feat(deploy): optional ALB (direct in-binary TLS default) + right-size defaults #15
Merged
6f5adcd to ec0fa67
…size defaults

Add UseLoadBalancer (default false): the app task is exposed directly to the internet via the in-binary TLS terminator (ephemeral self-signed cert) on AppTlsPort (8443, non-privileged so the non-root container can bind it), dropping the ~$18/mo ALB. Clients use HTTPS with insecure/skip-verify; the plaintext backend stays on 127.0.0.1:4318 so the container health check is unchanged. UseLoadBalancer=true restores the ALB (HTTP) path.

The ALB resources (LB, target group, listener, LB SG) are now conditional; the app SG opens AppTlsPort to AllowedIngressCidr in direct mode, or only the ALB SG in ALB mode. Listener ordering for ALB mode uses a conditional Metadata Ref (DependsOn can't be conditional).

The public IP is ephemeral in direct mode (no stable DNS without a domain); the DirectTlsEndpoint output prints the lookup.

Also bake right-sized defaults into the template (soak/bench showed ~6% CPU): app 0.5 vCPU/1 GiB, catalog 0.25 vCPU/1 GiB, process mem limit 512 MiB (~$46/mo vs ~$111/mo).

Versioning was enabled but provided no real data protection here -- DuckLake's own catalog tracks file references and the `delete_older_than` retention grace (24h default) covers orphan recovery. The only practical effect was operational drag on teardown: a versioned bucket's `rm --recursive` writes delete markers rather than removing object versions, leaving the bucket non-empty and blocking CloudFormation's bucket delete during `delete-stack`. New deploys get a non-versioned bucket and tear down cleanly.
bee02ee to 1fbab18
Rebased on `origin/main` (after EFS #14 merged).

Makes the ALB optional via `UseLoadBalancer` (default false = direct in-binary TLS on port 4318, ephemeral self-signed cert, clients use insecure/skip-verify), dropping the ~$18/mo ALB. `UseLoadBalancer=true` restores the ALB (HTTP) path. Also bakes the right-sized Fargate defaults (0.5 vCPU / 1 GiB app, 0.25 vCPU / 1 GiB catalog, 512 MiB process-memory limit) into the template.

Design

LoadBalancers/port mismatch that blocks an atomic update.
http://127.0.0.1:4318/healthz.
0.0.0.0:4318 forwarding to a plaintext backend on 127.0.0.1:4319; health check http://127.0.0.1:4319/healthz.
WithAlb.
App SG ingress opens 4318 to `AllowedIngressCidr` in direct mode, or only the ALB SG in ALB mode.
Ref (CloudFormation `DependsOn` can't be conditional).

This flag works cleanly for new stacks deployed with `UseLoadBalancer=false` from creation. Migrating an existing ALB-fronted stack to direct mode in a single CFN update fails: while CFN is applying the change, ECS auto-registers the new task to the still-attached target group, which HTTP-health-checks port 4318 — but that port is now TLS — so the task is marked unhealthy and the deployment circuit breaker rolls back.

To migrate an existing stack, do it in two steps:

1. `aws ecs update-service --cluster <c> --service <s> --load-balancers '[]' --force-new-deployment`, wait for `services-stable`.
2. `aws cloudformation update-stack` with this template (`UseLoadBalancer=false`); CFN sees the service already has no LB, applies the new task def, and deletes the now-unreferenced ALB resources.

Or simpler: deploy a fresh stack with `UseLoadBalancer=false` from the start.

Direct-mode endpoint

The public IP is ephemeral in direct mode (no stable DNS without a domain). The `DirectTlsEndpoint` stack output prints the AWS CLI command to find the current task's public IP; clients then hit `https://<ip>:4318` with insecure/skip-verify (the API key still authenticates).