This repository has been archived by the owner on Jul 23, 2024. It is now read-only.
Apologies for the one-massive-commit. The main thing this does is
add an nginx authenticating proxy in front of prometheus, that puts
basic auth in place.

This is done by adding an nginx container into the task definition for
prometheus, and using a link to allow nginx to access prometheus.

The password is in the credential store. The password hash is publicly viewable
in this commit; we should probably replace this with a better secret management
policy at some point.

Other things done in this commit:

- we no longer specify `hostPort` values; we allow ECS to
  automatically assign host ports. The load balancer can still find
  our container, but we no longer have port conflicts when two
  concurrent versions of the service are deployed
- reintroduce cpu quotas. Because our instance has a total of 4096
  cpu units available, and the default value is 1024, once we added
  nginx we had 3 containers and therefore couldn't run a new version
  of our service without killing the old version. Instead we set
  prometheus=1024, s3-config-grabber=256, nginx=256.
- we use the nginx:alpine image rather than the plain `nginx` image.
  This is for two reasons: 1) it's smaller, and 2) the alpine image
  supports bcrypt:
nginx:1.9 image not working with bcrypt encryption docker-library/official-images#860
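
The following lint is an added example, not code from this pull request or its repository. It checks an ECS-style task definition for the three properties the description relies on: no fixed host ports, prometheus reachable only through the linked nginx proxy, and a CPU budget that lets two versions of the task run side by side. The sample task definition is constructed; the image names other than nginx:alpine, the container port and the rule that prometheus publishes no port of its own are assumptions.

```python
# Added example: lint an ECS-style task definition for the properties the PR relies on.
INSTANCE_CPU_UNITS = 4096  # instance total, from the PR description
DEFAULT_CPU_UNITS = 1024   # default the PR description cites when cpu is not set

# Constructed sample. Container names and cpu values follow the PR description;
# image names (except nginx:alpine) and the container port are assumptions.
TASK_DEF = {
    "family": "prometheus",
    "containerDefinitions": [
        {"name": "prometheus", "image": "prom/prometheus", "cpu": 1024},
        {"name": "s3-config-grabber", "image": "example/s3-config-grabber", "cpu": 256},
        {"name": "nginx", "image": "nginx:alpine", "cpu": 256,
         "links": ["prometheus"],
         "portMappings": [{"containerPort": 80, "hostPort": 0}]},
    ],
}


def lint_task_def(task_def, proxy="nginx", backend="prometheus", copies=2):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    containers = {c["name"]: c for c in task_def["containerDefinitions"]}

    # 1. A fixed host port collides when two versions of the task share an instance.
    for name, c in containers.items():
        for pm in c.get("portMappings", []):
            if pm.get("hostPort", 0) != 0:
                findings.append(f"{name}: fixed hostPort {pm['hostPort']}")

    # 2. The backend should be reachable only through the authenticating proxy
    #    (assumed rule: the backend publishes no ports, the proxy links to it).
    if containers.get(backend, {}).get("portMappings"):
        findings.append(f"{backend}: published directly, bypassing {proxy}")
    if backend not in containers.get(proxy, {}).get("links", []):
        findings.append(f"{proxy}: no link to {backend}")

    # 3. Old and new task must fit on the instance together during a deploy.
    total = sum(c.get("cpu", DEFAULT_CPU_UNITS) for c in containers.values())
    if total * copies > INSTANCE_CPU_UNITS:
        findings.append(f"cpu: {copies} x {total} exceeds {INSTANCE_CPU_UNITS}")
    return findings


if __name__ == "__main__":
    for finding in lint_task_def(TASK_DEF) or ["ok"]:
        print(finding)
```

With the quotas from the description the task needs 1536 units, so two copies fit in 4096; with three containers at the default the same check reports 2 x 3072.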