This repository was archived by the owner on Nov 27, 2023. It is now read-only.

X certificate #950

Closed
wants to merge 2 commits into from

Conversation

ndeloof (Collaborator) commented Nov 23, 2020

What I did
Added support to configure SSL termination by LoadBalancer

How to test

  1. Create a (self-signed) certificate, or use AWS Certificate Manager to get one for your domain.
     I'm using aws.loof.fr here:
```sh
# Private key, then a self-signed certificate whose DNS name is carried in
# subjectAltName (clients check the SAN, not only the CN). -subj supplies the
# DN, so the minimal [req] section needs no interactive prompts.
openssl genrsa -out aws.loof.fr.key 2048
echo "
[req]
distinguished_name=req
[SAN]
subjectAltName=DNS:aws.loof.fr" > aws.loof.fr.conf
openssl req -new -x509 -key aws.loof.fr.key -out aws.loof.fr.cert -days 3650 -subj /CN=aws.loof.fr -extensions SAN -config 'aws.loof.fr.conf'
```
  2. Import this certificate into AWS Certificate Manager.

  3. Configure the compose app with an external secret holding the certificate ARN, and have the service refer to it via x-aws-certificate:

```yaml
services:
  web:
    image: nginx
    ports:
      - target: 80
        x-aws-certificate: certificate

secrets:
  certificate:
    external: true
    name: "arn:aws:acm:us-east-1:123abc:certificate/123-abc-456-def"
```

  4. Run docker compose up.

  5. Configure a DNS CNAME for your domain to point to the application LoadBalancer.

  6. Access your domain:

```
~ curl  --insecure https://aws.loof.fr:80
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
...
```

Related issue
#775

TODO

  • manage secret as a file within the compose project (not as an external)
  • define inner loop experience with certificates

I wonder if this would be better addressed as a route, as the certificate will only apply to external service connectivity, not service-to-service (until we introduce AppMesh support here?).
see discussion on compose-spec/compose-spec#111


@github-actions github-actions bot added the ecs label Nov 23, 2020
@ndeloof ndeloof marked this pull request as draft November 23, 2020 14:01
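The test recipe in the PR description (self-signed certificate, ACM ARN held in an external secret, then `curl --insecure` against the load balancer), as an added Go example that is not part of this PR or of compose-cli. It builds the same kind of single-SAN self-signed certificate in code, checks that an external secret name has the shape of an ACM certificate ARN (the ARN in the compose snippet above is a placeholder and does not pass that check), and replaces `curl --insecure` with a client that trusts only the certificate you imported and verifies the hostname against its SAN, so a listener presenting a different certificate, or the right certificate for the wrong name, fails instead of being waved through. The loopback HTTPS server standing in for the load balancer, the response body, the function names and the ARN value are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"log"
	"math/big"
	"net/http"
	"net/http/httptest"
	"regexp"
	"time"
)

// selfSignedCert does in code what the openssl commands in the PR do: a
// self-signed certificate whose DNS name is in subjectAltName (what clients check).
func selfSignedCert(dnsName string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(3650 * 24 * time.Hour), // -days 3650 in the PR
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// acmCertARN is the shape of an ACM certificate ARN (region, 12-digit account,
// UUID id). The external secret's name goes to the listener as-is, so a check
// before deploying fails faster than a CloudFormation rollback would.
var acmCertARN = regexp.MustCompile(`^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$`)

func isACMCertificateARN(name string) bool { return acmCertARN.MatchString(name) }

// serveLikeNginx stands in for the load balancer terminating TLS in front of
// the nginx service: a loopback HTTPS server presenting the given certificate.
func serveLikeNginx(cert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "<!DOCTYPE html>\n<html>\n<head>\n<title>Welcome to nginx!</title>\n")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	return srv
}

// fetchPinned is the check to run instead of `curl --insecure`: the only trust
// anchor is the certificate you imported, and serverName is verified against
// its SAN, so a swapped certificate or a name mismatch is an error.
func fetchPinned(addr, serverName string, expected *x509.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(expected) // a self-signed leaf in RootCAs verifies as a one-element chain
	client := &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{
			RootCAs:    pool,
			ServerName: serverName, // hostname check, independent of the address dialled
			MinVersion: tls.VersionTLS12,
		}},
	}
	resp, err := client.Get(addr)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

func main() {
	cert, err := selfSignedCert("aws.loof.fr")
	if err != nil {
		log.Fatal(err)
	}
	srv := serveLikeNginx(cert)
	defer srv.Close()
	body, err := fetchPinned(srv.URL, "aws.loof.fr", cert.Leaf)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Print(body)
}
```

Against a real deployment, point `fetchPinned` at `https://<your domain>` with the certificate you imported into ACM as `expected`; the ARN check is worth running on the secret's `name` before `docker compose up`, since the value is only validated when the listener is created.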
Review comment on the createListener signature.

Before:

```go
func (b *ecsAPIService) createListener(service types.ServiceConfig, port types.ServicePortConfig,
template *cloudformation.Template,
targetGroupName string, loadBalancer awsResource, protocol string) string {
```

After:

```go
func (b *ecsAPIService) createListener(project *types.Project, service types.ServiceConfig, port types.ServicePortConfig, template *cloudformation.Template, targetGroupName string, loadBalancer awsResource, protocol string) string {
```

Suggested change:

```go
func (b *ecsAPIService) createListener(project *types.Project, service types.ServiceConfig, port types.ServicePortConfig,
template *cloudformation.Template, targetGroupName string, loadBalancer awsResource, protocol string) string {
```

nudge to pass golangci-lint CI stage

ndeloof (Collaborator, Author) commented Jan 27, 2021

closing as obsolete

@ndeloof ndeloof closed this Jan 27, 2021
@lorenrh lorenrh deleted the x-certificate branch October 18, 2021 14:48