Add toggle to use public ip for communicating to fargate task

Ghost User requested to merge (removed):master into master

What does this MR do?

Adds a UsePublicIP option to the fargate config file to toggle whether the runner uses the public or private IP address of the fargate task to communicate.

gitlab-customer-runner

Why was this MR needed?

Currently, to communicate with Fargate tasks you need to allow SSH access to your security group from the internet; this also incurs egress/ingress charges on AWS. This MR adds a toggle which by default will use the private IP address of the Fargate task to communicate, avoiding having to route out to the internet and back in to AWS to reach the task. This also allows the ingress SSH rule from the internet to be removed from the security group.

What's the best way to test this MR?

Private Routing

  1. Set up your fargate.toml with the EnablePublicIP option set to true

     [Fargate]
     Cluster = "gitlabcluster"
     ...
     EnablePublicIP = true
  2. On your security group don't add an inbound rule to allow ssh from 0.0.0.0/0, only have the default self referencing rule for ssh from itself.

  3. You should still be able to run tasks, with the runner communicating with the tasks using its private IP address rather than its public IP.

Public Routing

  1. To test using the public IP for communication, set fargate.toml as below

    [Fargate]
      Cluster = "gitlabcluster"
      ...
      EnablePublicIP = true
      UsePublicIP = true
  2. Add an inbound rule to your security group to allow ssh from 0.0.0.0/0

  3. You should still be able to run tasks, with the runner communicating with the tasks using its public IP address rather than its private IP.

Error Handling

  1. If you attempt to use the following configuration:

    [Fargate]
      Cluster = "gitlabcluster"
      ...
      EnablePublicIP = false
      UsePublicIP = true
  2. The driver will throw an error stating can't use public IP to communicate if EnablePublicIP not enabled in configuration file

Evaluation Logic

| EnablePublicIP | UsePublicIP | Outcome |
|----------------|-------------|------------|
| true | true | Public IP |
| true | false | Private IP |
| false | true | Error |
| false | false | Private IP |

Unless set to true, the UsePublicIP parameter will default to false and use the private IP for communications.

What are the relevant issue numbers?
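
An added example, not part of this merge request or the driver's code: once private routing is in use, this Go check reads JSON in the shape of `aws ec2 describe-security-groups` output and lists the groups that still carry an inbound SSH rule from the internet. The function name `InternetSSHGroups`, the type `sgOutput` and the sample group IDs are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: sg-private is self-referencing only, sg-public allows 0.0.0.0/0.
const sample = `{"SecurityGroups":[
{"GroupId":"sg-private","IpPermissions":[{"IpProtocol":"tcp","FromPort":22,"ToPort":22,
 "UserIdGroupPairs":[{"GroupId":"sg-private"}]}]},
{"GroupId":"sg-public","IpPermissions":[{"IpProtocol":"tcp","FromPort":22,"ToPort":22,
 "IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]}]}`

// sgOutput is the subset of `aws ec2 describe-security-groups` JSON used here.
type sgOutput struct {
	SecurityGroups []struct {
		GroupId       string
		IpPermissions []struct {
			IpProtocol           string
			FromPort, ToPort     int
			IpRanges, Ipv6Ranges []struct{ CidrIp, CidrIpv6 string }
		}
	}
}

// InternetSSHGroups (hypothetical helper) lists groups admitting TCP 22 from any address.
func InternetSSHGroups(raw []byte) ([]string, error) {
	var out sgOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return nil, err
	}
	var exposed []string
	for _, g := range out.SecurityGroups {
		open := false
		for _, p := range g.IpPermissions {
			// Protocol "-1" covers every protocol and port.
			ssh := p.IpProtocol == "-1" || (p.IpProtocol == "tcp" && p.FromPort <= 22 && 22 <= p.ToPort)
			for _, r := range append(p.IpRanges, p.Ipv6Ranges...) {
				open = open || (ssh && (r.CidrIp == "0.0.0.0/0" || r.CidrIpv6 == "::/0"))
			}
		}
		if open {
			exposed = append(exposed, g.GroupId)
		}
	}
	return exposed, nil
}

func main() { fmt.Println(InternetSSHGroups([]byte(sample))) }
```

An empty result means no listed group exposes SSH to the internet; the self-referencing rule is not flagged because it names a source group rather than a CIDR range.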