Consul key/value collision #47
Conversation
| @@ -127,7 +128,7 @@ case "$1" in | |||
| acquireLeader | |||
| ;; | |||
| watch) | |||
| /usr/local/bin/consul-template -config /etc/acme/watch.hcl -consul $CONSUL_HOST:8500 | |||
| /usr/local/bin/consul-template -config /etc/acme/watch.hcl -consul-addr $CONSUL_HOST:8500 | |||
There was a problem hiding this comment.
This was changed as a warning was output to stdout by consul-template
| @@ -1 +1,2 @@ | |||
| {{if key "nginx/acme/cert"}}{{key "nginx/acme/cert"}}{{end}} | |||
| {{ $service_name := env "SERVICE_NAME" }} | |||
There was a problem hiding this comment.
WARNING!!! No default SERVICE_NAME
There was a problem hiding this comment.
We should have a default service name nginx.
There was a problem hiding this comment.
Right, honestly I'm not sure how to do it and I didn't have time yesterday to look. Just needed it working to show off a few things
There was a problem hiding this comment.
This appears fixed with {{ $service_name := or $service_name "nginx" }} below.
|
@tgross Warning, I've never used golang and not sure how to add a default value for templating. Right now there is no default See the example below: I haven't had time to look up adding defaults. |
Unfortunately |
|
@tgross added a default service_name to the templates and tested on joyent. I've noticed curl showing an error when SSL is enabled though. No matter what I end up using for the hostname I always get an error resolving the host. Update: /usr/bin/curl --insecure --fail --silent --show-error --output /dev/null --header \"HOST: {{ .ACME_DOMAIN }}\" https://localhost/nginx-healthUpdate 2: |
/usr/bin/curl --insecure --fail --silent \
--show-error --output /dev/null \
--header \"HOST: {{ .ACME_DOMAIN }}\" \
https://localhost/nginx-healthIf that were the case I don't think we'd be seeing an attempt to resolve that hostname, right? Which hostname is the error |
|
@tgross - Here is what I'm doing: ACME_DOMAIN=cms.dev.famishednow.net
Obviously the request is working and consul shows the test as passing. However I see that damn curl error in the logs every 10 seconds. Update: Why are you even using the |
This is the bit I'm confused by. Why does the name you're using resolve to localhost? That's not going to work with Let's Encrypt anyways, right?
Yes, which is a pretty safe assumption under TLS. I'm not sure why we're including |
|
I was confused by it until I realized you are injecting LetsEncrypt runs just fine, in fact I was blow away how well and quickly it worked. 100x easier than setting up certificates the old fashion manual way. Right now the only issue I see is the error showing up in the logs. It doesn't cause any issues related to functionality. Even the consul health check shows as passing so it isn't that big of a deal. |
| @@ -1 +1,3 @@ | |||
| {{if key "nginx/acme/cert"}}{{key "nginx/acme/cert"}}{{end}} | |||
| {{ $service_name := env "SERVICE_NAME" }} | |||
| {{ $service_name := or $service_name "nginx" }} | |||
There was a problem hiding this comment.
I'm not saying the following with certainty, but there's a chance we'll also (or alternatively) want to set SERVICE_NAME to nginx as a default value in the Dockerfile. That would result in reliably getting a env var, even if the user doesn't supply one.
If I remember correctly, that syntax would look like:
ENV SERVICE_NAME =${SERVICE_NAME:-nginx}
bin/acme
Outdated
| CONSUL_HOST_DEFAULT=${CONSUL:-consul} | ||
| if [ "${CONSUL_AGENT}" != "" ]; then | ||
| CONSUL_HOST_DEFAULT="localhost" | ||
| fi | ||
| CONSUL_HOST=${CONSUL_HOST:-$CONSUL_HOST_DEFAULT} | ||
| CONSUL_ROOT="http://${CONSUL_HOST}:8500/v1" | ||
| CONSUL_KEY_ROOT="${CONSUL_ROOT}/kv/nginx" | ||
| CONSUL_KEY_ROOT="${CONSUL_ROOT}/kv/${SERVICE_NAME}" |
There was a problem hiding this comment.
This is another place where we'd need a default value.
|
@sberryman I think this looks good. There's one place where |
|
@misterbisson I have moved on past nginx and started using traefik for my project instead. I am more than happy to up the PR though. Still using the autopilot pattern for pretty much everything though which has been working out great! |
|
@sberryman I think this was a useful change, so if you're up for it I'd love to update this PR. Also, I'd love to hear more about how you're using Traefik. |
…ul-servicename # Conflicts: # README.md
|
@misterbisson lets see what you think of those quick changes. We can move the Traefik conversation to another spot if you would like. I can go over what I'm using containerpilot for and the rest of my stack. All of which is hosted on Triton of course. |
Not sure if this is a common use-case but is something I ran into recently. I have several front end load balancers where I want to perform SSL termination. Since I don’t want to run several Consul clusters I ran into an issue where they all use the same keys. I’m also not sure if I have caught all the places where
nginxis hard coded but this DOES work in production for me.