recently I have tried to redeploy old Drone 0.5 environment to Drone 0.8 on AWS ECS and faced some difficulties dealing with multiple ports for a drone server container. In previous deployment, all communications gone through one exposed port. With recent switch to GRPC running on a separate port, ECS limitations showed up. AWS ECS does not allow to create multiple target groups per service.
Possible solution is to use awsvpc network mode with NLB. Such a way, multiple ports for a container are reachable by forwarding to the same IP address assigned for a container. Unfortunately, I could not terminate HTTPS on NLB (does not recognize high level protocol HTTP/HTTPS).
If I combine ALB(with HTTPS) --> container with reverse-proxy --> NLB(two ports 8000, 9000) <-- Docker Agent container, would it be a proper answer to ECS limitation?
Please share your thought if anyone hit similar issues.
Thanks in advance
Can’t you just terminate https on the drone server using the built in let’s encrypt functionality?
Let me know how this goes, kinda interested.
Hello, sorry for the late response.
I’m using AWS ACM with certificate provided by Amazon “for free”. You just generate it and use for your domain.
Unfortunately, could not use any AWS LB to terminate GRPC on port 9000, as no support for HTTP/2.
As for now it looks like follows:
ALB(application load balancer) with HTTPS–>Port 8000 Drone server, Drone Agents --> Port 9000 Drone Server(IP address of ECS host where container runs is hardcoded).
It works well, only one big issue is, if Drone Server container migrate from ECS host, new IP address has to be provided manually to all Drone Agents.
ECS supports service discovery(Auto Naming API for Service Name Management and Discovery), but only with Network Mode “awsvpc”.
For some reason, Drone Server could not expose any port in Network Mode “awsvpc”.
I got round this by using ECS service discovery:
Obviously you shouldn’t be doing it through the console, I have a CloudFormation snippets I can share if anyone is interested.