { // If namespaces enabled
|
namespace "<namespace>" { ## If namespaces enabled
|
||||||
service "<Service Name>" {
|
service "<Service Name>" {
|
||||||
policy = "write"
|
policy = "write"
|
||||||
}
|
}
|
||||||
|
@ -114,12 +114,12 @@ partition "<partition>" { // If partitions enabled
|
||||||
Create the Consul client token and the service tokens after adding the necessary policies. Service tokens should be associated with a service identity. The service identity includes `service:write` permissions for the service and sidecar proxy.
|
Create the Consul client token and the service tokens after adding the necessary policies. Service tokens should be associated with a service identity. The service identity includes `service:write` permissions for the service and sidecar proxy.
|
||||||
|
|
||||||
You can create tokens using the [`consul acl token create`](/commands/acl/token/create) command or the [`[PUT] /v1/acl/token`](/api-docs/acl/tokens#create-a-token) API endpoint.
|
You can create tokens using the [`consul acl token create`](/commands/acl/token/create) command or the [`[PUT] /v1/acl/token`](/api-docs/acl/tokens#create-a-token) API endpoint.
|
||||||
The following example shows how to use the Consul CLI to create a service token for a service named example-client-app:
|
The following example shows how to use the Consul CLI to create a service token for a service named `example-client-app`:
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ consul acl token create -service-identity=example-client-app ...
|
$ consul acl token create -service-identity=example-client-app ...
|
||||||
```
|
```
|
||||||
You will need to create one service token for each registered Consul service in ECS, including when new services are added to the service mesh.
|
You need to create one service token for each registered Consul service in ECS. When you add new services to the service mesh, you must create new tokens for each service.
|
||||||
|
|
||||||
|
|
||||||
## Secret storage
|
## Secret storage
|
||||||
|
|
|
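Review bot: the rewritten closing sentence, `When you add new services to the service mesh, you must create new tokens for each service.`, can be read as requiring fresh tokens for every existing service each time one is added; `you must create a token for each new service` says what is meant and makes clear that existing tokens stay valid. It would also help to tie this back to the earlier line that service tokens should be associated with a service identity, i.e. one token per service carrying only that service's identity, since the `...` in the `consul acl token create` example hides the rest of the invocation.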
@ -66,7 +66,7 @@ module "acl_controller" {
|
||||||
```
|
```
|
||||||
|
|
||||||
The `name_prefix` parameter is used to prefix any secrets that the ACL controller will
|
The `name_prefix` parameter is used to prefix any secrets that the ACL controller will
|
||||||
update in AWS Secrets Manager. The `name_prefix` parameter value must be unique for each ECS cluster where you are deploying this controller.
|
update in AWS Secrets Manager. The `name_prefix` parameter value must be unique for each ECS cluster where you deploy this controller.
|
||||||
|
|
||||||
## Deploy your services
|
## Deploy your services
|
||||||
|
|
||||||
|
@ -74,7 +74,7 @@ Follow the instructions described in [Create a task definition](/docs/ecs/terraf
|
||||||
|
|
||||||
### Create an AWS Secrets Manager secret
|
### Create an AWS Secrets Manager secret
|
||||||
|
|
||||||
The secret stores the gossip encryption key that the Consul clients will use.
|
The secret stores the gossip encryption key that the Consul clients use.
|
||||||
|
|
||||||
<CodeBlock>
|
<CodeBlock>
|
||||||
|
|
||||||
|
|