IRC log for #confidant, 2017-05-05

All times shown according to UTC.

Time Nick Message
00:54 Ryan_Lane you're supposed to create the table with the specified indexes, yeah
00:54 Ryan_Lane confidant _can_ create them on your behalf, if you give it permissions to do so in IA<
00:54 Ryan_Lane IAM
01:50 ilbot3 joined #confidant
01:50 Topic for #confidant is now Secret management for AWS. https://lyft.github.io/confidant | Channel logs at http://irclog.perlgeek.de/confidant/ | No one around? We check channel history and will respond later. Check the channel logs or gitter.
16:17 Masterphi joined #confidant
17:11 Masterphi joined #confidant
17:43 Masterphi joined #confidant
18:00 Masterphi joined #confidant
18:35 Zimmer joined #confidant
18:35 Zimmer Greetings!
18:37 Masterphi joined #confidant
18:37 Zimmer Exquisite timing
18:38 Zimmer Care if I pick your brain on a docker question relating to confidant Masterphi?
18:38 Masterphi Zimmer: to be honest, I'm a noob on confidant :/
18:39 Masterphi but post your question. People can try and answer it
18:39 Zimmer Essentially I am doing an automated deployment of confidant using Ansible/ECR/ECS
18:40 Zimmer Due to limitations in ecs services vs tasks. I need to pre-sale the env into the docker container I deploy
18:40 Zimmer Prebake*
18:40 Zimmer I thought I could do this with ENV in my dockerfile, but that doesn't appear to be working. Is there something I'm missing, or is there a config file I can write to instead of using the env?
18:46 lyftbot [aizimmer] Logged in instead
19:14 lyftbot [aizimmer] Fwiw I think I need to run an expose 443 on my dockerfile that pulls Lyft/confidant
19:16 lyftbot [aizimmer] That's what I couldn't hit, leading me to believe it wasn't reading my env. I also probably need to run the gunicorn exec at the end also.
19:34 Masterphi joined #confidant
19:35 Ryan_Lane howdy
19:36 Ryan_Lane @Zimmer I think you should be able to have the env in the ECS definition, right?
19:36 Ryan_Lane @aizimmer ^^
19:36 Ryan_Lane you shouldn't need to expose 443
19:37 Ryan_Lane you should have port 80 exposed and have an ELB in front of it that does SSL termination
19:37 lyftbot [aizimmer] That's what I was going to try next actually
19:37 Ryan_Lane there's an environment variable you need to set here as well
19:37 Ryan_Lane one sec
19:38 lyftbot [aizimmer] Sslify?
19:38 lyftbot [aizimmer] I fished it out of the code base lol
19:38 Ryan_Lane https://lyft.github.io/confidant/basics/configuration/#gunicorn-configuration-for-ssl-termination-support
19:38 Ryan_Lane which confidant version are you using in docker?
19:38 lyftbot [aizimmer] Yea I saw all of that. I think I'll test with ssl termination at the elb
19:39 lyftbot [aizimmer] And you can only define env in ecs for tasks, at least with Ansible.
19:39 Ryan_Lane 1.9.0 is probably what you want to use, as the tag
19:39 lyftbot [aizimmer] For services (self healing) I don't have that option.
19:39 Ryan_Lane (latest is based on master, which we try to keep in a completely deployable state, but there's always a possibility of a change going in that causes you issues)
19:39 Ryan_Lane (we run master)
19:40 lyftbot [aizimmer] Yea I'm working off master.
19:40 lyftbot [aizimmer] I think I'll try full termination at the elb and not change the port for confidant itself.
19:41 Ryan_Lane yeah. we don't have gunicorn support for ssl at this point in confidant
19:41 Ryan_Lane mostly because we assume everyone will use ELBs
19:41 lyftbot [aizimmer] My only concern from a security standpoint, is that in regards to lb termination
19:42 lyftbot [aizimmer] It being a managed service you don't know how close that elb is to your actual instance.
19:42 lyftbot [aizimmer] There is still a point in time where nothing is encrypted, creating a race condition for someone who has compromised the system.
19:42 Ryan_Lane yeah. at some point we need to have SSL support for things like HIPAA compliance and such I'd imagine
19:42 lyftbot [aizimmer] Yep. I'm under the HIPAA umbrella :)
19:43 Ryan_Lane we could have the ssl cert as part of the bootstrap secrets
19:43 lyftbot [aizimmer] Exactly my thoughts.
19:43 lyftbot [aizimmer] Before you answered I almost started forking the code
19:43 Ryan_Lane though I wonder if it's something that needs to be part of the gunicorn config
19:44 lyftbot [aizimmer] I'm heading home from my lunch break but I'll chime in if I find or accomplish anything notable.
19:44 Ryan_Lane looks like flask supports it directly
19:44 lyftbot [aizimmer] Flask is what I was going to use
19:44 lyftbot [aizimmer] I use it for most Python web apps I've done in the past.
19:45 lyftbot [aizimmer] And uwsgi instead of gunicorn
19:45 Ryan_Lane for us gunicorn has performed pretty well, and it's something we can directly modify in the config
19:46 lyftbot [aizimmer] You can do the same with uwsgi
19:46 Ryan_Lane I think we could probably do the gunicorn config as a class, then do the ssl setup as part of that
19:47 lyftbot [aizimmer] I haven't a ton of experience with gunicorn so I can't fairly draw good distinctions though.
19:47 Ryan_Lane which would let us load the bootstrap secrets, I think
19:47 Ryan_Lane mostly I'm trying to think of a way to keep the ssl cert/key encrypted
19:47 Ryan_Lane in the bootstrap
19:49 Ryan_Lane so, if we can have gunicorn (or uwsgi) use a python config module, it can import confidant, then have it load the bootstrap
19:49 Ryan_Lane that may mess with gevent, though
19:49 Ryan_Lane may want to split the bootstrap into a separate module, then it doesn't matter if it's loaded before the monkey patch
19:50 Ryan_Lane (welcome to the horrible world of gevent :D )
19:58 lyftbot [aizimmer] I do not envy you
20:00 lyftbot [aizimmer] I'm still making changes to my code, but I suspect another problem with ecs service vs task
20:01 lyftbot [aizimmer] I think it'll want a listener on the elb that matches a portmapping on the container
20:04 Ryan_Lane yeah, probably. I haven't used much ECS, so I'm unfortunately not a lot of help here :)
20:04 Ryan_Lane @aizimmer if you can document the steps you take, this would be a great part of the docs :)
20:13 lyftbot [aizimmer] Was already planning on it :)
20:13 lyftbot [aizimmer] Assuming my boss is okay with sharing, but if it betters the product we all benefit
20:14 Ryan_Lane cool. thanks :)
20:41 lyftbot [aizimmer] I may keep the elb config tied to the asg with my mappings instead of letting ecs manage the load balancer
20:57 Masterphi joined #confidant
21:05 lyftbot [aizimmer] Yep. Detaching the elb from ecs fixed it
21:11 lyftbot [aizimmer] Well sweet. Fully ansibilised confidant deployment managed by ecs. I don't even have to call a dynamic inventory once!
21:11 lyftbot [aizimmer] I'll find some time to document better and I can shoot it your way