Acquisition complete HashiCorp officially joins the IBM family. Learn more
Consul
Consul Home

You are viewing documentation for pre-release version v1.21.0 (rc). View latest version.

Deploy Consul Dataplane on ECS

This page describes the requirements to set up Consul on ECS deployments to use dataplanes instead of client agents, as well as the process to update existing deployments to use dataplanes instead of agents.

If you already have a Consul cluster deployed on Kubernetes and would like to turn on TLS for internal Consul communication, refer to Configuring TLS on an Existing Cluster.

Requirements

  • Dataplanes can connect to Consul servers v1.14.0 and newer.
  • Dataplanes on AWS Elastic Container Services (ECS) requires Consul ECS v0.7.0 and newer.

Installation

Refer to the following documentation for Consul on ECS workloads:

Upgrading to Consul Dataplanes

Since v0.7.0, Consul service mesh on ECS uses Consul dataplanes, which are lightweight processes for managing Envoy proxies in containerized networks. Refer to the release notes for additional information about the switch to Consul dataplanes.

Requirements

Before you upgrading to the dataplane-based architecture, you must upgrade your Consul servers to a version compatible with Consul ECS:

  • Consul 1.14.x and later
  • Consul dataplane 1.3.x and laterS

Deploy the latest version of the ECS controller module

In an ACL enabled cluster, deploy the latest version of the ECS controller module in hashicorp/terraform-aws-consul-ecs along with the older version of the ACL controller. Note that both the controllers should coexist until the upgrade is complete. The new version of the controller only tracks tasks that use dataplanes.

Upgrade workloads

For application tasks, upgrade the individual task definitions to v0.7.0 or later of the mesh-task module. You must upgrade each task one at a time.

module "my_task" {
  source  = "hashicorp/consul-ecs/aws//modules/mesh-task"
  version = "v0.7.0"
}

For gateway tasks, upgrade the individual task definitions to v0.7.0 or later of the gateway-task module. You must upgrade each task one by one independently. ECS creates new versions of tasks before shutting down the older tasks to support zero downtime deployments.

module "my_task" {
  source  = "hashicorp/consul-ecs/aws//modules/gateway-task"
  version = "v0.7.0"
}

Delete previous tasks

After upgrading all tasks, you can destroy the acl-controller containers, which are replaced by the ECS controller. You can manually remove any artifacts related to the old architecture, including Consul clients and ACL controllers, by executing the following commands:

  1. Run consul acl policy delete to delete the client policy. You can pass either the ID of the policy or the name of the policy, for example:

    $ consul acl policy delete -name="consul-ecs-client-policy"

    Refer to the consul acl policy delete documentation for additional information.

  2. Run the consul acl role delete command to delete the client role. You can pass either the ID of the role or the name of the role, for example:

    $ consul acl role delete -name="consul-ecs-client-role"

    Refer to the consul acl role delete documentation for additional information.

  3. Run the consul acl auth-method delete command and specify the auth method name to delete. 

    $ consul acl auth-method delete -name="iam-ecs-client-token"

    Refer to the consul acl auth-method delete documentation for additional information.