Kyle
06/17/2020, 2:03 AM
http://localhost:8080
I get connection refused or “sending http request to https server”, and then using https, it works with a self-signed cert (I think the default one?). I checked my pod’s config, everything is mounting correctly, exec’d into the pod to check the config and it had tls: false
zwass
06/17/2020, 3:13 AM
fleet config_dump
with whatever flags you are using to see what Fleet actually picks up.
Kyle
06/17/2020, 3:17 AM
- name: KOLIDE_SERVER_TLS
  value: "false"
and that worked, it's not storing what's in the config in the env vars it seems
zwass
06/17/2020, 3:19 AM
Kyle
06/17/2020, 3:21 AM
zwass
06/17/2020, 4:16 AM
Kyle
06/18/2020, 12:39 AM
zwass
06/18/2020, 2:42 AM
osqueryd <- HTTPS -> LB <- HTTP -> Fleet server
Kyle
06/18/2020, 3:12 AM
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  tls:
  - hosts:
    - my.hostname.com
    secretName: kolide-fleet-tls
  rules:
  - host: my.hostname.com
    http:
      paths:
      - backend:
          serviceName: kolide-fleet
          servicePort: 8080
Which has the UI working correctly. However, on an enroll of a launcher agent (with --insecure to avoid self-signed errors) I get this error in launcher logs:
{"caller":"request_queries.go:133","err":"rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: authentication handshake failed: tls: first record does not look like a TLS handshake\"","method":"RequestQueries","reauth":false,"res":"null","severity":"info","took":"108.909µs","ts":"2020-06-18T03:04:08.961847Z","uuid":"9c800ad7-d6d9-4ce0-bd49-cf4d18cee684"
The relevant LB log lines are hex gibberish.
Thanks for your assistance btw
zwass
06/18/2020, 3:19 AM
Kyle
06/18/2020, 4:03 AM
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
But curling with --insecure flag retrieves the page successfully.
If I port forward the fleet server and try to enroll via localhost:8080 (thus bypassing the LB), it throws the exact same error as in my prev message.
{
  "caller": "extension.go:494",
  "err": "sending string logs: writing logs: transport error sending logs: rpc error: code = Unknown desc = OK: HTTP status code 200; transport: received the unexpected content-type \"text/html; charset=utf-8\"",
  "severity": "info",
  "ts": "2020-06-18T06:51:48.562111Z"
}
The host does not show as green in fleet, this seems to me I need some extra configuration in the LB to route these grpc calls...
zwass
06/18/2020, 4:06 PM