Consul key/value collision #47
@@ -127,7 +128,7 @@ case "$1" in | |||
acquireLeader | |||
;; | |||
watch) | |||
/usr/local/bin/consul-template -config /etc/acme/watch.hcl -consul $CONSUL_HOST:8500 | |||
/usr/local/bin/consul-template -config /etc/acme/watch.hcl -consul-addr $CONSUL_HOST:8500 |
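Review bot: the switch from `-consul` to `-consul-addr` makes this line depend on a consul-template release that recognises the newer flag, so the version installed in the image should be checked against it and the reason for the rename (the deprecation warning mentioned in this thread) recorded in the commit message rather than only in review. While touching the line, quote the address as `"$CONSUL_HOST:8500"` so the argument is not subject to word splitting if the variable ever carries whitespace.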
This was changed as a warning was output to stdout by consul-template.
@@ -1 +1,2 @@ | |||
{{if key "nginx/acme/cert"}}{{key "nginx/acme/cert"}}{{end}} | |||
{{ $service_name := env "SERVICE_NAME" }} |
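Review bot: the context line above still reads `key "nginx/acme/cert"`, so within this hunk `$service_name` is declared but never used; unless a later hunk rewrites that lookup, this template keeps the shared `nginx/` prefix the PR sets out to remove. Both the `if key` guard and the lookup should use the variable, e.g. `{{ key (printf "%s/acme/cert" $service_name) }}`.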
WARNING!!! No default SERVICE_NAME
We should have a default service name nginx
Right, honestly I'm not sure how to do it and I didn't have time yesterday to look. Just needed it working to show off a few things
This appears fixed with {{ $service_name := or $service_name "nginx" }} below.
@tgross Warning, I've never used golang and not sure how to add a default value for templating. Right now there is no default. See the example below: I haven't had time to look up adding defaults.
Unfortunately
@tgross added a default service_name to the templates and tested on joyent. I've noticed curl showing an error when SSL is enabled though. No matter what I end up using for the hostname I always get an error resolving the host.
Update:
/usr/bin/curl --insecure --fail --silent --show-error --output /dev/null --header \"HOST: {{ .ACME_DOMAIN }}\" https://localhost/nginx-health
Update 2:
/usr/bin/curl --insecure --fail --silent \
--show-error --output /dev/null \
--header \"HOST: {{ .ACME_DOMAIN }}\" \
https://localhost/nginx-health
If that were the case I don't think we'd be seeing an attempt to resolve that hostname, right? Which hostname is the error
@tgross - Here is what I'm doing:
ACME_DOMAIN=cms.dev.famishednow.net
Obviously the request is working and consul shows the test as passing. However I see that damn curl error in the logs every 10 seconds.
Update:
Why are you even using the
This is the bit I'm confused by. Why does the name you're using resolve to localhost? That's not going to work with Let's Encrypt anyways, right?
Yes, which is a pretty safe assumption under TLS. I'm not sure why we're including
I was confused by it until I realized you are injecting
LetsEncrypt runs just fine, in fact I was blown away by how well and quickly it worked. 100x easier than setting up certificates the old-fashioned manual way. Right now the only issue I see is the error showing up in the logs. It doesn't cause any issues related to functionality. Even the consul health check shows as passing so it isn't that big of a deal.
@@ -1 +1,3 @@ | |||
{{if key "nginx/acme/cert"}}{{key "nginx/acme/cert"}}{{end}} | |||
{{ $service_name := env "SERVICE_NAME" }} | |||
{{ $service_name := or $service_name "nginx" }} |
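Review bot: the two declarations can be collapsed into one, `{{ $service_name := or (env "SERVICE_NAME") "nginx" }}`. The shadowing form does work, because `env` yields an empty string for an unset variable and `or` treats that as false, but a single declaration shows the default at the point the value is read and avoids a second `$service_name :=` that readers may take for a mistake.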
I'm not saying the following with certainty, but there's a chance we'll also (or alternatively) want to set SERVICE_NAME to nginx as a default value in the Dockerfile. That would result in reliably getting an env var, even if the user doesn't supply one.
If I remember correctly, that syntax would look like:
ENV SERVICE_NAME=${SERVICE_NAME:-nginx}
bin/acme
CONSUL_HOST_DEFAULT=${CONSUL:-consul} | ||
if [ "${CONSUL_AGENT}" != "" ]; then | ||
CONSUL_HOST_DEFAULT="localhost" | ||
fi | ||
CONSUL_HOST=${CONSUL_HOST:-$CONSUL_HOST_DEFAULT} | ||
CONSUL_ROOT="http://${CONSUL_HOST}:8500/v1" | ||
CONSUL_KEY_ROOT="${CONSUL_ROOT}/kv/nginx" | ||
CONSUL_KEY_ROOT="${CONSUL_ROOT}/kv/${SERVICE_NAME}" |
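Review bot: with `SERVICE_NAME` unset or empty, `CONSUL_KEY_ROOT` expands to `${CONSUL_ROOT}/kv/`, which addresses the root of the whole KV store rather than a per-service namespace, so any request the script sends under that prefix would reach other services' keys, which is the collision this PR exists to prevent, only wider. Use the same default the templates get, `CONSUL_KEY_ROOT="${CONSUL_ROOT}/kv/${SERVICE_NAME:-nginx}"`, or fail early with `${SERVICE_NAME:?SERVICE_NAME must be set}`.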
This is another place where we'd need a default value.
@sberryman I think this looks good. There's one place where
@misterbisson I have moved on past nginx and started using traefik for my project instead. I am more than happy to update the PR though. Still using the autopilot pattern for pretty much everything, which has been working out great!
@sberryman I think this was a useful change, so if you're up for it I'd love to update this PR. Also, I'd love to hear more about how you're using Traefik.
…ul-servicename
# Conflicts:
# README.md
@misterbisson let's see what you think of those quick changes. We can move the Traefik conversation to another spot if you would like. I can go over what I'm using containerpilot for and the rest of my stack. All of which is hosted on Triton of course.
Not sure if this is a common use-case but is something I ran into recently. I have several front-end load balancers where I want to perform SSL termination. Since I don't want to run several Consul clusters I ran into an issue where they all use the same keys. I'm also not sure if I have caught all the places where nginx is hard coded but this DOES work in production for me.
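The per-service key namespace this description relies on, as an added shell example that is not part of this PR or of the project's bin/acme script: it derives the Consul KV root the same way the script does, applies the nginx default the review asks for when SERVICE_NAME is unset or empty, and refuses names that would escape the namespace. The function name consul_key_root and the validation rule are assumptions; the host and port mirror the script under review.

```shell
#!/bin/sh
# Added example, not the project's code. Derive a per-service Consul KV root
# from SERVICE_NAME, defaulting to nginx, and reject names that would leave
# the intended namespace (path separators, traversal, leading dot or dash).

# consul_key_root SERVICE_NAME CONSUL_HOST
# Prints the KV root URL for the service, or returns 1 for an invalid name.
consul_key_root() {
    name=${1:-nginx}          # empty or unset falls back to the default
    host=${2:-consul}         # same default host the script uses

    case "$name" in
        */*|*..*|.*|-*)
            # A slash or ".." would address keys outside <service>/; an
            # empty name (no longer possible here) would mean the whole tree.
            echo "invalid SERVICE_NAME: '$name'" >&2
            return 1 ;;
    esac

    printf 'http://%s:8500/v1/kv/%s\n' "$host" "$name"
}

# Usage with constructed names: two load balancers sharing one Consul cluster
# get distinct roots instead of both reading and writing under nginx/.
consul_key_root edge-a consul
consul_key_root edge-b consul
```

Run it with plain `sh`; the case patterns and `printf` are POSIX, so it behaves the same in the Alpine and Debian shells the images typically carry.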